[German]Who’s next? Last week the security company Prosegur was a victim, of Ryuk. Now the Ransomware Ryuk has hit the Spanish company TECNOL and is currently paralyzing t-systems and a clinics in Texas.
Ryuk is a ransomware that combines two older Trojans. The authors of the Emotet malware use the Emotet control modules to reload the Ransomware Ryuk. The Ransomware encrypts the files accessible on the computer and demands a ransom. At the beginning of 2019, the German authorities (BKA) warned against Ryuk.
Ryuk has infected TECNOL
Tecnol is a spanish company, which manufacture products for waterproofing, chemistry, insulators, surface coatings and more. The following tweet tells me that the company has become a victim of Ransomware Ryuk via Spear-Phishing.
— Germán Fernández (@1ZRR4H) December 2, 2019
Further information is not yet available to me.
USA: tsystem.com offline, clinics in Dallas affected
The following tweet by Kevin Beaumont tells me that there is also a Ransomware infection with Ryuk in the USA.
— Kevin Beaumont (@GossiTheDog) December 2, 2019
The site of T-System (has nothing to do with the Telekom mobile operator T-Systems) is offline because of a Ryuk infection (a screenshot of the server files shows this). Everything that depends on tsystem.com is affected. 40% of US clinics probably depend on T-System services.
Looking back: Ryuk at Prosegur
Last week the Spanish security company Prosegur was the victim of a successful infection with Ryuk (Ransomware incident at security company Prosegur). Subsequently I received some information from DRACOON in Regensburg (they are offering storing, managing and sharing data digitally and securely).
At the end of last week it became public that the security service provider Prosegur, based in Madrid, fell victim to the Ransomware “Ryuk”. The company’s services include the handling of automated cash processes, money logistics, value and courier logistics as well as the provision of security solutions. Prosegur operates worldwide, with 175,000 employees in 25 countries. On Wednesday afternoon, the Group confirmed the infection with the encryption Trojan Ryuk via Twitter and stated that it had taken the maximum security measures to prevent the malware from spreading internally and externally.
The Ransomware Ryuk, which makes it to employees in company networks via spam emails, is not a new phenomenon. In the current BSI Management Report 2019, the danger of this malware variant is pointed out: It is said that targeted monitoring of the Bitcoin addresses used indicates that a ransom of at least 600,000 US dollars has already been captured. Moreover, since the turn of the year 2018/2019, Ryuk has increasingly appeared in connection with Emotet and Trickbot campaigns, which shows the increased modularity of malware in general, but especially of Ransomware. Ryuk is also mentioned in the current “Bundeslagebild Cybercrime 2018” published by the Federal Criminal Police Office at the beginning of this month. Last year, the FBI published a report according to which the encryptionstrojan had been used by previously unknown attackers since August 2018 to blackmail over 100 international corporations. Individual claims amounting to up to five million US dollars are said to have been established in Bitcoins. In return, the victims were promised a decryption program.
Awareness and technical precautions
There are two levels of how companies can protect themselves in times of growing danger: organizational and the technical. On the one hand, companies should urgently sensitize their employees to harmful spam e-mails, not to open e-mails and attachments from unknown senders. Even if the recipients are already known, unexpected file attachments should not be opened without a certain amount of effort. Training and awareness for cyber attacks are therefore important building blocks to increase the security level in the company. But they can only be a supplement, because people make mistakes and professionally faked spam mails can often hardly be distinguished from legitimate messages. The use of a file-sharing solution in a company’s own branding, on the other hand, creates trust. The data exchange then takes place via a link to the stored files, and the recipient can be sure that trustworthy content will be accessed by means of the integrated URL.
The solution: Security by Design
In addition, when purchasing new business software, it is essential to ensure that it meets the highest security requirements and that the topic of security has already been taken into account during development – in other words, that it has been developed according to the “Security by Design” principle. In order to exclude an infection with Ransomware from the outset, file sharing solutions should have an integrated Ransomware protection. This is how it works: If an encryption strojan encrypts local drives or network drives despite all precautions taken, companies will still not lose a single file thanks to versioning of the trash. Finally, the data is overwritten with the encrypted ones during a Ransomware attack – the unencrypted versions of the data automatically lie in the trash and can be restored completely and undamaged. All in all, companies should raise their employees’ awareness of dangers and at the same time ensure that the solutions they use meet the highest security standards.