UPDATED 22:25 EDT / MAY 06 2021


Ryuk ransomware infects biomedical research institute after student attempts to pirate software

Ryuk, one of the better-known and more insidious forms of ransomware, has been targeting hospital and healthcare providers over the last year, but exactly how it gets into networks to begin with has varied between attacks.

Most ransomware gets in through phishing, followed by attacks on servers with unpatched vulnerabilities. But a new case out of Europe shows how a Ryuk infection began with a single person attempting to pirate software.

Detailed by Sophos plc’s Rapid Response team, the Ryuk infection hit a European biomedical research institute engaged in COVID-19-related research along with other work in the life sciences. The unnamed institute has close partnerships with local universities and works with students on various programs.

The Ryuk attack cost the institute a week’s worth of vital research data because, although it had backups, they were not fully up to date. Sophos was called in to contain and neutralize the attack, as well as to work out from logs and historical data where it had come from so that future attacks could be prevented.

Analyzing that data, Sophos narrowed down the point of initial access: an external university student who wanted a personal copy of a data visualization software tool already being used for work but didn’t want to pay for it.

After posting a question on an online research forum asking if anyone knew of a free alternative and getting no response, the student searched for a “crack version.” Having found an apparent copy of the software, the student downloaded it and tried to install it, but the file was pure malware. Windows Defender immediately triggered a security alarm, but the student disabled it, along with a firewall, and tried again.

Instead of a cracked copy of the data visualization tool, the file was a malicious info-stealer that began logging keystrokes, stealing browser cookies and more, eventually capturing the student’s access credentials for the institute’s network.

Thirteen days later a remote desktop connection was registered on the institute’s network using the student’s credentials. Ten days later this connection installed the Ryuk ransomware.

“It is unlikely that the operators behind the ‘pirated software’ malware are the same as the ones who launched the Ryuk attack,” said Peter Mackenzie, manager of Rapid Response at Sophos. “The underground market for previously compromised networks offering attackers easy initial access is thriving, so we believe that the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.”

Gary Ogasawara, chief technology officer at enterprise data storage company Cloudian Inc., told SiliconANGLE that internet-exposed RDP sessions are commonly exploited to infect end-user devices.

“Such sessions are intended to remotely log in to Windows computers and allow the user to securely control the device,” Ogasawara explained. “Unfortunately, hackers have become skilled at brute-force attacks on these exposed computers that enable them to take advantage of RDP vulnerabilities and insert ransomware.”

If ransomware has been deployed on a network, protection at the storage level is crucial to ensure data remains secure and available, Ogasawara added. “More specifically, by keeping an immutable backup copy of data, organizations can prevent cybercriminals from encrypting or deleting files,” he said. “This way, they have an unencrypted copy for restore if an attack were to occur, enabling them to access their data without having to pay a ransom.”

Image: Nicholas Raymond/Flickr
