How is Ryuk delivered?

Olivia

Nov 13, 2018
As with many malware attacks, the delivery method is spam emails (malspam). These emails are often sent from a spoofed address, so the sender name does not raise suspicion.
A typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email. Opening the document causes a malicious macro to execute a PowerShell command that attempts to download the banking Trojan Emotet. This Trojan has the ability to download additional malware onto an infected machine that retrieves and executes Trickbot, of which the main payload is spyware. This collects admin credentials, allowing attackers to move laterally to critical assets connected to the network. The attack chain concludes when the attackers execute Ryuk on each of these assets.

So, once your network has been breached, the attackers decide whether they think it’s worth the effort to further explore and infiltrate the network. If they have enough leverage to demand a large sum, then they will deploy the Ryuk ransomware.


Ryuk ransomware notes
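The post describes an Office document macro launching PowerShell as the first stage of the chain. As an added example (not part of the original post), the Python detection logic below flags PowerShell processes that descend from an Office application, including the case where an intermediate process such as cmd.exe sits between them. The field names (`pid`, `ppid`, `image`, `command_line`) and the sample events are constructed for illustration.

```python
import ntpath

# Assumed field names, modelled on process-creation telemetry.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
MAX_DEPTH = 8  # upper bound on how many ancestors are inspected


def base(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def office_ancestor(event, by_pid):
    """Return the image name of the nearest Office ancestor, or None."""
    seen = {event["pid"]}  # guards against cyclic chains (e.g. PID reuse)
    parent = by_pid.get(event["ppid"])
    for _ in range(MAX_DEPTH):
        if parent is None or parent["pid"] in seen:
            return None
        if base(parent["image"]) in OFFICE:
            return base(parent["image"])
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return None


def find_office_spawned_powershell(events):
    """Return (pid, office_app, command_line) for each suspicious PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if base(e["image"]) in SHELLS:
            office = office_ancestor(e, by_pid)
            if office:
                alerts.append((e["pid"], office, e["command_line"]))
    return alerts


# Constructed sample events (not taken from the original post).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "command_line": 'WINWORD.EXE "invoice.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe -enc <constructed-placeholder>"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for alert in find_office_spawned_powershell(SAMPLE_EVENTS):
        print(alert)
```

PowerShell started directly from the desktop shell (pid 500 in the sample) is not flagged; only the process whose ancestry includes an Office application is.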
 
