RYUK Ransomware Cripples Mexico’s State-Owned Oil & Gas Company 

Earlier this week, a ransomware attack on Mexican state oil firm Pemex reportedly forced it to instruct all its staff to disconnect from the internet as RYUK ransomware crashed its servers. On Monday, work immediately ground to a halt with staff unable to access a range of computer systems, such as those dealing with payments.

RYUK ransomware is not normally observed until some time after the initial breach. This period could be anything from days to months, during which the hackers have ample time to carry out reconnaissance inside the infected network. The ransomware identifies and targets critical network systems in order to maximize the impact of the attack. Although it is still too early to calculate what the full cost of the ransomware attack will be to the Mexican oil giant and to the Mexican economy, the incident’s real tragedy is that it may have been preventable.

How RYUK Can Be Prevented

An RYUK ransomware attack can be short-circuited at its inception and beyond, thereby minimizing potential future damage. Failure to do this will result in all non-executable files across the target organization’s entire system being encrypted and renamed with the .ryk file extension. A ransom note, usually demanding payment in Bitcoin, will be dropped in each processed folder with the name RyukReadMe (.html or .txt). 

Even after the initial breach, significant and rapid damage limitation can be put into place. For example, a large manufacturer that recently had ransomware spreading across its network had no idea of where it was located or how it was spreading. SCADAfence cybersecurity platform was installed, immediately providing the visibility to pinpoint where the ransomware was located and then cleaned up the whole system while preventing the attack from spreading. Since SCADAfence detects any malicious activity, it can prevent ransomware such as RYUK from spreading or dropping any kind of reconnaissance software into the system. SCADAfence can pinpoint where the ransomware originally occurred, which points in the network are still vulnerable, while also offering ways to remediate the attack.

The attack on Pemex reported earlier this week is only the latest in a series of RYUK ransomware attacks now taking place across the world. In the month of June this year alone, RYUK ransomware hackers extracted over $1.1million from Florida municipalities. So widespread are the attacks, that the UK’s National Cyber Security Center (NCSC) recently put out a detailed security advisory dedicated to tackling the growing the RYUK threat. 

Traditional Cybersecurity Defenses Are Not Enough

The NCSC alert says RYUK generally attempts to try to stop anti-malware software. It is also capable of constantly adjusting itself to the infected system, installing different versions of the ransomware based on a system’s architecture. The alert added that when a RYUK infection occurs, malware is commonly observed distributing a trojan as part of the infection chain, which subsequently deploys additional post-exploitation tooling to enable credential harvesting. This remotely monitors the victim’s workstation and performs the lateral movement to other machines within the network. This initial infection enables the attacker to assess whether the machine presents a ransomware opportunity and if so, to deploy RYUK.

Given the pervasive and insidious nature of RYUK ransomware attacks and the increasing number of breaches, manufacturing and energy facilities must now install active network monitoring protection across their networks which is capable of highlighting vulnerabilities before an attack occurs as well as identifying the ransomware that may already be on the system and neutralizing it.