External Threat Management Labs Analyst

RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

Ryuk ransomware has flooded US hospitals, threatening to shut down their operations when they are needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, and its operators are finding success at a time when many healthcare organizations are most vulnerable.

However, the cybersecurity community is pooling its resources to combat this rash of attacks, providing network defenders with the alerts and intelligence they need to protect our healthcare institutions.

To do our part, RiskIQ released all of the infrastructure related to the Ryuk ransomware strain that has been collected by RiskIQ's Internet Intelligence Graph. These expansive, unique holdings complement recent public efforts by US federal agencies and researchers at FireEye, exposing all known infrastructure these criminals use to execute their attacks. FireEye also publicly released all relevant Ryuk indicators of compromise (IOCs) it has observed in 2020.

Enter RiskIQ's Threat Intelligence Portal for the full list of Ryuk IOCs

Ryuk malware is believed to be deployed by Eastern European criminals and delivered by the same threat actors behind the Trickbot malware platform. Trickbot was the subject of a massive takedown attempt carried out by Microsoft earlier this month, reportedly in cooperation with US CYBERCOM.

Federal agencies issued an alert aimed at the United States healthcare industry, providing context on the Ryuk threat and releasing IOCs. Those agencies, the Federal Bureau of Investigation (FBI), the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), also hosted a conference call to advise healthcare industry leaders.

Healthcare organizations can use this RiskIQ intelligence to search their networks for signs of an attack and to block malicious connections to Ryuk command-and-control servers. Our researchers have organized the IOCs to include every IP address, domain, and SHA-256 sample hash we have identified, in addition to what has previously been released publicly.

Users are encouraged to check the Internet Intelligence Portal daily to keep up to date with the latest developments and intelligence on Ryuk ransomware, as well as on other strains of ransomware that may arise.
