The ransomware is operated by Russian cybercriminal syndicate Wizard Spider, and has been infecting victims for several years. It’s been on the radar of several cybersecurity agencies, especially since its operators were ruthless enough to attack healthcare facilities in the middle of the Covid-19 pandemic.
Analyzing a new sample of the ransomware at the National Agency for the Security of Information Systems (ANSSI), France’s national cybersecurity agency, researchers discovered that Ryuk can now spread from one machine to another on its own.
The ANSSI report notes that Ryuk was not previously known to propagate automatically within the network. Also, while the French researchers haven’t seen Ryuk being offered for sale on the dark web, Deloitte researchers believe the ransomware is sold as a toolkit to attackers, which means there could be several variants in circulation.
In the report, ANSSI discusses a sample discovered during an incident response in early 2021, which exhibited previously absent worm-like capabilities. Using its newfound powers, the ransomware was seen to automatically spread and infect other machines in the network.
“Through the use of scheduled tasks, the malware propagates itself – machine to machine – within the Windows domain. Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible,” explained the researchers.
It’s not known whether the French cybersecurity agencies have shared details about the new strain with their counterparts in other countries.
However, Ryuk has previously been the subject of a joint advisory from CISA, FBI and Department of Health and Human Services, triggered by the attack on US hospitals last year.
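For defenders, the scheduled-task propagation quoted above suggests one hunting approach: look for the same task command being registered on many hosts within minutes. The sketch below is an added example, not code from the article or the ANSSI report. It assumes task-creation records (such as Windows Security event 4698, "A scheduled task was created") have already been collected centrally; the records, host names, file paths and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (host, creation time, task name, task command).
# None of these values come from the ANSSI report.
EVENTS = [
    ("WS-01",  "2021-02-01T10:00:05", r"\svc_a",  r"C:\Users\Public\example.exe"),
    ("WS-02",  "2021-02-01T10:01:12", r"\svc_b",  r"C:\Users\Public\example.exe"),
    ("SRV-01", "2021-02-01T10:02:40", r"\svc_c",  r"C:\Users\Public\EXAMPLE.exe"),
    ("WS-03",  "2021-02-01T10:03:59", r"\svc_d",  r"C:\Users\Public\example.exe"),
    # Same command on three hosts, but weeks apart: routine rollout, not fan-out.
    ("WS-01",  "2021-01-10T02:00:00", r"\Backup", r"C:\Tools\backup.exe"),
    ("WS-02",  "2021-01-17T02:00:00", r"\Backup", r"C:\Tools\backup.exe"),
    ("WS-03",  "2021-01-24T02:00:00", r"\Backup", r"C:\Tools\backup.exe"),
]


def find_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {command: sorted hosts} for task commands created on at least
    min_hosts distinct hosts inside one sliding time window."""
    by_cmd = defaultdict(list)
    for host, ts, _task, cmd in events:
        # Group on the command, not the task name: names can differ per host.
        by_cmd[cmd.lower()].append((datetime.fromisoformat(ts), host))

    hits = {}
    for cmd, seen in by_cmd.items():
        seen.sort()
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it spans <= `window`.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            hosts = {h for _, h in seen[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits.setdefault(cmd, set()).update(hosts)
    return {cmd: sorted(hosts) for cmd, hosts in hits.items()}


if __name__ == "__main__":
    for cmd, hosts in find_fanout(EVENTS).items():
        print(f"possible task fan-out: {cmd} on {len(hosts)} hosts: {hosts}")
```

The window and host-count thresholds need tuning per environment, since software deployment tools also create identical tasks on many machines at once.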