Monday, May 12, 2025
HomeRansomwareRyuk Ransomware Operators Employ Powershell Commands to Deploy Ransomware

Ryuk Ransomware Operators Employ Powershell Commands to Deploy Ransomware

Published on

SIEM as a Service

Follow Us on Google News

Recently, cybersecurity experts have claimed that the operators of Ryuk Ransomware are targeting severe infrastructures to extort high ransom from their victims.

In 2018, the Ryuk ransomware was spotted for the first time, and the security researchers claim that the Ryuk procured and developed by its operators from the Hermes ransomware’s source code. 

As last year one of the largest health care organizations that has more than 90,000 employees, 400 hospitals, behavioral health centers, outpatient clinics in the U.S. and U.K. have been attacked by the operators of Ryuk Ransomware.

- Advertisement - Google News

By force, the organization had to covey all their patients to other hospitals and health centers, as the attackers managed to gain access to their internal IT network and shut down all the internal computer systems of this organization in the US.

However, in the victim list of Ryuk ransomware, there are not only health organizations, even there are other infrastructures as well, and here they are:-

  • Several oil and gas companies.
  • A U.S. agency.
  • A large engineering and construction services firm.
  • City and county government.
  • A financial software provider.
  • A food and drink manufacturer.
  • A newspaper.

But, later, the FBI publicly issued a warning about the Ryuk ransomware operators in June 2020, in which they claimed that the operators of Ryuk ransomware were also targeting educational institutes like K-12 institutes.

New tactics

As initial droppers, the operators of Ryuk ransomware have used the following malware:-

But, they have now adopted new methods and tactics, “PowerShell commands” by encoding this, they do the following things:-

  • Download the first payload.
  • Disable security tools.
  • Stop data backups.
  • Scan the network.

Apart from these things, to deploy the ransomware on the infected system, they also exploit the Windows Management Instrumentation (WMIC) and BitsAdmin. 

The operators of Ryuk ransomware designed this new strategy form to empower the ransomware to remain hidden for a longer time on the infected networks without any detection.

Hits the Government Systems

By using the new strategy form and tools, the operators of Ryuk ransomware have also targeted the government systems, and during their attack, they managed to encrypt near about 2,000 internal systems and critical services.

While the experts explain that to execute this attack the operators of Ryuk have first gain access to an account of a domain administrator whose passwords were saved in a group policy.

Here, to scan the network and disable the security tools, the attackers used PowerShell; after that to copy the Ryuk to additional hosts with privileged account credentials they exploited the Windows Management Instrumentation (WMIC), PowerShell, and BitsAdmin.

Recommendations

Moreover, the U.S. federal government have suggested the companies few recommendations to combat these threats, and here they are mentioned below:-

  • Perform regular backups.
  • Risk analysis to identify all the potential issues.
  • Proper staff training.
  • Keep the systems updated with the latest updates and security patches.
  • Application whitelisting to keep track of all the approved applications.
  • Incident response to identifying and eliminate cyberattacks.
  • Business Continuity.
  • Penetration Testing.

Cybersecurity analysts have ensured that by following the above-mentioned recommendations the companies and organizations will be able to protect their users from cyber attacks like this.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cybercriminals Hide Undetectable Ransomware Inside JPG Images

A chilling new ransomware attack method has emerged, with hackers exploiting innocuous JPEG image...

New Mamona Ransomware Targets Windows Systems Using Abused Ping Command

Cybersecurity researchers are raising the alarm about a newly discovered commodity ransomware strain dubbed Mamona,...

Play Ransomware Deployed in the Wild Exploiting Windows 0-Day Vulnerability

Patched Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS) driver was...