Resource Center  >  Blog

Exploring Ryuk and Conti Ransomware Gangs

February 6, 2024
Levan Abesadze
Tags:

Part 1 of 2

In the dynamic landscape of cyber threats, the battle between ethical and malicious actors has escalated to unprecedented levels. The shift in motivations, from mere amusement to the pursuit of financial gains, has given rise to ransomware gangs that pose a substantial threat to diverse sectors. The implications of this transformation are worrisome for organizations globally, emphasizing the critical need for vigilance and awareness. In this evolving digital battleground, staying informed becomes not only a proactive strategy but a formidable defense mechanism for safeguarding against the menace of ransomware attacks. 

Part 1 of our ransomware gangs series sheds light on two notorious groups: Ryuk and Conti. This exploration aims to uncover the tactics, evolution, and impact of these malicious entities on critical industries.

Ryuk: A Threat to Healthcare 

Ryuk, named after a fictional death spirit in Japanese folklore, has become a notorious player in the realm of cybercrime. Specializing in high-stakes ransomware attacks, this group has honed its focus on the healthcare sector, presenting a threat to medical institutions across the United states. 

Ryuk has established itself as a formidable adversary, particularly targeting hospitals in the United States. Between 2018 and 2021, the group executed a staggering 235 confirmed attacks, raking in over $100 million through their relentless ransom demands in 2020 alone. Employing hostile diplomatic relations with their targets, Ryuk often resorts to intimidation when payment is refused. This targeted approach has not only financial implications but also raises concerns about the safety and well-being of those relying on critical healthcare services. 

Tactics Evolution

The ransomware gang has not remained stagnant in their approach. Ryuk continually modifies its malware types and techniques, transitioning from the infamous Trickbot and Emotet to more sophisticated tools like BazarLoader and BazarBackdoor. These advanced tools come at a higher cost but prove to be more effective, eluding detection by many endpoint security systems. Ryuk’s ability to adapt and evolve highlights the dynamic nature of cyber threats, requiring organizations to stay one step ahead in their defense strategies. 

Deceptive Phishing Tactics 

Ryuk employs a sophisticated and diverse range of phishing tactics to infiltrate its targets. These maneuvers include posing as legal professionals or other individuals, initiating discussions on specific topics, or even claiming local affiliations, thereby introducing an additional layer of intricacy to their operations. Operating as a service, Ryuk consistently dispatches these deceptive emails on a daily basis. This relentless approach has proven highly effective, evident in instances where multiple hospitals across the USA fell victim to the same threat actors in a single day. The repercussions of their attacks on healthcare institutions are alarming, as the group strategically targets vulnerable systems, resulting in substantial disruptions to emergency care services.

Impact on healthcare

The recovery process for hospitals can span weeks, leading to disruptions in essential services. A distressing example from Manchester highlights the consequences of such attacks, where a hospital was unable to take immediate action due to the decryption of essential medical files, including X-rays and CT scans. Research has also shown that ransomware attacks have resulted in fatalities. In Germany, for instance, Dusseldorf Hospital had to redirect an emergency case involving an elderly woman with an aneurysm to another hospital in Wuppertal, which was 20 miles away. Tragically, a baby born with a brain injury in Alabama lost their life because the attackers had ransomed the hospital, rendering all computers offline.The collateral damage extends beyond financial loss, affecting patient care and endangering lives. 

Conti: The Successor to Ryuk 

Conti, a formidable successor to Ryuk in the ransomware landscape, employs a diverse array of tactics designed to infiltrate and compromise targeted systems. One distinctive characteristic of Conti’s operations is its collaboration with another gang known as Maze, utilizing RDP (Remote Desktop Protocol) brute force attacks to gain unauthorized access. In an RDP brute force attack, the attacker typically uses automated tools or scripts to repeatedly try different username and password combinations until they find the correct credentials that grant access to the targeted system. 

Unlike its predecessor, Conti strategically avoids targeting old Soviet countries and promptly exits systems using the Russian language, showcasing a level of sophistication and strategic selectiveness. 

Unique Tactics

Conti’s approach extends to its exploitation of vulnerabilities during the COVID-19 pandemic. Notably, the group poses a substantial threat to the United Kingdom by actively targeting hospitals. Unlike traditional ransomware Conti utilizes various strains with the ChaCha algorithm, enhancing the complexity of their attacks and making decryption more challenging. 

Examples of Conti’s impact on organizations are particularly distressing. The group not only encrypts essential data but also engages in the extortion of sensitive information. A significant departure from conventional ransome practices, Conti sells the victim’s data on the Darkweb even after the ransom has been paid. This dual-treat approach intensifies the consequences for organizations, as they not only face the immediate aftermath of a ransomware attack but also the potential exposure and exploitation of confidential information. 

Threat Dynamics

The collaboration between Conti and other threat actors, coupled with its ability to adapt and innovate in its tactics, presents an ongoing challenge for cybersecurity professionals. The United States government, recognizing the severity of the threat, has imposed fines for disclosing information about the criminal organization. Despite these measures, Conti’s impact is far-reaching, emphasizing the urgent need for advanced cybersecurity strategies, threat intelligence sharing, and international cooperation to mitigate the evolving risks posed by such sophisticated ransomware groups. 

Conclusion

As Ryuk and Conti continue to wreak havoc, it is imperative for organizations, especially in critical sectors like healthcare, to bolster their cybersecurity defenses. By understanding their threats and strategies, we’ve provided a foundation for organizations to strengthen their security posture. Identifying these harmful forces is the first step in securing your organization against the continually changing landscape of cyber threats. In part two of this series, we’ll explore Maze and Lockbit, offering insights to help you navigate the intricate world of ransomware threats. Stay tuned for a detailed examination of their approaches and impacts as we continue to enhance cybersecurity awareness. 

You can read part 2 of the series here.

The Role of AI in Application Security

Wednesday, March 6th 9:00 am PT

In today’s interconnected digital landscape, data exchange plays a pivotal role in web applications. Extensible Markup Language (XML) is a

See more

In the previous segment of our blog series, we looked at the operations of Ryuk and Conti ransomware groups, shedding light on their tactics and impact. In this section, we turn our attention to Maze and Lockbit, two formidable players in the cyber threat landscape, exploring their collaborative dynamics, unique characteristics, and the evolving strategies that define their ransomware campaigns. 

See more

What Is CSRF? Cross-Site Request Forgery (CSRF) is a web application attack that forces an end user to execute unwanted

See more
Get Started
Read Bright Security reviews on G2