Sloppiness of Student Allows Ryuk Ransomware to Target Bio Research Institute


Cybersecurity vendor Sophos has revealed how a 'cracked' copy of a data visualization tool was the root cause of a major ransomware attack that cost a European research institute a week's work and a lot of money.

A student working at a European biomolecular research institute had been allowed to use an expensive data visualization package. The student went looking for a free copy of the tool; as the licence was most likely too expensive, the student eventually settled on a cracked version instead.

The crack triggered a malware warning from Microsoft Defender, which he not only ignored but responded to by disabling the antivirus tool as well as the firewall. Thirteen days later, a remote desktop protocol (RDP) connection was registered on the institute's network using the student's credentials, and the Sophos incident response team later determined that the 'crack' was actually info-stealing malware.

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely. This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection. Ten days after this connection was made, the Ryuk ransomware was launched,” Sophos explained. 

The malware was used by a malicious third party for several days to harvest keystrokes and steal browser cookies, clipboard data and the like. Sophos did not say how much money the operators demanded or whether the institute paid the ransom, but it did say the organization lost a week's worth of data because its backups were not up to date.

The institute also bore the operational cost: every computer and server had to be rebuilt from the ground up before any data could be restored. Sophos also said that the group that planted the info-stealer was probably not the one that deployed Ryuk; the most likely scenario is that, once access had been established, it was sold on the dark web to the highest bidder.

As a precautionary measure, Sophos advised organizations to enable multi-factor authentication (MFA) for access to any internal network, especially by third parties, to keep software regularly updated, to segment networks and to restrict account privileges. It also urged customers to lock down RDP access with static Local Area Network (LAN) rules, via Group Policy or access control lists.
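As an added example (not code from the Sophos report), this is the correlation an analyst could run over Windows logon and print-spooler records to surface sessions like the one described above: an RDP logon from outside the LAN allowlist, followed within minutes by the installation of a redirected printer driver whose name uses a script the organization would not expect. The log export format, accounts, addresses and driver names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample export (not from the Sophos report), one record per line:
# timestamp|event|account|key=value;key=value. 4624 with LogonType=10 is the
# Windows RemoteInteractive (RDP) logon; "DriverAdded" stands in for the print
# spooler record written when a session's redirected printer driver is installed.
SAMPLE_LOG = """\
2021-03-01T09:12:03|4624|student01|LogonType=10;Src=10.0.5.22
2021-03-01T09:12:07|DriverAdded|student01|Name=HP Universal Printing PCL 6
2021-03-14T02:41:10|4624|student01|LogonType=10;Src=203.0.113.7
2021-03-14T02:41:15|DriverAdded|student01|Name=Принтер HP LaserJet (перенаправлен)
2021-03-14T03:05:00|4624|svc_backup|LogonType=5;Src=-
"""

CYRILLIC = re.compile(r"[\u0400-\u04FF]")  # script the institute would not expect


def parse_log(text):
    """Turn the pipe-delimited export into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, event, account, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "account": account, **fields})
    return events


def find_suspicious_rdp(events, lan_prefixes=("10.",), window=timedelta(minutes=5)):
    """Return (time, account, reasons) for RDP logons that came from outside the
    LAN allowlist or installed a driver with an unexpected script soon after."""
    findings = []
    for logon in events:
        if logon["event"] != "4624" or logon.get("LogonType") != "10":
            continue
        reasons = []
        if not logon.get("Src", "").startswith(lan_prefixes):
            reasons.append("rdp-source-outside-lan")
        for drv in events:  # driver installs for the same account inside the window
            if (drv["event"] == "DriverAdded" and drv["account"] == logon["account"]
                    and logon["ts"] <= drv["ts"] <= logon["ts"] + window
                    and CYRILLIC.search(drv.get("Name", ""))):
                reasons.append("cyrillic-printer-driver")
        if reasons:
            findings.append((logon["ts"].isoformat(), logon["account"], reasons))
    return findings
```

Only the second session is reported: the first RDP logon comes from the LAN and installs an ordinary driver, and the service-account logon is not an RDP session at all.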