
Ryuk ransomware attack caused by student pirating software


Security firm Sophos has revealed how using pirated software was the cause of a major ransomware attack that cost a major scientific organization a week’s work and a lot of money.

A student working at a European biomolecular research institute was allowed to use expensive data visualization software. He also wanted a copy of that software for his own device, but the license was most likely too expensive, so as a workaround he tried to install a cracked copy he found online.

The crack triggered a malware warning from Microsoft Defender, which he not only ignored but responded to by disabling the antivirus tool, along with the firewall. A few weeks later, the incident response team from Sophos learned that the crack was actually info-stealing malware.

The info-stealer was in use by a malicious third party for a few days, doing what it does best: gathering keystrokes, stealing browser cookies, clipboard data and so on. Somewhere along the way, Sophos explained, it found the student’s access credentials for the institute’s network.

Once enough data was gathered, Ryuk ransomware was deployed. It encrypted all of the data it found on the network, and most likely demanded payment in cryptocurrency.

Old backup

While Sophos did not go into detail about how much money the operators asked for, or whether or not the institute paid the ransom, it did say that the organization lost a week’s worth of data, given that its backup wasn’t up to date.

The institute also suffered operational impact, as all computer and server files needed to be rebuilt from the ground up before any data could be restored.

“Perhaps the hardest lesson of all,” Sophos says, “was discovering that the attack and its impact could have been avoided with a less trusting and more robust approach to network access.”

It also said that the group that planted the info-stealer probably wasn’t the same one that deployed Ryuk. The most likely scenario is that, once access was established, it was sold on the dark web to the highest bidder.

Pirating software is not only illegal, but also dangerous, Sophos concluded.