Ryuk Compromises Bio Research Institute's Network Via Student's Cracked Software

Ryuk Compromises Bio Research Institute’s Network Via Student’s Cracked Software

A student unwittingly became an entry point for a ransomware malware that cost a biomolecular institute a weeks’ worth of vital research. The student didn’t want to pay for a software license and downloaded a cracked version of a program that was infected with malware.

Sophos cybersecurity company described a client’s case in which the team was to remediate an active cyberattack at a European biomolecular facility involved in the life sciences and research related to COVID-19. The name of the biomolecular institute has not been disclosed.

Sophos determined that it was Ryuk ransomware that had infiltrated the facility’s network through a student. 

The student wanted to install a data visualization software tool. But since a license would cost them hundreds of dollars per year, the student eventually chose to install a cracked version instead. To install the cracked software the student had to turn off Windows Defender and the firewall. Malware contained a Trojan. Because the institute allowed students to use their personal devices to access its network via remote Citrix sessions, the Trojan eventually harvested the student’s credentials for accessing the biomolecular institute’s network. 

Thirteen days later, an apparent attacker established a remote desktop protocol (RDP) connection using the student’s credentials and the name “Totoro,” an anime character. 

“A feature of RDP is that a connection also triggers the automatic installation of a printer driver, enabling users to print documents remotely,” Sophos says. “This allowed the Rapid Response investigation team to see that the registered RDP connection involved a Russian language printer driver and was likely to be a rogue connection.”

Sophos team believes that credentials for the institute’s network were sold in an underground market, and later the buyer made that RDP connection probably to test access. 

Ten days after the connection, Ryuk was deployed on the network and encrypted the institute’s network. This costed a week of research data as not all data had been backed up.

Before the institute could resume normal work, system and server files had to be “rebuilt from the ground up,” the researchers added. 

“This is a cautionary tale of how an end user’s security misjudgement can leave an organization exposed to attack when there are no solid security policies in place to contain the mistake,” commented Peter Mackenzie, manager of Rapid Response at Sophos.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.