Ryuk ransomware attack caused by student pirating software
A software crack came with an info-stealer.
Security firm Sophos has revealed how pirated software was the cause of a major ransomware attack that cost a major scientific organization a week's work and a lot of money.
A student working at a European biomolecular research institute was allowed to use expensive data visualization software. He wanted a version of that software for his own device, but the license was most likely too expensive - so, as a workaround, he tried to install a cracked copy he found online.
The crack triggered a malware warning from Microsoft Defender. He not only ignored the warning, but disabled the antivirus tool, as well as the firewall, to get the crack to run. Fast-forward a few weeks, and the incident response team from Sophos learned that the crack was actually info-stealing malware.
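The two conditions described above, real-time antivirus switched off and the host firewall disabled, are cheap to audit, and a defender would want to catch them long before an info-stealer has days to work. The script below is an added example, not code from the article or from Sophos: a read-only PowerShell audit for a Windows 10/11 endpoint that reports whether Microsoft Defender real-time protection or any Windows Firewall profile is disabled, and lists Defender's own "protection disabled" events (IDs 5001, 5010 and 5012) from the last 30 days. It assumes the Defender and NetSecurity PowerShell modules are present and that it runs from an elevated prompt; the 30-day window and the output wording are the example's own choices.

```powershell
# Added example (not from the article or the Sophos report): read-only audit of
# the protections the student in the story switched off. Assumes Windows 10/11
# with the Defender and NetSecurity modules, run from an elevated prompt.

$findings = @()

# 1. Defender state: check both the configured preference and the live status,
#    since either one alone can be misleading after a policy change.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
    $findings += "Defender real-time protection is OFF"
}
if (-not $status.AntivirusEnabled) {
    $findings += "Defender antivirus engine is disabled"
}

# 2. Firewall state for every profile (Domain, Private, Public).
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings += "Windows Firewall is OFF for the $($profile.Name) profile"
    }
}

# 3. Defender's own records of protection being turned off:
#    5001 = real-time protection disabled, 5010 = antispyware disabled,
#    5012 = antivirus disabled. The 30-day window is this example's choice.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings += "Defender event $($e.Id) at $($e.TimeCreated): $firstLine"
}

# 4. Report. A clean host prints one OK line; anything else is worth a ticket.
if ($findings.Count -eq 0) {
    Write-Output "OK: Defender real-time protection and firewall enabled on $env:COMPUTERNAME; no disable events in the last 30 days."
} else {
    Write-Output "ATTENTION: $($findings.Count) finding(s) on $env:COMPUTERNAME"
    foreach ($f in $findings) { Write-Output " - $f" }
}
```

Run it on the endpoint itself, or wrap it in `Invoke-Command` against a list of hosts, and have the "ATTENTION" lines feed whatever alerting already exists. The point is that a user disabling Defender and the firewall leaves a clear trail in the Defender operational log, so a short scheduled check would have surfaced this host within minutes rather than weeks.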
The info-stealer was in use by a malicious third party for a few days, doing what it does best - gathering keystrokes, stealing browser cookies, clipboard data and the like. Somewhere along the way, Sophos explained, it found the student's access credentials for the institute's network.
Once enough data was gathered, Ryuk ransomware was deployed. It encrypted all of the data it found on the network, and most likely demanded payment in cryptocurrency.
Old backup
While Sophos did not go into detail about how much money the operators asked for, or whether or not the institute paid the ransom, it did say that the organization lost a week's worth of data, given that its backup wasn't up to date.
The institute also suffered operational impact, as all computer and server files needed to be rebuilt from the ground up, before any data could be restored.
“Perhaps the hardest lesson of all,” Sophos says, “was discovering that the attack and its impact could have been avoided with a less trusting and more robust approach to network access.”
It also said that the group that planted the info-stealer probably wasn't the same one that installed Ryuk. The most likely scenario is that, once access was established, it was sold on the dark web to the highest bidder.
Pirating software is not only illegal, but also dangerous, Sophos concluded.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.