HC3 TLP White Analyst Note: New Ryuk Ransomware Variant Poses Threat to HPH Sector

March 12, 2021

The French National Agency for the Security of Information Systems (ANSSI) has identified a new variant of the Ryuk ransomware that is capable of self-replicating using existing Windows processes. The malware, which previously targeted the U.S. Healthcare and Public Health (HPH) Sector in October 2020, uses a privileged domain account as an initial infection point. After this foothold is established, the new variant spreads through the network, copying a unique version of the ransomware executable to new devices. Unlike previous versions of Ryuk, this new variant lacks any exclusion mechanisms to prevent multiple simultaneous infections or reinfections from occurring. Mitigations for this new variant, while limited, are included in the full report.