According to Google, Ryuk is ‘a fictional character in the manga series Death Note’. I have no idea what this is, but I imagine it’s significantly less interesting than the Ryuk ransomware campaign that’s currently hitting businesses right across the world.
The UK’s NCSC is investigating such campaigns and has recently published an advisory on it, and we’re no strangers to Ryuk at Bulletproof either. I should clarify that’s because we’ve conducted several forensics investigations and our managed SIEM service blocks ransomware attacks like Ryuk for a variety of customers, not because we keep installing it ourselves. Not even Chaz the intern is that incompetent.
What is Ryuk? How does it work its way into environments? What has the impact been thus far? How can you defend against it? Well, I’m glad you asked...
Ryuk is a strain of ransomware, a piece of malware that encrypts files and demands a monetary sum, usually in the form of Bitcoin, for their restoration. It evolved from a strain of malware called Hermes, which was allegedly used by North Korea in a nation state campaign. Ryuk itself was allegedly (again) mainly used by the hacking group GRIM SPIDER, proving once and for all that hacking groups are terrible at names. This uninviting arachnid would target large organisations and attempt to extort sizable sums from them in the form of Bitcoin.
The prevalence of ransomware became such that as early as 2017, it was common to find companies stockpiling bitcoin for fear of being targets themselves. Hoarding currency in preparation to give in to the demands of hackers is not the sort of security strategy we recommend. The Ryuk strain first made itself known in August 2018 and, over the course of two months, managed to extort over £500,000 in ransom. That is quite a good haul for two months’ work, so it’s no wonder it’s still alive today.
Ryuk also has the interesting ability to delete shadow copies (backup ‘snapshots’) and disable Windows System Restore, taking backups out of the equation. Unless, of course, you back up to secure offline storage.
Ryuk often slinks into environments as a hidden bonus to the Emotet or Trickbot banking trojans. Emotet is a veteran in the malware community, having first been detected as far back as 2014, which is positively ancient by technology standards. Whilst originally designed to steal sensitive information, it increasingly became used as a dropper to sneak in other malware, like a digital smuggler.
Of course, we must never forget the classic phishing email. As we’ve stated more than once, the easiest way to slip unnoticed into your environment is to just ask a member of staff to let us in. They’re often far more willing than you’d suspect. A well-crafted email with a dodgy link or a tainted attachment can undo all your security in an instant. Alternatively, a clever ‘your password is due to expire, please reset it,’ email could provide hackers with the means of logging into your environment to drop some ransomware themselves.
The most obvious sign that you have been affected by ransomware can be seen in a sudden inability to read any of your files. You may notice files that previously held the extension .docx, for example, suddenly change to .RYK. Another sign will be the helpful ‘RyukReadMe.txt’, which politely informs you that all your files are belong to them, along with the non-negotiable price to have them returned and a BTC wallet address. The worst thing about the file is it will often be littered with spelling and grammar issues.
Flippancy aside, if you’re doing some stringent monitoring, you will be able to spot some initial activity that suggests Emotet (or other dropper) activity, which can be acted upon before any real damage is done. Network traffic, IoCs and certain rules might indicate the presence of a dropper.
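The two on-disk signs described above (files renamed to .RYK and a RyukReadMe.txt note) are simple enough to sweep for on a file share. The following is an added example written for this article, not Bulletproof’s tooling: it walks a directory tree, collects any ransom note and flags folders where a large share of files carry the encrypted extension. The 20% threshold, the temporary sample tree and the file names inside it are constructed for the demonstration.

```python
"""Sweep a directory tree for the Ryuk indicators named in the article:
the RyukReadMe.txt ransom note and files renamed to the .RYK extension."""
import os
import tempfile
from collections import defaultdict
from pathlib import Path

RANSOM_NOTE_NAMES = {"ryukreadme.txt"}  # from the article; matched case-insensitively
ENCRYPTED_EXTENSIONS = {".ryk"}         # from the article; matched case-insensitively
SUSPICIOUS_RATIO = 0.2                  # assumption: >=20% of a folder renamed is a red flag


def classify_paths(paths):
    """Return (notes, hot_folders) for a list of file paths.

    notes       - paths of any ransom note found
    hot_folders - {folder: (encrypted_count, total_count)} for folders whose
                  share of .RYK files meets SUSPICIOUS_RATIO
    """
    notes = []
    per_folder = defaultdict(lambda: [0, 0])  # folder -> [encrypted, total]
    for p in map(Path, paths):
        folder = str(p.parent)
        per_folder[folder][1] += 1
        if p.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(str(p))
        if p.suffix.lower() in ENCRYPTED_EXTENSIONS:
            per_folder[folder][0] += 1
    hot = {f: (enc, tot) for f, (enc, tot) in per_folder.items()
           if tot and enc / tot >= SUSPICIOUS_RATIO}
    return notes, hot


def scan_tree(root):
    """Collect every file under root and classify it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


def verdict(notes, hot):
    """Combine the two indicators: both present is the classic post-encryption picture."""
    if notes and hot:
        return "ransomware"
    if notes or hot:
        return "suspicious"
    return "clean"


def demo():
    """Build a constructed share (one encrypted folder, one untouched) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        finance = Path(root, "shares", "finance")
        finance.mkdir(parents=True)
        for name in ["q1.docx.RYK", "q2.xlsx.RYK", "budget.pdf.RYK",
                     "notes.txt", "RyukReadMe.txt"]:
            (finance / name).write_text("constructed sample")
        hr = Path(root, "shares", "hr")
        hr.mkdir()
        for name in ["policy.docx", "handbook.pdf"]:
            (hr / name).write_text("constructed sample")
        notes, hot = scan_tree(root)
        return verdict(notes, hot), len(notes), [os.path.basename(f) for f in hot]


if __name__ == "__main__":
    print(demo())
```

In practice the sweep would run from a read-only mount of the share, and the folder ratio matters more than any single file: one stray .RYK file is worth a look, a folder that is mostly .RYK alongside a note is the signal described in the article.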
Bulletproof conducted a forensics investigation on behalf of a customer who had been hit by a ransomware attack. After analysing their log files, we put together a timeline that showed a clear string of interlinked events, a chain of causation if you will, that told us the story of how they had been compromised.
Our forensics timeline showed that a dropper landed on the customer’s environment a full two days before it was executed. The catalyst for this disaster seemed to be a curious user accessing the dropped file. Minutes later, the machine had been totally encrypted with military-grade encryption.
From the customer’s point of view, they’re now clear on where they went wrong. But this wasn’t enough for us. Our research division, Bulletproof SpecialOps®, is constantly looking for new ways to make sure our managed threat protection can safeguard against all attacks. They saw it as an opportunity to test managed SIEM (our 24/7 threat protection tool).
So, in the interest of science, we fired up a test environment that was configured to be almost identical to the customer’s original environment and re-created the attack timeline. This time, we had managed SIEM running. We slipped in the dropper via a phishing email, as per the original attack, and straight away saw alerts for a suspicious email. This told us that we could’ve stopped the attack dead in its tracks at stage one, before it had even got going. However, we ignored this and let things run their course in this test environment.
Next, we saw the dropper land, which also triggered alerts in our research team’s dashboards. Finally, we executed Ryuk, which promptly began eating through the filesystem. Again, this triggered more alerts. The conclusion? Managed SIEM would have allowed us to isolate and block this ransomware infection at every stage of the kill chain.
If I had a pound for every time I mentioned the cyber kill chain, I’d have roughly £98.50 (I was once interrupted halfway through saying it). The cyber kill chain is important, and basically outlines the approach hackers take when compromising a business. It consists of seven stages: Reconnaissance, weaponisation, payload, exploitation, installation, command and control, and finally, action.
In the context of Ryuk, GRIM SPIDER would start by conducting some recon. They’d research their target, probe their environment for weaknesses, find out what they can about staff and suppliers (for phishing purposes) etc. Then they’d move onto weaponisation and put together their malware packages. The payload is where they drop the malware, whereas exploitation will be where they take advantage of some weakness found during reconnaissance. The rest is fairly self-explanatory.
In order to defend effectively against these sorts of attacks, you need to map your security strategy against the kill chain. This means being able to spot activity at each stage, from recon to action (although if you let it get that far, you’re talking more remediation than defence). The only real way to do this is to have some 24/7 managed SIEM monitoring – ideally with proactive threat hunting. Even something as elementary as daily log reviews could’ve helped here, thanks to the two-day dwell time between drop and infection.
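Mapping activity to the kill chain and measuring the dwell time between drop and execution is mostly bookkeeping over timestamped events. The block below is an added example, not part of Bulletproof’s Managed SIEM: it parses constructed key=value log lines, tags each with one of the seven stage names the article lists, computes the hours between the dropper landing and running, and counts how many once-a-day log reviews would have fallen inside that window. The event names, the stage mapping, the 09:00 review time, the host names, paths and the 203.0.113.45 address are all assumptions made for the example.

```python
"""Tag constructed log events with kill-chain stages and measure dropper dwell time."""
import re
from datetime import datetime, time, timedelta, timezone

# Event type -> kill-chain stage, using the stage names the article lists.
# The event names are constructed for this example, not a real SIEM schema.
STAGE_OF_EVENT = {
    "mail_attachment":         "payload",              # phishing email with attachment delivered
    "file_created":            "payload",              # dropper lands on disk
    "file_opened":             "exploitation",         # a curious user opens the dropped file
    "process_started":         "installation",         # dropper / ransomware binary executes
    "net_connect_blocklisted": "command and control",  # outbound connection to a listed address
    "shadow_copy_deleted":     "action",               # backups taken out of the equation
    "file_renamed":            "action",               # .docx -> .RYK
}
STAGE_ORDER = ["reconnaissance", "weaponisation", "payload", "exploitation",
               "installation", "command and control", "action"]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+)(?P<rest>.*)$")

# Constructed log lines: one mail gateway, one workstation, a two-day gap before execution.
SAMPLE_LOG = """
2019-09-30T08:55:10Z host=mx01 event=mail_attachment user=jane file=invoice_0930.doc
2019-09-30T08:57:42Z host=ws07 event=file_created path=C:/Users/jane/Downloads/invoice_0930.doc
2019-09-30T09:00:00Z host=ws07 event=logon user=jane
2019-10-02T10:14:03Z host=ws07 event=file_opened user=jane path=C:/Users/jane/Downloads/invoice_0930.doc
2019-10-02T10:14:09Z host=ws07 event=process_started image=C:/Users/jane/AppData/Local/Temp/upd.exe
2019-10-02T10:14:30Z host=ws07 event=net_connect_blocklisted dst=203.0.113.45:443
2019-10-02T10:16:01Z host=ws07 event=shadow_copy_deleted
2019-10-02T10:16:05Z host=ws07 event=file_renamed from=Q1.docx to=Q1.docx.RYK
2019-10-02T10:16:06Z host=ws07 event=file_renamed from=Q2.xlsx to=Q2.xlsx.RYK
""".strip().splitlines()


def parse_line(line):
    """Parse one 'timestamp host=... event=... k=v ...' line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = dict(kv.split("=", 1) for kv in m["rest"].split())
    return {"ts": ts, "host": m["host"], "event": m["event"], **fields}


def build_timeline(lines):
    """Keep only events with a stage mapping, sorted by time, each tagged with its stage."""
    events = [e for e in map(parse_line, lines) if e and e["event"] in STAGE_OF_EVENT]
    events.sort(key=lambda e: e["ts"])
    for e in events:
        e["stage"] = STAGE_OF_EVENT[e["event"]]
    return events


def _dwell_bounds(timeline):
    """(landed, ran): first dropper-on-disk event and first execution event, or None."""
    landed = next((e["ts"] for e in timeline if e["event"] == "file_created"), None)
    ran = next((e["ts"] for e in timeline if e["event"] == "process_started"), None)
    return (landed, ran) if landed and ran and ran >= landed else None


def dwell_time(timeline):
    """Hours the dropper sat on disk before it was executed."""
    bounds = _dwell_bounds(timeline)
    if not bounds:
        return None
    landed, ran = bounds
    return (ran - landed).total_seconds() / 3600


def missed_daily_reviews(timeline, review_hour=9):
    """How many once-a-day log reviews (assumed at review_hour UTC) fell inside the dwell window."""
    bounds = _dwell_bounds(timeline)
    if not bounds:
        return 0
    landed, ran = bounds
    count, day = 0, landed.date()
    while True:
        review = datetime.combine(day, time(review_hour), tzinfo=timezone.utc)
        if review > ran:
            return count
        if review >= landed:
            count += 1
        day += timedelta(days=1)


def earliest_stage(timeline):
    """The earliest kill-chain stage at which this chain produced a loggable event."""
    return min((e["stage"] for e in timeline), key=STAGE_ORDER.index) if timeline else None


def summarise(lines):
    tl = build_timeline(lines)
    return {"stages": [e["stage"] for e in tl],
            "dwell_hours": round(dwell_time(tl), 1) if dwell_time(tl) is not None else None,
            "missed_reviews": missed_daily_reviews(tl),
            "earliest_stage": earliest_stage(tl)}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

On the sample data the dropper sits idle for just over 49 hours, so three daily reviews pass with the dropped file visible in the logs before anything is encrypted, which is the point the article makes about even elementary log review being useful here.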
However, avoiding the hard sell, constant monitoring really is the key to a robust cyber defence. In the case of our customer, had they been regularly checking their logs, they’d have been able to see the dropper landing on their environment. They’d have been able to isolate this and remove it and potentially even see how it got on there and patch up that weakness. If that weakness is a staff member, they can tut disapprovingly, and invest in security awareness training.
Threats can come at any time of the day and from anywhere in the world. Recon activity is largely automated, easily available to hackers and is happening continuously. Therefore, a decent monitoring service will be able to discriminate the serious stuff from the lazy botnet herders. That requires dedicated and experienced analysts armed with the latest threat intelligence. Ultimately, running this in-house is out-of-reach for many organisations. Outsourcing on the other hand, and I hope you don’t mind if I humbly suggest Bulletproof here, is a best-of-both-worlds approach.
Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.