Ryuk ransomware has been targeting hospitals and healthcare providers over the last year. The path of infection for most ransomware is phishing, followed by targeting servers with vulnerabilities. But a new case shows how a Ryuk infection came about through a single person attempting to pirate software.

The Ryuk infection hit a European biomedical research institute involved in COVID-19-related research along with other activities in life sciences. The attack cost the institute a week’s worth of vital research data because, although it had backups, they were not fully up to date. Sophos was called in to contain and neutralize the attack, and to work out where it had come from, using logs and historical data, in order to prevent future attacks.

Analyzing the data, Sophos narrowed down the point of initial access: an external university student who wanted a personal copy of a data visualization software tool already being used for work but didn’t want to pay for it.

The student downloaded an apparent cracked copy of the software and tried to install it, but the file was pure malware. Windows Defender immediately triggered a security alarm, but the student disabled it, along with a firewall, and tried again.

Instead of a cracked copy of the data visualization software tool, it was a malicious info-stealer that began logging keystrokes, stealing browser cookies and more, eventually finding the student’s access credentials for the institute’s network.

Thirteen days later a remote desktop connection was registered on the institute’s network using the student’s credentials. Ten days later this connection installed the Ryuk ransomware.

The underground market for previously compromised networks, which offers attackers easy initial access, is thriving, and the malware operators sold their access on to another attacker. The RDP connection could have been the access brokers testing their access.

Internet-exposed RDP sessions are commonly exploited to infect end-user devices. Such sessions are intended to let a user remotely log in to a Windows computer and securely control the device.