This article is written by Divyashree K S. This article has been edited by Ojuswi (Associate, Lawsikho). 

This article has been published by Sneha Mahawar.

Introduction

Ransomware attacks most hit India in 2021. During covid times many hospitals have been victims of Ruyk ransomware attacks through trojan or phishing emails. The black hat hackers use malware to hack and attack the system. Ryuk ransomware is a kind of malware hack where the hacker extorts victims for data that is hacked in exchange for cryptocurrency. This is a new type of attack that has evolved since the birth of cryptocurrency. Since cryptocurrency is not regulated and is an anonymous payment gateway hackers are exploiting it. Crypto transactions are irreversible and immutable therefore they cannot be refunded back. In the growing age of technology and cryptocurrency, there are high chances of people getting hacked by such malware. This paper aims to understand the Ryuk attack and the laws related to it.

Download Now

What is Ryuk

Ryuk is a ransomware that encrypts the data of the victim and demands that money is paid to unlock the keys for encryption. Instructions to pay the price for receiving the decryption key are presented to users. The charges range from several hundred to thousands of dollars, payable in bitcoin to hackers.

Users have three major options once an invasion has been launched: 

  • attempt to restore their data from a backup 
  • pay the ransom 
  • give over their information to the attackers

Ransomware attack and its process

The assault begins with a phishing email or a drive-by download launched by visiting a website or clicking on a popup. Threat actors employ a dropper and a Trojan or bot to obtain permanent network access. They use traditional Advanced Persistent Threat (APT) operators’ tactics to move about the infiltrated network, such as targeting vulnerable workstations, installing keyloggers, and collecting passwords. They go in search of information to steal, then gather and exfiltrate it, progressively increasing their footprint. They also installed Ryuk on any system to which they have access. They encrypt the afflicted computers with Ryuk and then demand a ransom from their victims once they’ve accessed and exfiltrated all they can. Victims of the Ryuk attack have paid hundreds of thousands of dollars to regain access to their data. Regrettably, the blow that happens before Ryuk’s activation is the one that does the greatest damage. If companies knew how much data had already been stolen, they would be less likely to pay the ransom. Ryuk’s roots are already present in the networks of many public and private organisations. The discovery of this continuous access might be the only thing that rescues an already-under-attack company. Early detection and recovery can help to avoid exfiltration and the installation and activation of Ryuk, thereby removing the ransomware element. The key to detecting this persistence is knowing what to look for. The presence of any threats indicates that your network is under attack, and a Ryuk ransom will almost definitely be expected. The good news is that Core Network Insight detects Ryuk attack precursors early on, allowing you to clean up your endpoints and prevent threat actors from looting your data and installing Ryuk.

Stages of a ransomware attack 

Ransomware attacks use several methods to infiltrate systems. Instead of getting instructions from the host machine, ransomware is programmed to infiltrate the system invisibly. The primary stages of a ransomware assault have been divided into distinct segments, including:

Campaign and distribution 

This is the step in which ransomware tries to trick victims into downloading and running attachments by employing social engineering or by forcing them to visit infected websites, which leads to an attack.

Infection and staging process 

In this stage, the file itself initialises the system installation. However, the executable files set crucial functionalities to be effective after system reboot and file recuperation in the windows registry. The ransomware also connects to a random server or C2 server from TOR or a Dark network, which is extremely beneficial in delivering the information about an infected system back. Last but not the least, these files attempt to remove the shadow copy files from the windows systems.

Scanning and searching for content

In this step, ransomware is installed already and it begins to search local and network files and documents. But many ransomware operations give priority to shares of the network over local drives. The ransomware programmes leave some types of notes in the files and folders throughout the scanning process. In addition, it looks for documents and shared files in both mapped and unmapped network accessible systems throughout networked regions.

Encryption process

In ransomware, all the files identified during the scan phase are encrypted by encryption techniques. This stage is regarded as one of the hardest elements. In the first phases, ransomware files search for the proxy server, and in some circumstances, the ransomware encrypts extensions and file contents. However, it instantly removes copies of the original files. To obtain additional information from the hackers and return encryption keys to the damaged files, ransomware starts creating new links in C2. The connection may also be used to give instructions to the victim and how to retrieve their encrypted data again. The links are also available for certain additional uses.

Payday 

Following infection of the targeted system and encryption of data, hackers then demand victims pay ransom in a certain timeframe to retrieve their data. In most assaults, victims are normally instructed to pay the ransom by providing links or locking the displays to receive their decryption keys. The digital currency used to pay the ransom is called BITCOINS, which costs around USD 150 for each bitcoin.

Precaution against a ransomware attack 

Employee awareness training

Cyber threat actors utilise emails as bait mostly when trying to attack an organisation, and people are the weakest link. To avoid and solve this problem, companies must inform their workers of the cyber dangers they face.

Backup your data separately

The ideal approach to remain proactive is through the backup of your data in a separate external storage unit but not through a connection to your computer. Saving your data will assist to ensure that cybercriminals do not encrypt and abuse it. Cloud storage with high-level encryption and multi-factor authentication is our recommendation.

Regular vulnerability assessment

Basic hygiene of cyber security may help avoid malicious applications like ransomware such as vulnerability evaluation and penetration testing. The exploitable vulnerabilities may be identified and fixed before any dangerous actor finds them by using continuous vulnerability assessment.

Never click on unverified links 

Avoid clicking on links in spam emails or on a website not known to others. These URLs carry harmful files, which are infected by a click on the user’s machine. In addition, these connections provide rankings for the user to view and cypher or lock private ranking data.

Use of USB or external hard drive

It is intended to buy USBs or an external hard disc to keep fresh or updated files; simply ensure that the devices are disconnected from your computer once the computer is backed up and that they can otherwise be infected.

Related laws in India to govern ransomware attack

India is a blank slate for cybercriminals. There is no national cyber security legislation that outlines the various parties’ obligations and responsibilities. In today’s world, when cybercrime is on the rise, a broad-based convention addressing substantive criminal law, criminal procedural issues, and international criminal law procedures and agreements is critical. The IT Act of 2000 would be crippled if sufficient means and techniques of implementation aren’t available.

Constitutional law 

The ransomware attack breaches personal liberty rights guaranteed by the Indian Constitution. It is a breach of our Fundamental Right to Privacy, which is guaranteed by Article 21 of the Indian Constitution.

IT Act 2000

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, safeguard personal information.  Before these Rules, in India, tort law offered remedies for invasions of privacy, and the Supreme Court of India accorded the right to privacy only minimal constitutional protection (under Article 21). Because ransomware is not covered under the Information Technology Act.

Indian Penal Code

Sections 463, 465, and 468 of the IPC, which deal with forgery and “forgery to defraud,” may also apply in a case of identity theft.

Conclusion

In the Indian context, no direct law exists to deal with the Ryuk attack or similar ransomware attacks. However, as discussed in the article, certain constitutional and penal provisions can form a basis of backdoor entry of laws pertaining to such and similar cybercrime.

References 

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

https://t.me/lawyerscommunity

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here