How Crime Pays, Ransomware Edition
The Ryuk ransomware operators have raked in more than $150 million from their attacks, researchers at Advanced Intelligence and HYAS have found. The researchers describe how these operators are able to demand such large ransoms and then successfully launder the proceeds into fiat currency.
“Our research involved tracing payments involving 61 deposit addresses attributed to Ryuk ransomware,” they write. “The Ryuk criminals send a majority of their Bitcoin to exchanges through an intermediary to cash out. The two primary (known) exchanges are Huobi and Binance, both of which are located in Asia. Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply.”
The researchers also note that, unlike some other, more lenient, ransomware operators, the Ryuk gang is merciless when its victims are unable to pay. This group is also known for intentionally targeting hospitals.
“With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose, or ability of the victims to pay,” the researchers say. “Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”
The researchers conclude that technical defenses are often insufficient to thwart a ransomware attack once the attackers have gained a foothold within a network.
“Something that becomes glaringly apparent in analyzing ransomware incidents is that the current industry and government-accepted approaches and frameworks for dealing with malware problems aren’t effective,” the researchers write. “Enterprises that suffer from ransomware aren’t infected because they lack up to date antivirus software or because they chose the blue vendor instead of the red vendor. They’re encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware like Emotet, Zloader, and Qakbot (to name a few).”
The researchers recommend that organizations restrict the execution of Microsoft Office macros, secure all remote access points with two-factor authentication, and lock down Citrix and Remote Desktop Protocol tools. Most ransomware attacks are a result of unsecured remote access tools or an employee being tricked into enabling macros in an Office document. New-school security awareness training can enable your employees to follow security best practices and thwart social engineering attacks.