IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Selective ransomware Ryuk nets $4m from big businesses

Thought to be operating out of Russia, attackers demanded a 500 bitcoin ransom

Red padlock representing a security hack

A recently discovered form of ransomware that has been targeting businesses has reportedly made almost $4 million since its release in August 2018.

The ransomware, known as Ryuk, is operating unusually for an attack of its kind. It's common to see ransomware attack any system that will allow it to, but Ryuk is selectively infecting businesses with the deepest of pockets.

The ransomware payload would make its way onto a system after it was initially infected with another type of malware called TrickBot. After TrickBot infected a device, it would then see if it had infected a computer belonging to a small or large-sized business and would only install the ransomware on the computer belonging to a company with more to lose.

The ransomware would typically infect systems up to months before the ransomware was installed which allowed the attackers to perform network reconnaissance.

The reconnaissance stage is crucial and allows attackers to spend time in a system, identifying vulnerabilities and then plan a coordinated attack to unleash maximum damage.

Ryuk "shows a slightly more subtle and sophisticated approach to using ransomware as a technique for revenue generation for state actors and professional crime outfits," said Paul McKay, senior analyst at Forrester. "Previous ransomwares have tended to deploy payload very quickly and obviously, while this shows a level of sophistication not very often seen. It is interesting to note the selectiveness of targets, showing that reconnaissance to identify the assets that will cause the most damage to a business and thus increase the likelihood of the victim having to pay up."

It's not the first ransomware to employ these tactics though. Other attacks such as SamSam used similar methods to achieve their goal, dating back to 2015.

"Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage, FireEye said in a blog post.

"SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology... FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations."

Crowdstrike, a cybersecurity company, branded this attack as "big game hunting" as it was able to coerce just over $3.7 million out of businesses in 52 transactions since August, with the payments being made in Bitcoin.

Ryuk is the same attack responsible for halting the printing of Tribune Publishing's newspapers, including the LA Times and the Wall Street Journal earlier this month.

For an attack, this damaging, questions are going to be asked about who is behind it, and there are some different theories about who that may be.

Because Ryuk's code bears some resemblance to that of Hermes, a North Korean-linked ransomware campaign, McAfee said that many have pointed fingers at North Korea for Ryuk too, although it's unlikely that the state is actually behind it.

The more prevalent theory, the one that McAfee puts forth, is that the attackers are probably residing in Russia.

"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," said McAfee in a blog post authored by the head of cyber investigations Jon Fokker and senior analyst Ryan Sherstobitoff.

"From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat."

CrowdStrike corroborates this idea, noting its threat detection software "has medium-high confidence that the threat actors are operating out of Russia". 

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022