A recently discovered form of ransomware that has been targeting businesses has reportedly made almost $4 million since its release in August 2018.
The ransomware, known as Ryuk, is operating unusually for an attack of its kind. It's common to see ransomware attack any system that will allow it to, but Ryuk is selectively infecting businesses with the deepest of pockets.
The ransomware payload would make its way onto a system after it was initially infected with another type of malware called TrickBot. After TrickBot infected a device, it would then see if it had infected a computer belonging to a small or large-sized business and would only install the ransomware on the computer belonging to a company with more to lose.
The ransomware would typically infect systems up to months before the ransomware was installed which allowed the attackers to perform network reconnaissance.
The reconnaissance stage is crucial and allows attackers to spend time in a system, identifying vulnerabilities and then plan a coordinated attack to unleash maximum damage.
Ryuk "shows a slightly more subtle and sophisticated approach to using ransomware as a technique for revenue generation for state actors and professional crime outfits," said Paul McKay, senior analyst at Forrester. "Previous ransomwares have tended to deploy payload very quickly and obviously, while this shows a level of sophistication not very often seen. It is interesting to note the selectiveness of targets, showing that reconnaissance to identify the assets that will cause the most damage to a business and thus increase the likelihood of the victim having to pay up."
It's not the first ransomware to employ these tactics though. Other attacks such as SamSam used similar methods to achieve their goal, dating back to 2015.
"Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage, FireEye said in a blog post.
"SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology... FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations."
Crowdstrike, a cybersecurity company, branded this attack as "big game hunting" as it was able to coerce just over $3.7 million out of businesses in 52 transactions since August, with the payments being made in Bitcoin.
Ryuk is the same attack responsible for halting the printing of Tribune Publishing's newspapers, including the LA Times and the Wall Street Journal earlier this month.
For an attack, this damaging, questions are going to be asked about who is behind it, and there are some different theories about who that may be.
Because Ryuk's code bears some resemblance to that of Hermes, a North Korean-linked ransomware campaign, McAfee said that many have pointed fingers at North Korea for Ryuk too, although it's unlikely that the state is actually behind it.
The more prevalent theory, the one that McAfee puts forth, is that the attackers are probably residing in Russia.
"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," said McAfee in a blog post authored by the head of cyber investigations Jon Fokker and senior analyst Ryan Sherstobitoff.
"From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat."
CrowdStrike corroborates this idea, noting its threat detection software "has medium-high confidence that the threat actors are operating out of Russia".
-
What now for enterprise virtualization?With a trusted partner like Pure Storage, businesses can make the most of their virtualization journey
-
Nutanix wants to help customers shore up cloud sovereigntyNews New automation tools and infrastructure management capabilities look to tackle single-vendor dependency and shore up sovereignty requirements
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
