Selective ransomware Ryuk nets $4m from big businesses

Thought to be operating out of Russia, attackers demanded a 500 bitcoin ransom

14 Jan 2019

A recently discovered form of ransomware that has been targeting businesses has reportedly made almost $4 million since its release in August 2018.

The ransomware, known as Ryuk, is operating unusually for an attack of its kind. It's common to see ransomware attack any system that will allow it to, but Ryuk is selectively infecting businesses with the deepest of pockets.

The ransomware payload would make its way onto a system after it was initially infected with another type of malware called TrickBot. After TrickBot infected a device, it would then see if it had infected a computer belonging to a small or large-sized business and would only install the ransomware on the computer belonging to a company with more to lose.

The ransomware would typically infect systems up to months before the ransomware was installed which allowed the attackers to perform network reconnaissance.

The reconnaissance stage is crucial and allows attackers to spend time in a system, identifying vulnerabilities and then plan a coordinated attack to unleash maximum damage.

Ryuk "shows a slightly more subtle and sophisticated approach to using ransomware as a technique for revenue generation for state actors and professional crime outfits," said Paul McKay, senior analyst at Forrester. "Previous ransomwares have tended to deploy payload very quickly and obviously, while this shows a level of sophistication not very often seen. It is interesting to note the selectiveness of targets, showing that reconnaissance to identify the assets that will cause the most damage to a business and thus increase the likelihood of the victim having to pay up."

It's not the first ransomware to employ these tactics though. Other attacks such as SamSam used similar methods to achieve their goal, dating back to 2015.

"Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage, FireEye said in a blog post.

"SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology... FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations."

Crowdstrike, a cybersecurity company, branded this attack as "big game hunting" as it was able to coerce just over $3.7 million out of businesses in 52 transactions since August, with the payments being made in Bitcoin.

Ryuk is the same attack responsible for halting the printing of Tribune Publishing's newspapers, including the LA Times and the Wall Street Journal earlier this month.

For an attack, this damaging, questions are going to be asked about who is behind it, and there are some different theories about who that may be.

Because Ryuk's code bears some resemblance to that of Hermes, a North Korean-linked ransomware campaign, McAfee said that many have pointed fingers at North Korea for Ryuk too, although it's unlikely that the state is actually behind it.

The more prevalent theory, the one that McAfee puts forth, is that the attackers are probably residing in Russia.

"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," said McAfee in a blog post authored by the head of cyber investigations Jon Fokker and senior analyst Ryan Sherstobitoff.

"From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat."

CrowdStrike corroborates this idea, noting its threat detection software "has medium-high confidence that the threat actors are operating out of Russia".