Selective ransomware Ryuk nets $4m from big businesses

Thought to be operating out of Russia, attackers demanded a 500 bitcoin ransom

hacking and ransomware

A recently discovered form of ransomware that has been targeting businesses has reportedly made almost $4 million since its release in August 2018.

The ransomware, known as Ryuk, is operating unusually for an attack of its kind. It's common to see ransomware attack any system that will allow it to, but Ryuk is selectively infecting businesses with the deepest of pockets.

The ransomware payload would make its way onto a system after it was initially infected with another type of malware called TrickBot. After TrickBot infected a device, it would then see if it had infected a computer belonging to a small or large-sized business and would only install the ransomware on the computer belonging to a company with more to lose.

The ransomware would typically infect systems up to months before the ransomware was installed which allowed the attackers to perform network reconnaissance.

The reconnaissance stage is crucial and allows attackers to spend time in a system, identifying vulnerabilities and then plan a coordinated attack to unleash maximum damage.

Ryuk "shows a slightly more subtle and sophisticated approach to using ransomware as a technique for revenue generation for state actors and professional crime outfits," said Paul McKay, senior analyst at Forrester. "Previous ransomwares have tended to deploy payload very quickly and obviously, while this shows a level of sophistication not very often seen. It is interesting to note the selectiveness of targets, showing that reconnaissance to identify the assets that will cause the most damage to a business and thus increase the likelihood of the victim having to pay up."

It's not the first ransomware to employ these tactics though. Other attacks such as SamSam used similar methods to achieve their goal, dating back to 2015.

"Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage, FireEye said in a blog post.

"SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology... FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations."

Crowdstrike, a cybersecurity company, branded this attack as "big game hunting" as it was able to coerce just over $3.7 million out of businesses in 52 transactions since August, with the payments being made in Bitcoin.

Ryuk is the same attack responsible for halting the printing of Tribune Publishing's newspapers, including the LA Times and the Wall Street Journal earlier this month.

For an attack, this damaging, questions are going to be asked about who is behind it, and there are some different theories about who that may be.

Because Ryuk's code bears some resemblance to that of Hermes, a North Korean-linked ransomware campaign, McAfee said that many have pointed fingers at North Korea for Ryuk too, although it's unlikely that the state is actually behind it.

The more prevalent theory, the one that McAfee puts forth, is that the attackers are probably residing in Russia.

"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," said McAfee in a blog post authored by the head of cyber investigations Jon Fokker and senior analyst Ryan Sherstobitoff.

"From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat."

CrowdStrike corroborates this idea, noting its threat detection software "has medium-high confidence that the threat actors are operating out of Russia". 

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Hackers used SonicWall zero-day flaw to plant ransomware
ransomware

Hackers used SonicWall zero-day flaw to plant ransomware

30 Apr 2021
How can you protect your business from crypto-ransomware?
Security

How can you protect your business from crypto-ransomware?

20 Apr 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

9 Apr 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021