Ryuk ransomware squeezes $640,000 from corporate victims in weeks

Attackers using ransomware known as Ryuk have hit several large enterprise organizations in the past weeks and extorted over $640,000 in Bitcoin, according to researchers at Checkpoint. 

The company issued an alert today for organizations to beware of Ryuk, which has encrypted data on hundreds of PCs and data centres in affected companies, and extracted payments of between 15 BTC and 50 BTC, the latter amount converting to around US$320,000.

The malware shares enough similarities with another ransomware, Hermes, that Checkpoint concluded it may have been created by Lazarus Group, the North Korean hacking group that used Hermes in an attack on Far Eastern International Bank (FEIB) in Taiwan last year, reportedly netting the attackers $60 million.

Other major attacks that have been widely attributed to the Lazarus Group include Sony Pictures in 2014 and last year's huge WannaCry ransomware outbreak. 

Researchers at McAfee labelled Hermes “pseudo ransomware”, since it appeared to be used to cover the attackers' real goal of theft.

Earlier this year, however, Hermes was delivered via less discriminating malicious ads and an exploit kit that hit South Korean PCs, and was, as Malwarebytes described it, “fully functional ransomware” rather than a distraction.

Unlike ransomware used in mass campaigns over the past three years, Ryuk is used exclusively for highly targeted attacks. It follows a spate of targeted attacks on local governments in the US using the BitPaymer ransomware combined with the credential-stealing trojan Emotet.

Ryuk’s encryption scheme was also purpose-built for small-scale attacks that only target high-value assets within a victim organization, according to Checkpoint, but unlike Hermes its sole purpose appears to be data extortion.

The company was baffled, however, by Ryuk delivering two different ransom notes to victims. One is written in well-phrased and “pleasant” English and was sent to victims that paid up to 50 BTC, while the other is more concise and has only been observed in cases where payments were between 15 and 35 BTC.

“Gentlemen!,” reads the pleasant note. “Your business is at serious risk. There is a significant hole in the security system of your company. We’ve easily penetrated your network. You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks. Now your files are cryptic with that strongest military algorithms RSA4096 and AES-256. No one can help you to restore files without special decoder.” 

“Your network has been penetrated,” a portion of the concise note reads. “All files on each in the network have been encrypted with a strong algorithm. Backups are were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.” 

Ryuk’s operators were also very efficient at moving and splitting up the loot from companies that paid up. Each attack used a unique wallet to receive the funds, which were quickly dispersed across multiple wallets, making the money difficult to trace.

“After a ransom payment was made to a preassigned wallet, some 25% of the funds (a round amount such as 10 or 12.5 BTC) are transferred to a new wallet,” Checkpoint researchers observed. 

“These funds can still be found at that same new wallet that was created for them. We can assume that these wallets will later be cashed out. The remaining amount, indeed the majority of the original amount, is also transferred to a new wallet; however, the remaining funds are split and relocated again – some 25% of it is transferred to a new wallet in which it would remain, with the other funds split again, and so on
