Ryuk ransomware demands massive Bitcoin ransom
A new piece of ransomware has reared its head, targeting several organisations worldwide with a highly sophisticated operation that researchers suspect is linked to the notorious North Korean APT group, Lazarus.
According to Check Point's research, for the last couple of weeks, Ryuk ransomware has encrypted hundreds of PCs, storage and data centres in the companies it has infected, and some of the victim organisations have already paid exceptionally large ransoms in order to retrieve their files.
The ransom varies from 15 to 50 BTC and has already netted the attackers more than $640 000.
Check Point says its research has led the company to connect the nature of Ryuk's campaign and some of its inner workings to the infamous HERMES ransomware, which has also been used in widespread targeted attacks and has been attributed to Lazarus.
Unlike most ransomware that is systematically distributed via massive spam campaigns and exploit kits, Ryuk is used solely for tailored attacks. "In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network, with its infection and distribution carried out manually by the attackers," says Check Point.
This means that extensive network mapping, hacking and credential collection has to take place before each operation.
The authors behind Ryuk are also tailoring their communications approach to their victims and were found to be using two different ransom notes. One is longer, 'well-worded and nicely phrased' and used for organisations that the attackers demanded the higher ransom from. The second note is 'shorter and blunter' and used for other organisations, where the ransom demand was less. "This could imply there may be two levels of offensive," the researchers said.
Following a technical comparison between Ryuk and HERMES, the researchers said: "This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code."
When inspecting Ryuk's code, the researchers found that its encryption logic resembles that found in the HERMES ransomware, and when comparing the function that encrypts a single file, they saw notable similarities in its structure. "In fact, it seems that the author of Ryuk did not even bother to change the marker in the encrypted files as the code used to generate, place and verify this marker in order to determine if a file was already encrypted are identical in both malwares."
Moreover, both pieces of malware whitelist similar folders, including 'Ahnlab', 'Microsoft', '$Recycle.Bin' and similar, to avoid file encryption of files stored in them.
In addition, both HERMES and Ryuk write a batch script named 'window.bat' in the same path, with a similar script used to delete shadow volumes and backup files, and, in both cases, there are files dropped to disk ('PUBLIC' and 'UNIQUE_ID_DO_NOT_REMOVE'), which resemble each other in name and purpose.
Both malwares were not widely distributed, and only used in targeted attacks, which makes it increasingly difficult to track the malware author's activities and revenues, said Checkpoint.
From the initial exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is organised and effective, and has been targeting enterprises that can afford to cough up a massive ransom to have their systems and files restored.
Based on the nature of the attack as well as its inner workings, its ties to HERMES and its connection to the Lazarus Group, Check Point researchers believe it isn't over yet.
"After succeeding with infecting and getting paid some $640 000, we believe that this is not the end of this campaign and that additional organisations are likely to fall victim to Ryuk," they concluded.