Skip to main content

Ryuk Ransomware Goes After the Big Fish

by Dennis Fisher on Thursday August 23, 2018

Contact Us
Free Demo

Over the last two weeks attackers have been using the Ryuk ransomware to carry out tailored attacks against large organizations.

Security researchers have been tracking an interesting ransomware campaign in recent weeks that has ties to previous operations run by a North Korean attack group and already has generated some ransom payments of more than $200,000.

The ransomware being used is known as Ryuk and the attackers behind the campaign are using it in a series of targeted attacks against a variety of different large organizations. The Ryuk source code has a number of striking similarities to the code of the Hermes ransomware, which has been used in some high-profile attacks, including one on the Far Eastern International Bank last year. Researchers at Check Point who analyzed the Ryuk code and its use in recent attacks said that whoever developed Ryuk either also developed Hermes or had access to its source code.

The Hermes ransomware has been linked to an attack team based in North Korea known as the Lazarus group. That team has conducted a number of large targeted attacks and is thought to be responsible for the infiltration of Sony Pictures four years ago. Ryuk is being used in a similar fashion and the attackers behind it have made some serious money already.

“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,” Check Point’s researchers wrote in a detailed analysis of the Ryuk ransomware campaign.

Blog Post

Ransomware Protection & Removal: How Businesses Can Best Defend Against Ransomware Attacks

“This, of course, means extensive network mapping, hacking and credential collection is required and takes place prior to each operation. Its alleged attribution to Lazarus Group, discussed later in this post, may imply that the attackers are already well experienced in the targeted attacks domain, as seen by attacks such as the breach of Sony Pictures in 2014.”

Like many other ransomware campaigns, the Ryuk campaign includes demands for payment in Bitcoin. But unlike many attackers, the Ryuk operators are swinging for the fences with their demands. Check Point’s researchers discovered one victim has paid a ransom of $320,000 and another paid $224,000. The attackers are collecting payments in a number of different wallets, using unique wallets for nearly every victim. Once a victim makes a payment, the Bitcoin are then divided and distributed among a number of other wallets.

“After a ransom payment was made to a preassigned wallet, some 25% of the funds (a round amount such as 10 or 12.5 BTC) are transferred to a new wallet. These funds can still be found at that same new wallet that was created for them. We can assume that these wallets will later be cashed out,” the Check Point analysts said.

“The remaining amount, indeed the majority of the original amount, is also transferred to a new wallet; however, the remaining funds are split and relocated again – some 25% of it is transferred to a new wallet in which it would remain, with the other funds split again, and so on.”

The team behind the campaign appears to be targeting large organizations specifically, looking for victims that have the resources to pay the hefty ransoms. It’s a strategy that other ransomware groups have used in the past, a more efficient use of their resources than going after thousands of individual consumers with much smaller ransom demands.

“Both the nature of the attack and the malware’s own inner workings tie Ryuk to the HERMES ransomware and arouse curiosity regarding the identity of the group behind it and its connection to the Lazarus Group. After succeeding with infecting and getting paid some $640,000, we believe that this is not the end of this campaign and that additional organizations are likely to fall victim to Ryuk,” Check Point’s researchers said.

Tags:  Ransomware

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.