UPDATED 21:04 EST / AUGUST 21 2018

INFRA

North Korean ransomware campaign demands 15 to 50 bitcoins from targeted companies

A recently discovered form of ransomware is being used in a highly targeted campaign that may have its roots in North Korea, according to security researchers at Check Point Software Technologies Ltd.

Called Ryuk, the ransomware was first detected in the wild in mid-August. In the days following, it infected several organizations in the U.S.

Reflecting typical ransomware, files on infected personal computers are encrypted, with the hackers demanding a payment in cryptocurrency, specifically between 15 and 50 bitcoin ($97,000 to $325,000).

Where Ryuk gets interesting is in the highly targeted nature of the attacks. “Unlike common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” the security researchers explained. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.”

Pointing the finger at North Korea, the researchers said that the Ryuk campaign and some of its inner workings use code employed by the HERMES ransomware. That’s malware commonly attributed to APT Lazarus Group, the state-sponsored North Korean hacking group that was last in the headlines for attempting to hack bitcoin accounts in February.

“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code,” they added.

Bob Adams, a cybersecurity expert at Mimecast Services Ltd., told SiliconANGLE that “attackers have learned to leverage various psychological tactics in their phishing campaigns.”

Check Point didn’t specify an attack vector, but Adams believes the companies were targeted in an “invoice attack” where the malicious actors send a fake invoice to a company in an effort to gain access to the network. With Ryuk, those invoices are highly targeted to create the best opportunity to be opened.

“By preying on users, they rely on human error to expedite their attacks,” Adams said. “Organizations that implement a layered approach that focuses on both protecting and educating users will be far better protected than those that rely on their users to determine what’s good or bad. The cost of updating your security controls is far less than the cost of a breach.”

Photo: Bjørn Christian Tørrissen/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU