A recently discovered form of ransomware is being used in a highly targeted campaign that may have its roots in North Korea, according to security researchers at Check Point Software Technologies Ltd.
Called Ryuk, the ransomware was first detected in the wild in mid-August. In the days following, it infected several organizations in the U.S.
As with typical ransomware, files on infected computers are encrypted and the attackers demand payment in cryptocurrency, in this case between 15 and 50 bitcoin ($97,000 to $325,000).
Where Ryuk gets interesting is in the highly targeted nature of the attacks. “Unlike common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” the security researchers explained. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.”
Pointing the finger at North Korea, the researchers said that the Ryuk campaign and some of its inner workings use code employed by the HERMES ransomware. That’s malware commonly attributed to APT Lazarus Group, the state-sponsored North Korean hacking group that was last in the headlines for attempting to hack bitcoin accounts in February.
“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code,” they added.
Bob Adams, a cybersecurity expert at Mimecast Services Ltd., told SiliconANGLE that “attackers have learned to leverage various psychological tactics in their phishing campaigns.”
Check Point didn’t specify an attack vector, but Adams believes the companies were targeted in an “invoice attack,” in which the malicious actors send a fake invoice to a company in an effort to gain access to its network. With Ryuk, those invoices are highly targeted to create the best opportunity of being opened.
“By preying on users, they rely on human error to expedite their attacks,” Adams said. “Organizations that implement a layered approach that focuses on both protecting and educating users will be far better protected than those that rely on their users to determine what’s good or bad. The cost of updating your security controls is far less than the cost of a breach.”