Ryuk, a form of ransomware that first appeared last year and was attributed to North Korea, may actually be the work of a Russian criminal syndicate.
That’s according to research published late last week by Crowdstrike, FireEye and McAfee Labs, which all came to the same conclusion in separate reports. An attack that delayed the printing of several major U.S. newspapers Dec. 29 shared similarities with tools known to be used by Russian cybercrime syndicates, they noted.
Calling it a rush to attribution, the McAfee researchers said the finger had been pointed incorrectly because there appears to be shared code with the older Hermes ransomware, a tool known to be used by North Korea. Digging further, though, they noted that Hermes itself has its origins in Russia.
A number of the reports also noted that Ryuk infections are often delivered as the final stage of a multi-stage infection process, which FireEye tracks as TEMP.MixMaster. The process starts with a targeted computer being infected by the Emotet banking malware, followed by TrickBot and then Ryuk.
Emotet was last in the news in October, when a North Carolina water utility said it was first infected by Emotet before Ryuk held its network for ransom. Emotet is known to have its origins in Russia.
The various researchers also found that those behind the attacks, having installed Emotet and TrickBot, often wait before installing Ryuk, sometimes for as long as several months. After reconnaissance via remote desktop protocol connections, the hackers wait until a victim looks to be a lucrative ransomware target.
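The staged chain described above (a loader such as Emotet or TrickBot, a period of interactive RDP reconnaissance, and only much later the Ryuk payload) is what a defender can exploit: the loader stage is a warning that arrives months before the ransomware. The following is an added illustration, not code from any of the reports cited, showing how per-host endpoint alerts could be correlated to surface hosts that are partway through that chain and to measure the dwell time on hosts where Ryuk did land. The event kinds, host names and timestamps are constructed sample data, not real indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Order of the chain as described in the reports: loaders first, Ryuk last.
STAGES = ("emotet", "trickbot", "ryuk")
LOADERS = ("emotet", "trickbot")


@dataclass(frozen=True)
class Event:
    """One endpoint alert. `kind` is one of STAGES or "rdp_logon"
    (an interactive RDP session on the host). Constructed schema, hypothetical."""
    host: str
    ts: datetime
    kind: str


def correlate_chain(events):
    """Group alerts per host and report how far along the chain each host is.

    Returns {host: {"reached": [...], "dwell_days": int|None,
                    "rdp_logons": int, "verdict": str}}.
    Hosts with no loader or Ryuk alert are omitted.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    findings = {}
    for host, evs in by_host.items():
        first_seen = {}   # stage -> first timestamp it was observed
        rdp_logons = 0
        for ev in evs:
            if ev.kind in STAGES:
                first_seen.setdefault(ev.kind, ev.ts)
            elif ev.kind == "rdp_logon":
                rdp_logons += 1
        if not first_seen:
            continue

        reached = [s for s in STAGES if s in first_seen]
        loader_times = [first_seen[s] for s in LOADERS if s in first_seen]

        # Dwell time: days from the earliest loader alert to the Ryuk alert.
        dwell_days = None
        if "ryuk" in first_seen and loader_times:
            dwell_days = (first_seen["ryuk"] - min(loader_times)).days

        if "ryuk" in first_seen:
            verdict = "ransomware_deployed"
        else:
            # Loader present, no Ryuk yet: this is the window in which to act.
            verdict = "loader_active"

        findings[host] = {
            "reached": reached,
            "dwell_days": dwell_days,
            "rdp_logons": rdp_logons,
            "verdict": verdict,
        }
    return findings


# Constructed sample alerts (hypothetical hosts and dates, not real telemetry).
_BASE = datetime(2018, 10, 1)
SAMPLE_EVENTS = [
    Event("ws-01", _BASE, "emotet"),
    Event("ws-01", _BASE + timedelta(days=1), "trickbot"),
    Event("ws-01", _BASE + timedelta(days=30), "rdp_logon"),
    Event("ws-01", _BASE + timedelta(days=45), "rdp_logon"),
    Event("ws-01", _BASE + timedelta(days=90), "ryuk"),
    Event("ws-02", _BASE + timedelta(days=5), "emotet"),
    Event("ws-02", _BASE + timedelta(days=6), "rdp_logon"),
    Event("ws-03", _BASE + timedelta(days=7), "rdp_logon"),  # no chain alert
]


def analyze_sample():
    return correlate_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, f in analyze_sample().items():
        print(host, f)
```

On the constructed data, ws-01 shows the full chain with a 90-day gap between the first loader alert and Ryuk, while ws-02 is flagged as `loader_active` with only Emotet and one RDP logon observed, which is the state in which a response would still prevent the ransomware stage. ws-03, with an RDP logon but no chain alert, produces no finding.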
Further evidence that the origin may be Russian comes from the Hermes malware. According to the various reports, Hermes itself was offered for sale on various dark web forums, from which North Korean hackers are likely to have acquired it.
The Crowdstrike researchers believe a group called GRIM SPIDER is likely to have purchased Hermes and used the code base to design Ryuk.
So far it has been a profitable endeavor. The group is believed to have netted over 705 bitcoin ($2.48 million) since first deploying Ryuk in August.