A recently discovered form of ransomware is being used in a highly targeted campaign that may have its roots in North Korea, according to security researchers at Check Point Software Technologies Ltd.
Called Ryuk, the ransomware was first detected in the wild in mid-August. In the days following, it infected several organizations in the U.S.
As with typical ransomware, files on infected personal computers are encrypted, with the hackers demanding payment in cryptocurrency, specifically between 15 and 50 bitcoin ($97,000 to $325,000).
Where Ryuk gets interesting is in the highly targeted nature of the attacks. “Unlike common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” the security researchers explained. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.”
Pointing the finger at North Korea, the researchers said that the Ryuk campaign and some of its inner workings use code employed by the HERMES ransomware. That’s malware commonly attributed to APT Lazarus Group, the state-sponsored North Korean hacking group that was last in the headlines for attempting to hack bitcoin accounts in February.
“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code,” they added.
Bob Adams, a cybersecurity expert at Mimecast Services Ltd., told SiliconANGLE that “attackers have learned to leverage various psychological tactics in their phishing campaigns.”
Check Point didn’t specify an attack vector, but Adams believes the companies were targeted in an “invoice attack” where the malicious actors send a fake invoice to a company in an effort to gain access to the network. With Ryuk, those invoices are highly targeted to create the best opportunity to be opened.
“By preying on users, they rely on human error to expedite their attacks,” Adams said. “Organizations that implement a layered approach that focuses on both protecting and educating users will be far better protected than those that rely on their users to determine what’s good or bad. The cost of updating your security controls is far less than the cost of a breach.”