A new, highly targeted ransomware attack has been affecting large businesses. The Ryuk operation demands that victims make large Bitcoin payments for the return of their files.
Is Ryuk Ransomware Connected to North Korea’s Lazarus Group?
The Ryuk ransomware attack has been exposed by security company Check Point. In a lengthy report, the firm states that the group behind the operation has already netted over $640,000 worth of Bitcoin in the two weeks it has been live.
Check Point note that the attack is much more targeted than previous examples of ransomware.
“From the exploitation phase through to the encryption process and up to the ransom demand itself, the carefully operated Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.”
Each campaign appears to be specifically tailored to individual businesses. This has involved extensive network mapping and the mass stealing of credentials to successfully infect systems with the Ryuk software.
Once infected, one of two ransom notes are sent to the companies. The first is a detailed, almost friendly letter, advising firms of their security weaknesses and detailing that the stated Bitcoin demand must be met within two weeks or the infected files will be automatically deleted.
MexicanRoutes.com - travel & vacation guide. All mexican routes & destinations. All about Mexico: resorts, destinations, history, tourist information & travel tips
It goes on to say that the ransom demands will increase for every day they are ignored. Upon delivering of the payment, those behind the attack state that they will decrypt the files and advise the company on how to patch their security holes. It reads:
“Gentlemen! Your business is at serious risk. There is a significant hole in the security of your company… You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks… The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5BTC… Nothing personal just business.”
The second ransom note is much more abrupt, but carries the same general message. They are both signed “Ryuk” with the message: “No system is safe.”
Despite the Ryuk attack only just emerging, it largely resembles another attack which appeared late last year. Much of the software’s coding is similar to that of the Hermes ransomware program. Hermes has previously been connected with the North Korean hacker group known as Lazarus.
The similarities between the two attacks have lead Check Point to conclude that either the Ryuk attack involves the same group who launched Hermes, or that it is the work of another group who have somehow gained access to the prior operation’s source code.
Either way, Check Point believe that more businesses will fall victim to the Ryuk attack, owing to the success it has had over a short period of time:
“After succeeding with infecting and getting paid some $640,000, we believe that this is not the end of this campaign and that additional organizations are likely to fall victim to Ryuk.”
Featured image from Shutterstock.