Selective ransomware Ryuk nets $4m from big businesses

Thought to be operating out of Russia, attackers demanded a 500 bitcoin ransom

hacking and ransomware

A recently discovered form of ransomware that has been targeting businesses has reportedly made almost $4 million since its release in August 2018.

The ransomware, known as Ryuk, is operating unusually for an attack of its kind. It's common to see ransomware attack any system that will allow it to, but Ryuk is selectively infecting businesses with the deepest of pockets.

Advertisement - Article continues below

The ransomware payload would make its way onto a system after it was initially infected with another type of malware called TrickBot. After TrickBot infected a device, it would then see if it had infected a computer belonging to a small or large-sized business and would only install the ransomware on the computer belonging to a company with more to lose.

The ransomware would typically infect systems up to months before the ransomware was installed which allowed the attackers to perform network reconnaissance.

The reconnaissance stage is crucial and allows attackers to spend time in a system, identifying vulnerabilities and then plan a coordinated attack to unleash maximum damage.

Ryuk "shows a slightly more subtle and sophisticated approach to using ransomware as a technique for revenue generation for state actors and professional crime outfits," said Paul McKay, senior analyst at Forrester. "Previous ransomwares have tended to deploy payload very quickly and obviously, while this shows a level of sophistication not very often seen. It is interesting to note the selectiveness of targets, showing that reconnaissance to identify the assets that will cause the most damage to a business and thus increase the likelihood of the victim having to pay up."

Advertisement - Article continues below
Advertisement - Article continues below

It's not the first ransomware to employ these tactics though. Other attacks such as SamSam used similar methods to achieve their goal, dating back to 2015.

"Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage, FireEye said in a blog post.

"SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology... FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations."

Crowdstrike, a cybersecurity company, branded this attack as "big game hunting" as it was able to coerce just over $3.7 million out of businesses in 52 transactions since August, with the payments being made in Bitcoin.

Advertisement - Article continues below

Ryuk is the same attack responsible for halting the printing of Tribune Publishing's newspapers, including the LA Times and the Wall Street Journal earlier this month.

For an attack, this damaging, questions are going to be asked about who is behind it, and there are some different theories about who that may be.

Because Ryuk's code bears some resemblance to that of Hermes, a North Korean-linked ransomware campaign, McAfee said that many have pointed fingers at North Korea for Ryuk too, although it's unlikely that the state is actually behind it.

The more prevalent theory, the one that McAfee puts forth, is that the attackers are probably residing in Russia.

"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," said McAfee in a blog post authored by the head of cyber investigations Jon Fokker and senior analyst Ryan Sherstobitoff.

Advertisement - Article continues below

"From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat."

CrowdStrike corroborates this idea, noting its threat detection software "has medium-high confidence that the threat actors are operating out of Russia". 

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now



How can you protect your business from crypto-ransomware?

4 Nov 2019
mobile security

Parachute's Superlock feature keeps your phone recording in an emergency

2 Jun 2020

K2View innovates in data management with new encryption patent

28 May 2020
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020

Most Popular


Ransomware collective claims to have hacked NASA IT contractor

3 Jun 2020

VMware Cloud Director exploit lets hackers seize corporate servers

2 Jun 2020

How data science is transforming business

29 May 2020