Ryuk ransomware now believed to be the work of Russian crime syndicate
Ryuk, a form of ransomware that first appeared last year and was attributed to North Korea, may actually be the work of a Russian criminal syndicate.
That’s according to research published late last week by Crowdstrike, FireEye and McAfee Labs, which all came to the same conclusion in separate reports. An attack that delayed the printing of several major U.S. newspapers Dec. 29 shared similarities with tools known to be used by Russian cybercrime syndicates, they noted.
Calling it a rush to attribution, the McAfee researchers said the finger had been pointed incorrectly because Ryuk appears to share code with the older Hermes ransomware, a tool known to be used by North Korea. Digging further, though, they noted that Hermes itself has its origins in Russia.
A number of the reports also noted that Ryuk infections are often delivered as the final stage of a multi-stage infection process, which FireEye describes as TEMP.MixMaster. The process starts with a targeted computer being infected with the Emotet banking malware, followed by TrickBot and then Ryuk.
Emotet was last in the news in October, when a North Carolina water utility said it was first infected by Emotet before Ryuk held its network for ransom. Emotet is known to have its origins in Russia.
The various researchers also found that those behind the attacks, having installed Emotet and TrickBot, often wait before installing Ryuk, sometimes for as long as several months. After reconnaissance via remote desktop protocol connections, the hackers wait until a victim looks to be a lucrative ransomware target.
Further evidence that the origin may be Russian comes from the Hermes malware. According to the various reports, Hermes itself was offered for sale on various dark web forums, from which North Korean hackers are likely to have acquired it.
The Crowdstrike researchers believe a group called GRIM SPIDER is likely to have purchased Hermes and used the code base to design Ryuk.
So far it has been a profitable endeavor. The group is believed to have netted over 705 bitcoin ($2.48 million) since first deploying Ryuk in August.
Image: Crowdstrike