Even though ransomware is no longer considered the No. 1 threat globally, it isn’t going away anytime soon either. Research by the independent MalwareHunterTeam and by the cybersecurity company Check Point shows that a new ransomware family is making bank for its creators. The ransomware, dubbed Ryuk, was first flagged as a threat by MalwareHunterTeam in a Twitter thread that identified it as a hybrid, borrowing components from Bitpaymer (specifically in its ransom note) and from Hermes. The Hermes connection matters because that malware has been tied to the North Korean hacking group Lazarus.
Hermes’ influence on Ryuk is plain once the code is analyzed, which is what Check Point did in its research blog post. As Check Point notes, the encryption routine Ryuk uses is more or less identical to that of Hermes. The researchers add that the creators “did not even bother to change the marker in the encrypted files as the code used to generate, place and verify this marker in order to determine if a file was already encrypted are identical in both malwares.”
Catalin Cimpanu of Bleeping Computer estimates the damage Ryuk has caused so far at $640,000. Much of that comes down to effective social engineering, taken more or less from Hermes’ playbook, and to the ransomware’s design. The campaign is aimed at specific organizations rather than sprayed indiscriminately, and while the ransomware is built in a rather rudimentary manner, it uses the standard AES-RSA hybrid: each file is encrypted with a symmetric AES key, and that key is in turn wrapped with the attackers’ RSA public key, so only the holder of the matching private key can recover the files. Without that private key the scheme is considered undecryptable, which leaves anyone infected with Ryuk more or less forced to pay the ransom or to wipe the machine and restore from a backup taken before the infection.
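To make the two technical points above concrete (the shared marker that tells the malware a file is already encrypted, and the AES-RSA hybrid that makes recovery without the private key impractical), here is an illustrative model added for this article. It is not Ryuk’s, Hermes’ or Check Point’s code. Textbook RSA with 256-bit toy primes stands in for a real 2048-bit key, a SHA-256 counter keystream stands in for AES, and the marker string and sample document are constructed; only the structure of the scheme is what the paragraph describes.

```python
"""Model of the hybrid file-encryption scheme described above.

Illustrative only, not Ryuk's code. Reproduces the structure:
  * a fresh random symmetric key for every file
  * that key wrapped with the attackers' RSA *public* key, so the private
    key never needs to be present on the victim's machine
  * a fixed marker in the output so a second pass recognises data it has
    already encrypted and skips it
Assumptions: toy 256-bit RSA primes instead of 2048-bit, and a SHA-256
counter keystream in place of AES. Marker and sample document are constructed.
"""
import hashlib
import secrets

MARKER = b"EXAMPLE-MARKER"        # constructed stand-in for the real marker
KEY_LEN = 32                      # bytes of symmetric key per file
RSA_BITS = 256                    # bits per prime; toy size, n is ~512 bits
WRAPPED_LEN = 2 * RSA_BITS // 8   # bytes needed to store any value < n
NONCE_LEN = 16


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen():
    """Textbook RSA keypair with toy parameters. Returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(RSA_BITS), _random_prime(RSA_BITS)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_wrap(pub, key):
    n, e = pub
    return pow(int.from_bytes(key, "big"), e, n)


def rsa_unwrap(priv, wrapped):
    n, d = priv
    return pow(wrapped, d, n).to_bytes(KEY_LEN, "big")


def _keystream_xor(key, nonce, data):
    """Counter-mode XOR with a SHA-256 keystream: stands in for AES, is not AES."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def is_already_encrypted(blob):
    """The marker check that lets a second pass skip files it already hit."""
    return blob.startswith(MARKER)


def encrypt_blob(pub, plaintext):
    """Needs only the public key. Layout: MARKER | wrapped key | nonce | body."""
    if is_already_encrypted(plaintext):
        return plaintext  # already done: never encrypt twice
    file_key = secrets.token_bytes(KEY_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    wrapped = rsa_wrap(pub, file_key).to_bytes(WRAPPED_LEN, "big")
    return MARKER + wrapped + nonce + _keystream_xor(file_key, nonce, plaintext)


def decrypt_blob(priv, blob):
    """Needs the private key; returns None if the key does not unwrap."""
    if not is_already_encrypted(blob):
        return None
    off = len(MARKER)
    wrapped = int.from_bytes(blob[off:off + WRAPPED_LEN], "big")
    off += WRAPPED_LEN
    nonce, body = blob[off:off + NONCE_LEN], blob[off + NONCE_LEN:]
    try:
        file_key = rsa_unwrap(priv, wrapped)
    except OverflowError:  # unwrapped value is not a 32-byte key: wrong key
        return None
    return _keystream_xor(file_key, nonce, body)


def demo():
    pub, priv = rsa_keygen()
    doc = b"quarterly figures (constructed sample document)"
    once = encrypt_blob(pub, doc)
    return {
        "skipped_on_second_pass": encrypt_blob(pub, once) == once,
        "plaintext_in_output": doc in once,
        "recovered_with_private_key": decrypt_blob(priv, once) == doc,
        "recovered_with_other_key": decrypt_blob(rsa_keygen()[1], once) == doc,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two observations worth taking from running it: `encrypt_blob` never touches a private key, so nothing recoverable is left on the encrypted host, and the marker check is exactly what makes a leftover marker a fingerprint. A defender scanning for the same fixed bytes at the same offset is reusing the malware’s own "already encrypted" test, which is why Check Point could tie the two families together from that detail alone.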
Ryuk also generates a unique bitcoin address for each victim, which makes payments harder to correlate and the perpetrators harder to trace. Furthermore, the payments are quickly moved out of those addresses and laundered to remove any trail that might lead back to the criminals. My money is on this not being Lazarus, as they wouldn’t be dumb enough to point the finger back at themselves by using the exact same structure as their previous creation, Hermes. Other experts disagree with me, including Cimpanu, who states that “the new Ryuk ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations.”
As more analysis is conducted, we may yet work out who is behind the attacks. Whoever they are, Lazarus or not, over half a million dollars in bitcoin is significant damage in such a short time frame, and those behind Ryuk must be discovered and brought to justice.
Featured image: Flickr / Christiaan Colen