A new ransomware campaign targeting large organisations in the US and around the world has made the attackers behind it over $640,000 in Bitcoin in the space of just two weeks, and appears to be connected to Lazarus, the hacking group working out of North Korea.
“From the exploitation phase through to the encryption process and up to the ransom demand itself, the carefully operated Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track,” said security company Check Point.
Ryuk ransomware first emerged in mid-August and in the space of just days infected several organisations across the US, encrypting victims' PCs, storage and data centres and demanding huge Bitcoin ransoms – one organisation is believed to have paid 50 Bitcoin (around $320,000) after falling victim to the attack.
The new ransomware campaign has been detailed by researchers at Check Point, who describe the attacks as so highly targeted that the perpetrators are conducting tailored campaigns involving extensive network mapping, network compromise and credential stealing in order to reach the end goal of installing Ryuk and encrypting systems.
It sounds similar to the techniques used by those behind SamSam ransomware, which has made its authors over $6 million, although there’s not thought to be a link between these two particular malicious operations.
Researchers have yet to determine how exactly the malicious payload is delivered, but users infected with Ryuk are met with one of two ransom notes.
One is written almost politely, claiming that the perpetrators have found a “significant hole in the security systems of your company” which has led to all files being encrypted and that a Bitcoin ransom needs to be paid to retrieve the files.
“Remember, we are not scammers,” the message concludes – before stating that all files will be destroyed if a payment isn’t received within two weeks.
One of the Ryuk ransom notes.
Image: Check Point
A second note is blunter, simply stating that files have been encrypted and that a ransom must be paid in order to retrieve the files. In both cases, victims are given an email to contact and a Bitcoin wallet address and are told that “no system is safe” from Ryuk.
In both cases, ransoms have been between 15 and 35 Bitcoin ($224,000), with an additional half a Bitcoin added for every day the victim doesn’t give in to the demands.
With such large ransoms being demanded, it appears that the attackers have researched their victims and have come to the conclusion that they’ll be willing to pay to retrieve their data.
“It is reasonable to assume the threat actors had some prior knowledge about their victims and their financial background,” Mark Lechtik, malware research team leader at Check Point, told ZDNet.
“The fact that the targets are organizations and not individuals might lead to a scenario where they have highly valuable data encrypted, which gives the perpetrators leverage to request higher amounts for its recovery.
“In such cases and in light of the underlying business impact, it becomes inevitable for the victims to pay the ransom,” he added.
If victims pay up, the cryptocurrency is divided and transferred between multiple wallets as the attackers attempt to disguise where the funds came from.
The ransomware hasn’t been widely distributed, indicating that careful planning is behind attacks against specific organisations.
But while the Ryuk campaign is new, researchers have found that the code is almost exactly the same as another form of ransomware – Hermes.
Hermes ransomware first appeared late last year and has previously been connected to attacks conducted by the North Korean Lazarus hacking group, including when it was used as a diversion for a $60m cyber heist against the Far Eastern International Bank in Taiwan.
Researchers inspecting Ryuk’s encryption logic have found that it very closely resembles that of Hermes, to such an extent that it still references Hermes within the code and that a number of rules and instructions are the same in both forms of malware, indicating identical source code.
That’s led Check Point to two possible conclusions: Ryuk is a case of North Korean hackers re-using code to conduct a new campaign, or it is the work of another attacker which has somehow gained access to the Hermes source code.
In either case, the specifically targeted attacks and the reconnaissance required in order to conduct them suggest that those behind Ryuk have the time and resources necessary to carry out the campaign. The current bounty of at least $640,000 suggests it’s paying off, and researchers warn that more attacks will come.
“After succeeding with infecting and getting paid some $640,000,…