Organizations Hit With North Korea-Linked Ryuk Ransomware

A recent wave of ransomware attacks against organizations around the world has been linked to a notorious North Korean threat actor, according to researchers at security firm Check Point.

The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms to regain access to their files, the campaign operators are estimated to have netted over $640,000 to date.

Two versions of the ransom note were sent to victims: a longer, well-worded one that demanded a payment of 50 Bitcoin (around $320,000), and a shorter, blunter note demanding between 15 and 35 BTC (up to $224,000).

Dubbed Ryuk, the ransomware used in these attacks appears connected to Hermes, a piece of file-encrypting malware previously associated with the North Korean threat group Lazarus. Hermes too was used in targeted attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

Thus, Check Point’s security researchers concluded that Lazarus could be responsible for the Ryuk ransomware as well, unless another actor was able to get Hermes’ source code and used it to build their own malware. 

As Intezer and McAfee revealed not long ago, however, most North Korean malware can be linked to Lazarus via code reuse. 

Ryuk’s encryption scheme, the researchers note, was built specifically for small-scale operations. Thus, not only is the infection carried out manually by the operators, but the malware itself infects only crucial assets and resources on the targeted networks. 

The ransomware’s encryption logic resembles that found in Hermes, and the code used to generate, place and verify a marker to determine if a file was already encrypted is identical in both malware families. The function that invokes this routine conducts very similar actions in both cases.

Furthermore, both ransomware families drop files to disk that are similar in name and purpose, and Check Point notes that such similarity of code “might well be a sign of an underlying identical source code.”

As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransomware also achieves persistence on the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk, to prevent users from recovering their files.
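The mass termination of backup, antivirus and database services described above is a behaviour defenders can look for. The following is an added detection example, not code from Check Point or from the article: it scans Windows System log records for Event ID 7036 (the Service Control Manager's "entered the stopped state" message) and flags a burst of stops hitting sensitive services within a short window. The service names, keywords, thresholds and log lines are constructed assumptions.

```python
"""Added example: flag a burst of stopped backup/antivirus/database services.
Event ID 7036 is the real Windows SCM event; everything else here is assumed."""
from collections import deque
from datetime import datetime, timedelta

# Keywords for the service categories the article says Ryuk targets (assumed names).
SENSITIVE_KEYWORDS = ("backup", "antivirus", "defender", "sql", "veeam", "acronis")

# Constructed sample records: (timestamp, event_id, message)
SAMPLE_EVENTS = [
    ("2018-08-20 02:14:01", 7036, "The Windows Update service entered the running state."),
    ("2018-08-20 02:15:10", 7036, "The Veeam Backup Service entered the stopped state."),
    ("2018-08-20 02:15:11", 7036, "The SQL Server (MSSQLSERVER) service entered the stopped state."),
    ("2018-08-20 02:15:11", 7036, "The Acronis Agent service entered the stopped state."),
    ("2018-08-20 02:15:12", 7036, "The Windows Defender Antivirus Service entered the stopped state."),
    ("2018-08-20 02:15:13", 7036, "The Backup Exec Job Engine entered the stopped state."),
    ("2018-08-20 03:40:00", 7036, "The Print Spooler service entered the stopped state."),
]


def parse_stopped_sensitive(events):
    """Yield timestamps of 7036 stop events whose message names a sensitive service."""
    for ts, event_id, msg in events:
        if event_id != 7036 or "entered the stopped state" not in msg:
            continue
        if any(k in msg.lower() for k in SENSITIVE_KEYWORDS):
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def detect_service_kill_burst(events, threshold=4, window=timedelta(seconds=60)):
    """Return (alert, peak): alert is True when at least `threshold` sensitive
    services stopped inside one sliding `window`; peak is the largest count seen.
    Threshold and window are assumed tuning values, not figures from the report."""
    recent = deque()
    peak = 0
    for ts in sorted(parse_stopped_sensitive(events)):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak >= threshold, peak


if __name__ == "__main__":
    alert, count = detect_service_kill_burst(SAMPLE_EVENTS)
    print(f"alert={alert} peak_sensitive_stops_in_window={count}")
```

A single stopped service, or stops spread across hours as in normal maintenance, stays below the threshold; the sliding window is what distinguishes the scripted, near-simultaneous kill pattern from routine restarts.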

The researchers also note that, from the exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is clearly targeted at organizations that can pay large ransom amounts. 

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts. 

“We were able to spot a connection between these wallets, as funds paid to them were transferred to several key wallets at a certain point. This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware,” Check Point says.
