Organizations Hit With North Korea-Linked Ryuk Ransomware

A recent wave of ransomware attacks against organizations around the world have been linked to a notorious North Korean threat actor according to the experts at security firm Check Point say.

The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms in order to retrieve access to their files, the campaign operators are estimated to have netted over $640,000 to date. 

Two ransom note versions were sent to victims, a longer, well-worded one that demanded a payment of 50 Bitcoin (around $320,000), and a shorter, more blunt note, demanding payments between 15-35 BTC (up to $224,000). 

Dubbed Ryuk, the ransomware used in these attacks appears connected to Hermes, a piece of file-encrypting malware previously associated with the North Korean threat group Lazarus. Hermes too was used in targeted attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

Thus, Check Point’s security researchers concluded that Lazarus could be responsible for the Ryuk ransomware as well, unless another actor was able to get Hermes’ source code and used it to build their own malware. 

As Intezer and McAfee revealed not long ago, however, most North Korean malware can be linked to Lazarus via code reuse. 

Ryuk’s encryption scheme, the researchers note, was built specifically for small-scale operations. Thus, not only is the infection carried out manually by the operators, but the malware itself infects only crucial assets and resources on the targeted networks. 

The ransomware’s encryption logic resembles that found in Hermes, and the code used to generate, place and verify a marker to determine if a file was already encrypted is identical in both malware families. The function that invokes this routine conducts very similar actions in both cases.

Furthermore, both ransomware families drop to the disk files that resemble in name and purpose, and Check Point notes that such similarity of code “might well be a sign of an underlying identical source code.”

As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransomware also achieves persistence onto the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk, to prevent users from recovering files. 

The researchers also note that, from the exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is clearly targeted at organizations that can pay large ransom amounts. 

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts. 

“We were able to spot a connection between these wallets, as funds paid to them were transferred to several key wallets at a certain point. This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware,” Check Point says.

Computer Week:

You Might Also Read:

Re-Thinking The Threat Of Ransomware

« Blockchain, Chatbots, AI Could Reinvent Corporate Finance
Why Mainframe Security Risks Are Largely Unrecognized »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

rPeople Staffing

rPeople Staffing

rPeople provides direct placement in all areas of your organization, including and specializing in Technical and Executive hiring.

Cloud Security Alliance (CSA)

Cloud Security Alliance (CSA)

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing

Fox-IT

Fox-IT

Fox-IT prevents, solves and mitigates the most serious cyber threats with smart solutions for governmental bodies, defense, law enforcement, critical infrastructure, banking and large enterprises.

Cervello

Cervello

Cervello is a leading provider of comprehensive and proven solutions to protect railways against cyber attacks.

ABS Group

ABS Group

ABS Group provides risk and reliability solutions and technical services that help clients confirm the safety, integrity and security of critical assets and operations.

Findcourses.co.uk

Findcourses.co.uk

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

KDM Analytics

KDM Analytics

KDM Analytics software products automate the NIST risk management framework (RMF) assessment for operational technology (OT) systems.

Cympire

Cympire

Cympire significantly increases an organisation’s Cyber Resilience through continuous Training and Assessment. Cyber Security Training Platform. Cloud-based and fully customizable Cyber Range.

Dectar

Dectar

Dectar (formerly 4Securitas) is a cybersecurity company that provides solutions that predict, detect, defend and react against cybersecurity threats.

Herzing College

Herzing College

Herzing College Ottawa offers an accelerated 12-month Cybersecurity Specialist training program. This program is developed by industry experts and based on leading IT security certifications.

AWARE7

AWARE7

IT security for human and machine. With the help of our products and services, we work with you to increase the IT security level of your organization.

Disecto Technologies

Disecto Technologies

At Disecto, we provide SaaS based Data Discovery, Classification and a remediation solution for data privacy compliance.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.

Career Smarter

Career Smarter

Career Smarter offers accredited online courses in cybersecurity and other sectors, helping learners gain industry-recognised certifications.

RAH Infotech

RAH Infotech

RAH Infotech is India’s leading value added distributor and solutions provider in the Network and Security domain. We are specialists in Enterprise and App Security and Application Delivery.

Cyber Dexterity

Cyber Dexterity

Cyber Dexterity deliver tailored advisory and learning solutions that empower your people, customers and key stakeholders with lasting skills and capabilities.