Look out, SamSam. There’s a new ransomware in town that’s very carefully targeting enterprises and businesses. Say hello to Ryuk. In the first two weeks after its August debut, the ransomware made its operators over $640,000 USD. By contrast, SamSam has taken about three years to make its author about $6 million USD.
While the people behind Ryuk are on their way to their first million dollars worth of Bitcoin, they also think you should be very honored to be attacked by them. This is some of what their ransom note says:
“Gentlemen! Your business is at serious risk. There is a significant hole in the security of your company… You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks… The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5BTC… Nothing personal just business.”
Cryptocurrency values fluctuate wildly, but when I checked the Bitcoin to US dollar exchange rate on August 23rd, a Bitcoin was $6,410.74. So each day an organization delays costs it roughly another $3,200 at that rate. The main ransom amount demanded has varied from 15 to 50 Bitcoin, or about $96,000 to $320,000. Because these attacks are so targeted, I believe they may be adjusting their demand according to what they think their target can pay.
Like most other ransomware that targets the enterprise, Ryuk goes after Windows systems. But unlike WannaCry, there isn’t one specific vulnerability that it always rides in on, such as that notorious Windows SMB exploit. Ryuk is deployed by hand: its operators spend time inside a target’s network, mapping it and maliciously acquiring credentials, before they drop the ransomware. That means the usual patch cycle is not enough on its own. As Microsoft patches Windows and Cisco patches networking devices, the Ryuk team will probably find new vulnerabilities to exploit. And they do it all just for you!
It’s hypothesized that the people behind Ryuk are either North Korea’s Lazarus Group, or a group that has learned from Lazarus’ work. That’s because Ryuk resembles HERMES in many ways. HERMES came to wide attention in October 2017 when it was used against Taiwan’s Far Eastern International Bank to steal about $60 million through SWIFT, an attack that is strongly believed to be Lazarus’ work. The code Ryuk uses to place a marker in each file, so it can check that the file has already been encrypted, is identical to the code HERMES uses for the same purpose. Both Ryuk and HERMES are very selective about what they encrypt on a Windows system: they encrypt what the target really needs, but leave alone what the victim needs in order to read the ransom note and make the Bitcoin payment. And they both go about the encryption process the same way, keeping a whitelist of Windows folders that are skipped, and writing a batch file called “window.bat” into each folder, a script that deletes volume shadow copies and backup files so the victim cannot simply restore.
Ryuk is also ready to run on really legacy Windows systems, such as 32-bit Windows 2000. What is an OS that’s been out of support for so long doing on the internet? Or maybe those machines are only on an organization’s internal network, but then the Ryuk black hats must have got into that internal network through some machine that is connected to the internet, and walked over to the old box with the credentials they collected. Any computer that runs an OS that’s no longer supported should be completely isolated from the internet and segmented off from the rest of the network, or exist as a virtual machine (that a network administrator can delete at will) if using that OS/version can’t possibly be avoided.
Ryuk also has a really nasty persistence technique, nasty in its simplicity. It just writes itself to the Run registry key, so it is launched again at every logon. Ouch!
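The two behaviours just described, wiping shadow copies and backups through a batch script, and persisting through the Run key, are both loud enough to catch in process-creation telemetry (Sysmon Event ID 1 or the equivalent from an EDR). The Python below is an added example, not code from the original post or from Comodo’s lab: it classifies constructed process events against those two behaviours and escalates a host where both appear together. The hosts, users and the “updater” value name are invented, the command-line patterns are the standard vssadmin/wmic/wbadmin/bcdedit/reg syntaxes rather than anything taken from a Ryuk sample, and it assumes the Run key is written via reg.exe.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation event (Sysmon Event ID 1 style), constructed for this example."""
    host: str
    user: str
    image: str          # path of the executable that was started
    command_line: str
    parent_image: str


# Command lines that wipe the victim's recovery options. These are the documented
# vssadmin/wmic/wbadmin/bcdedit syntaxes, not patterns taken from a specific sample.
BACKUP_DESTRUCTION = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=", re.I),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)", re.I),
    re.compile(r"bcdedit(?:\.exe)?\s+.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
]

# 'reg add' against the per-user or machine-wide Run/RunOnce autostart keys.
RUN_KEY = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)'
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b",
    re.I,
)
# Autostart entries pointing into user-writable locations deserve more suspicion.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def classify(event):
    """Return a list of (rule, detail) findings for one event; empty if nothing matched."""
    findings = []
    cl = event.command_line
    for pattern in BACKUP_DESTRUCTION:
        if pattern.search(cl):
            findings.append(("backup_destruction", f"{event.parent_image} -> {cl}"))
            break
    if RUN_KEY.search(cl):
        # Pull the /d value (the program that will be autostarted), quoted or not.
        m = re.search(r'/d\s+(?:"([^"]+)"|(\S+))', cl, re.I)
        target = (m.group(1) or m.group(2)) if m else ""
        severity = "high" if USER_WRITABLE.search(target) else "medium"
        findings.append(("run_key_persistence", f"{severity}: {target or cl}"))
    return findings


def triage(events):
    """Group findings per host and assign a verdict. Backup destruction and Run-key
    persistence on the same host together are treated as ransomware staging."""
    per_host = {}
    for ev in events:
        for rule, detail in classify(ev):
            per_host.setdefault(ev.host, []).append((rule, detail))
    verdicts = {}
    for host, hits in per_host.items():
        rules = {rule for rule, _ in hits}
        if {"backup_destruction", "run_key_persistence"} <= rules:
            verdicts[host] = "likely_ransomware_staging"
        elif "backup_destruction" in rules:
            verdicts[host] = "investigate_backup_destruction"
        else:
            verdicts[host] = "review_persistence"
    return verdicts, per_host


# Constructed sample telemetry: hosts, users and the 'updater' value name are invented.
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\alice", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS01", "CORP\\alice", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS01", "CORP\\alice", r"C:\Windows\System32\wbadmin.exe",
                 "wbadmin delete catalog -quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS01", "CORP\\alice", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("FS01", "CORP\\alice", r"C:\Windows\System32\reg.exe",
                 r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v updater '
                 r'/t REG_SZ /d "C:\Users\alice\AppData\Local\Temp\updater.exe" /f',
                 r"C:\Users\alice\AppData\Local\Temp\updater.exe"),
    ProcessEvent("WS22", "CORP\\bob", r"C:\Windows\System32\reg.exe",
                 r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v VendorAgent '
                 r'/d "C:\Program Files\Vendor\agent.exe" /f',
                 r"C:\Program Files\Vendor\setup.exe"),
    ProcessEvent("WS22", "CORP\\bob", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\bob\readme.txt", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    verdicts, hits = triage(SAMPLE_EVENTS)
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
        for rule, detail in hits[host]:
            print(f"  {rule}: {detail}")
```

Two design points worth noting. “vssadmin list shadows” is deliberately not flagged, since administrators run it all the time; only the delete/resize forms that actually destroy recovery points count. And a lone “reg add” to a Run key is only marked for review, because legitimate installers do exactly that; what lifts FS01 to “likely_ransomware_staging” is the combination of backup destruction and an autostart entry pointing into a user’s Temp folder on the same host. A sample that sets the Run value through the registry API instead of reg.exe would not produce a reg.exe process event at all, so in practice you would pair this with a registry-write rule (Sysmon Event ID 13 on the same key path).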
Only time will tell if Ryuk is the work of North Korea’s notorious Lazarus Group, or if we’re looking at the work of Lazarus Part Deux. The LulzSec to Lazarus’ Anonymous, if you will. (Well, not only time will tell, but also the work of dedicated malware researchers like the Comodo threat intelligence lab.)