This ransomware campaign focuses primarily on businesses and demands payment in Bitcoin
Specialists at several cyber security organizations have reported multiple cases of attacks involving a ransomware known as Ryuk, which encrypts data stored on infected devices and in data centers. The victims are organizations in the United States and elsewhere in the world.
It is estimated that the group behind the attacks has accumulated more than $640K USD in Bitcoin during the campaign, and it is presumed to have some connection with the Lazarus group, the hackers linked to the North Korean government.
“From the exploitation phase to the file encryption process and to the ransom demand itself, the Ryuk ransomware campaign is carried out with the utmost care and is aimed at companies with sufficient resources to pay a ransom so the malware does not interfere with their operations”, cyber security organization experts said.
Ryuk first appeared in mid-August and infected several organizations in the United States within a few days, encrypting computers and data centers and then demanding a ransom in Bitcoin; one organization is believed to have paid 50 Bitcoin (about $320K USD) to decrypt its data.
The campaign has been analyzed by several cyber security experts, who describe the attacks as targeted: the attackers run custom campaigns that involve extensive mapping of the victim's network and theft of credentials, with the ultimate goal of installing Ryuk and encrypting systems.
This procedure is similar to the one used by the SamSam ransomware, with which attackers gathered more than $6M USD, although there is no apparent link between the two campaigns.
Researchers from the International Institute of Cyber Security report that exactly how the malicious payload is delivered has yet to be determined; what is known is that users infected with Ryuk are presented with one of two different ransom notes.
One of the notes states, in a very polite tone, that the attackers have found a loophole in the company's security systems which they used to encrypt its data, and asks for a payment in Bitcoin, warning that the files will be lost permanently if payment is not made within two weeks.
The second note, written more bluntly, simply tells the user that the files have been encrypted and that a ransom must be paid to recover them. In both cases, victims are given email addresses for contact and a Bitcoin wallet address to which the ransom must be paid.
In both cases, the ransoms demanded have ranged between 15 and 35 Bitcoin (around $224K USD), with an additional 0.5 Bitcoin added for each day the ransom goes unpaid. The amounts requested suggest that the hackers have researched the victim organizations in detail.
Despite the campaign being recent, analysts have been able to conclude that Ryuk shares code with Hermes, a ransomware used in a recent campaign.