Research Suggests Russian-Based Hackers Behind Ryuk Ransomware’s $2.5 Million Gains

Published at: Jan. 14, 2019

A recent spate of ransomware attacks estimated to have earned hackers 705.08 Bitcoin (BTC) ($2.5 million) likely came from Russian cybercriminals, not North Korean state-sponsored actors as initially thought. The development was reported on The Next Web’s crypto-focused news site Hard Fork on Jan. 14.

Hard Fork cites evidence from the cybersecurity research teams McAfee Labs and Crowdstrike, which have analyzed the strategies used in developing and disseminating the Ryuk ransomware strain and concluded that the identity and motivations of its masterminds have most likely been misreported until now. The Ryuk campaign notably attracted wide attention following its targeting of major United States media group Tribune Publishing over Christmas.

As McAfee notes, Ryuk is a fictional manga character who spreads lethal death notes as an evil distraction from his own boredom — an analogy for the ransom notes reported to have accompanied Ryuk once the ransomware had encrypted victims’ drives.

Ryuk was reportedly initially spread via a banking Trojan dubbed TrickBot, which was concealed in email spam sent to tens of thousands of victims, with the attackers then reported to have graduated to targeting select larger enterprises.

The allegedly mistaken attribution to North Korea appears to have been spurred by code similarities between Ryuk and Hermes — a ransomware that was previously allegedly used by North Korean state actors as a diversion to distract from a compromise of the SWIFT network of the Far Eastern International Bank (FEIB) in Taiwan.

Yet as McAfee, Crowdstrike, and others argue, Ryuk is likely a modified version of Hermes 2.1, which was available as a commodity malware kit for sale in underground forums. It is believed — with medium to high confidence — to be attributable to the Russia-based threat actor group GRIM SPIDER, in part because early ads for Hermes stated it would not work on Russian-, Ukrainian- or Belarusian-language systems.

As of August last year, the Ryuk heist is estimated to have earned its architects 705 BTC. In its analysis of the Ryuk attacks, Crowdstrike has reported that over 52 transactions across 37 BTC addresses, GRIM SPIDER has made 705.80 BTC ($2.5 million). The research added:

“With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more.”

Crowdstrike further claims that GRIM SPIDER is a cell of e-criminals that forms part of the larger threat group WIZARD SPIDER, identified as the Russia-based operator of the TrickBot banking malware.

In a report published last October, cybercrime firm Group-IB identified the allegedly North Korean state-sponsored hacker group Lazarus as responsible for $571 million of the $882 million total in cryptocurrencies stolen from online exchanges from 2017 to 2018.
