Ryuk ransomware was first spotted in August 2018 and has been used in a series of high-profile, targeted attacks; unlike commodity ransomware, it has only been observed against enterprise environments. The GRIM SPIDER group is believed to operate it. Since its appearance in August 2018, the operators have collected over 705.80 BTC across 52 transactions, worth $3,701,893.98 USD at the time of writing.
Ryuk's capabilities
Similarities between Ryuk and Hermes
Code similarities between Ryuk and Hermes indicate that Ryuk was derived from the Hermes source code and has been under steady development since it first appeared.
The modified Hermes variant, dubbed Ryuk, appeared in mid-August 2018. Hermes and Ryuk select and encrypt target files in a similar manner. The similarities between the two ransomware families include:
Differences between Ryuk and Hermes
Unlike Hermes, Ryuk has been tailored to target enterprise environments only, and among the modifications the anti-analysis checks present in Hermes were removed. The core differences are:
The link between Ryuk and TrickBot
Researchers have repeatedly observed Ryuk being deployed in environments already infected with the TrickBot banking trojan, and the GRIM SPIDER group believed to operate Ryuk has been associated with the operators of TrickBot. One financially motivated activity cluster, tracked as ‘TEMP.MixMaster’, involved attackers deploying Ryuk following TrickBot infections. Researchers have also observed a malspam campaign distributing Ryuk directly. It should be noted that TrickBot itself is distributed through massive spam campaigns, which gives the Ryuk operators a steady supply of already-compromised enterprise networks.
Ryuk attacks
In August 2018, Ryuk made its first appearance, infecting organizations across the globe and encrypting hundreds of PCs, storage systems and data center servers in each victim company. At least three organizations in the US and elsewhere, including a medical equipment firm, Tim Otis, are believed to have been “severely hit” by the ransomware.
In October 2018, a major Canadian restaurant chain, Recipe Unlimited, was hit by a Ryuk attack that disrupted operations at its restaurants, including the brands Swiss Chalet, Harvey's, Milestones, Kelseys, Montana's, Bier Markt, and East Side Mario's. The attackers demanded a ransom in bitcoin for the return of the data.
In December 2018, a massive cyberattack on a US newspaper publisher delayed the printing and distribution of several major newspapers, including the Los Angeles Times and the West Coast editions of the New York Times and the Wall Street Journal, which are printed at the same facility. The cybercriminals behind the attack were suspected to have used the Ryuk ransomware.
Cloud hosting provider Dataresolution.net suffered a Ryuk attack on Christmas Eve 2018. The attackers used a compromised login account to gain access and infect the company's servers. In response, the company shut down its network to curtail the spread of the infection and worked through the process of restoring the infected systems.