Ryuk ransomware linked to financially-motivated Russian cybercriminals
- The ransomware typically arrives at the final stage of an infection that starts with Emotet and includes TrickBot as a secondary payload.
- Researchers have found that there is a similarity between Ryuk ransomware and Hermes 2.1.
Multiple researchers are linking the Ryuk ransomware, which disrupted the operations of various US newspapers in late 2018, to the Emotet and TrickBot trojans. The researchers have also shifted the blame for the attack from North Korean actors to financially motivated Russian cybercriminals.
According to researchers from CrowdStrike, FireEye, Kryptos Logic and McAfee Labs, the attack carried out against Tribune Company on December 29 was part of a large cybercrime scheme. So far, the cybercriminals have managed to make off with $3.7 million worth of bitcoins by infecting networks in the massive attack.
Ryuk linked to TEMP.MixMaster
In the reports by FireEye and CrowdStrike, researchers explain that the ransomware typically arrives at the final stage of an infection that starts with Emotet and includes TrickBot as a secondary payload.
FireEye has linked this type of access to financially motivated threat actors it refers to as TEMP.MixMaster. The researchers noted that the threat actors have been active since at least December 2017.
“In multiple incidents, rather than relying solely on built-in TrickBot capabilities, TEMP.MixMaster used EMPIRE and RDP connections to enable lateral movement within victim environments,” FireEye’s researchers said in a blog post.
“Interactive deployment of ransomware, such as this, allows an attacker to perform valuable reconnaissance within the victim network and identify critical systems to maximize their disruption to business operations, ultimately increasing the likelihood an organization will pay the demanded ransom,” the researchers added.
Ryuk linked to GRIM SPIDER threat actor
The CrowdStrike researchers believe a group named GRIM SPIDER is likely to have created the Ryuk ransomware. The attackers appear to have bought a version of Hermes ransomware from a hacking forum in order to create the ransomware.
The confusion comes from the fact that North Korean state hackers had deployed a version of the Hermes ransomware to target a Taiwanese bank in October 2017. The malware used in the attack was Hermes 2.1.
Researchers John Fokker and Christiaan Beek from McAfee investigated the attacks on the US newspapers and the attack on the Taiwanese bank and found that there was a similarity between Ryuk ransomware and Hermes 2.1.
“Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code,” Fokker and Beek said in their research paper.
In research first released by McAfee and then followed by FireEye and CrowdStrike, researchers now consider it more likely that the actors behind Ryuk are from Russia.
This is because, in August 2017, Hermes was being sold on the hacking forum Exploit.in by a Russian-speaking actor. Furthermore, like most Russia-based ransomware, Hermes contains code that prevents it from encrypting computers whose system language is set to Russian, Ukrainian or Belarusian.