Ryuk ransomware operators raked in over $640,000 and could be linked to Lazarus

• Ryuk ransomware’s infrastructure shares several similarities with that of the Hermes ransomware.
• Ryuk, unlike other ransomware variants, has only been used for small-scale but highly targeted attacks.

The cybercriminals operating the recently discovered Ryuk ransomware have already raked in over $640,000. The ransomware has infected various organizations across the globe. At least three entities in the US and elsewhere are believed to have been “severely hit” by the ransomware.

According to security researchers at Check Point, who tracked the Ryuk ransomware campaign, the ransomware shares similarities with the Hermes ransomware, which is believed to be operated by the notorious North Korean state-backed threat group Lazarus. Researchers suspect that Ryuk may either be operated by Lazarus or by threat actors who got a hold of the Hermes ransomware’s source code.

Modus operandi

Ryuk’s operators appear to be masking the ransom payments they have received by transferring the bitcoin payments among multiple wallets. Ryuk, unlike other ransomware variants, has only been used for small-scale but highly targeted attacks. Ryuk’s encryption scheme indicates that the ransomware is designed to only infect crucial assets and resources.

Ryuk vs Hermes

Hermes first rose to prominence after it was used by the Lazarus Group to target the Far Eastern International Bank (FEIB) in Taiwan. The attack saw Lazarus hackers steal $60 million. Although Hermes was used more as a diversion in the attack against the Taiwanese bank, in the case of Ryuk, the ransomware is the main event of the campaign.

“An interesting finding that arises when inspecting Ryuk’s code is that its encryption logic resembles that found in the HERMES ransomware,” Check Point researchers wrote in a blog. “It should also be noted that all the above logic is preserved in both the 32 and 64 bit versions of Ryuk that we had samples of. Such similarity of code across different architectures might well be a sign of an underlying identical source code.”

Ryuk ransomware capabilities and ransom

Ryuk is capable of shutting down over 40 process and around 180 services, including those belonging to antivirus, backup, databases and other programs. Ryuk is also capable of destroying its encryption key and deleting all the shadow copies of the various backup files on a targeted system.

“Ryuk ransomware has not been widely distributed. Similarly to its forefather, HERMES, it has only been used in targeted attacks, which makes it a lot harder to track the malware author’s activities and revenues,” Check Point researchers added. “Almost each malware sample was provided a unique wallet and shortly after the ransom payment was made, the funds were divided and transmitted through multiple other accounts.”

Researchers believe that Ryuk is only targeting organizations that are capable of paying large amounts of money. Experts estimated that Ryuk attacks will likely continue and more global organizations may fall victim to the ransomware in the near future.