The Ryuk ransomware has raked in $3.7 million in bitcoin payments since it first appeared last August, researchers say, and has emerged as the calling card of a crime organization tracked as Grim Spider (a.k.a. MixMaster). Grim Spider may in turn be linked to other crime syndicates, pointing to a large, interrelated web of sophisticated criminal activity with global reach.
According to CrowdStrike analysis published late last week, Grim Spider specializes in big-game hunting with Ryuk: targeting large organizations for a high ransom. Lately it has also used TrickBot and Emotet in its attack chain, which raises questions about who Grim Spider actually is.
Following those malware breadcrumbs, the multi-malware approach could indicate that Grim Spider is a sub-cell of a larger, Russia-based group called Wizard Spider, best known for spreading the TrickBot banking malware and carrying out wire fraud, researchers said. Grim Spider and Wizard Spider also appear to be affiliated with a third group that CrowdStrike calls Mummy Spider, which distributes the Emotet malware around the globe, and Ryuk’s approach shares similarities with the tooling of yet another arachnid-themed gang, which the firm calls Indrik Spider.
Ryuk, Heir to Hermes
The analysis shows that Ryuk is the result of custom development on top of an older commodity malware known as Hermes, believed to have been authored by North Korea’s Stardust Chollima (a.k.a. APT38, a revenue-generating offshoot of the well-known Lazarus Group). Hermes first gained publicity in October 2017, when it was used as part of a sophisticated SWIFT attack against the Far Eastern International Bank (FEIB) in Taiwan.
“Code comparison between versions of Ryuk and [the] Hermes ransomware indicates that Ryuk was derived from the Hermes source code, and has been under steady development since its release,” said the research team. “Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by Grim Spider and, unlike Hermes, Ryuk has only been used to target enterprise environments.”
Code similarities include the encryption logic, the researchers said. Like Hermes, Ryuk uses a hybrid scheme, encrypting file contents with AES-256 and protecting the per-file AES keys with RSA-2048, and stores keys in the executable using the proprietary Microsoft CryptoAPI SIMPLEBLOB key-blob format. It encrypts mounted devices and remote hosts, and writes a HERMES file marker to mark a file as encrypted and to check, on a later pass, whether it already has been.
Unlike Hermes, however, Ryuk does not generate a victim-specific RSA key pair on the infected host. Instead, two public RSA keys are embedded in the executable, and what in Hermes was the victim’s RSA private key is itself encrypted and embedded in the executable, so the key pair is fixed per build rather than created at run time.
“Because Ryuk does not generate a victim-specific RSA key pair, all hosts can be decrypted with the same decryption key,” analysts said. “This might appear to be a design flaw but is not, since Ryuk has a unique key for each executable. If a single executable is used for a single victim environment, then there are no repercussions if the private keys are leaked because it will only decrypt the damage from a single Ryuk executable. Thus, it is highly likely that Ryuk pre-generates the RSA key pairs for each victim. This is arguably more secure, since the victim’s system will never have access to the unencrypted RSA key pair parameters without paying the ransom.”
They noted that this approach resembles that of another arachnid-themed crime group, Indrik Spider, whose BitPaymer ransomware is built as a victim-specific sample with a hard-coded public key.
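As an added illustration of the key hierarchy the analysts describe, and not code from the page, from CrowdStrike or from any Ryuk or Hermes sample: one RSA-2048 key pair per build, only the public key shipped in the "executable", a fresh AES-256 key per file wrapped under that public key, and a HERMES marker used to recognise data that has already been processed. The byte layout (nonce, AES-GCM ciphertext, marker, RSA-OAEP-wrapped key), the choice of GCM and OAEP, and all type and function names are assumptions made for this example; it uses only Go's standard library and works on in-memory buffers, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed layout for this demo: nonce || AES-GCM ciphertext || "HERMES" || RSA-OAEP(file key).
// The marker string is the one the article names; the layout itself is an assumption.
const (
	marker     = "HERMES"
	rsaBits    = 2048 // RSA-2048, as the article describes
	wrappedLen = rsaBits / 8
)

// Encryptor models one build of a Ryuk-style executable: it embeds only a public key,
// so the host never holds material that can unwrap the per-file AES keys.
type Encryptor struct{ pub *rsa.PublicKey }

// Decryptor models the per-build tool the actor keeps back: the private key that
// unwraps every blob produced by the matching Encryptor.
type Decryptor struct{ priv *rsa.PrivateKey }

// NewBuild models the actor pre-generating one RSA key pair per executable.
func NewBuild() (Encryptor, Decryptor, error) {
	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return Encryptor{}, Decryptor{}, err
	}
	return Encryptor{pub: &priv.PublicKey}, Decryptor{priv: priv}, nil
}

// IsMarked reports whether a buffer carries the marker where the demo layout puts it,
// immediately before the trailing wrapped key. This is the "already encrypted?" check.
func IsMarked(blob []byte) bool {
	cut := len(blob) - wrappedLen - len(marker)
	return cut >= 0 && bytes.Equal(blob[cut:cut+len(marker)], []byte(marker))
}

// Encrypt draws a fresh AES-256 key for this one buffer, seals the buffer with AES-GCM,
// wraps the AES key under the embedded RSA public key and appends marker and wrapped key.
func (e Encryptor) Encrypt(plaintext []byte) ([]byte, error) {
	if IsMarked(plaintext) {
		return nil, errors.New("already marked: refusing to encrypt twice")
	}
	fileKey := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, e.pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := append(body, []byte(marker)...)
	return append(out, wrapped...), nil
}

// Decrypt unwraps the per-file key with the build's private key and opens the buffer.
// It fails on unmarked input and on blobs produced under a different build's key pair.
func (d Decryptor) Decrypt(blob []byte) ([]byte, error) {
	if !IsMarked(blob) {
		return nil, errors.New("no marker: not an encrypted blob")
	}
	cut := len(blob) - wrappedLen - len(marker)
	body, wrapped := blob[:cut], blob[cut+len(marker):]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (other build's private key?): %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(body) < ns {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, body[:ns], body[ns:], nil)
}

func main() {
	encA, decA, _ := NewBuild() // build A: shipped public key, retained private key
	_, decB, _ := NewBuild()    // build B: an unrelated pair, as for a different victim
	// Constructed sample inputs standing in for two files on two hosts.
	for _, doc := range []string{"host1: report.docx (constructed)", "host2: ledger.xlsx (constructed)"} {
		blob, _ := encA.Encrypt([]byte(doc))
		pt, err := decA.Decrypt(blob)
		fmt.Printf("build A key: %q err=%v\n", pt, err)
		_, err = decB.Decrypt(blob)
		fmt.Printf("build B key: err=%v\n", err)
	}
}
```

Every buffer sealed by build A opens with build A's single private key, and build B's key fails on all of them, which is the "all hosts can be decrypted with the same key, but only for that executable" property the analysts point out. The marker check is the kind of triage test an incident responder can apply to suspect files, with the caveat that the marker's position and the surrounding layout must be confirmed from the actual sample rather than taken from this demo.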
“Ryuk is under constant development. In recent months, Ryuk binaries have continued to deviate further and further from the original Hermes source code, with the threat actors adding and removing functionality often,” according to CrowdStrike. “In November 2018, Falcon Intelligence identified new functionality added to Ryuk that included an anti-analysis infinite loop, a ping-like request to an IP address once the encryption process was completed, and the addition of an appended file extension for encrypted files. Of these three new features, only the file extension is still present in an executable compiled on Dec. 20, 2018.”
Interestingly, the ransom demand varies significantly; the amount appears to be set according to the size and value of the victim organization. CrowdStrike said that, to date, the lowest observed demand was 1.7 Bitcoin (about $6,700) and the highest was 99 Bitcoin (about $363,294 at today’s exchange rates).
Unraveling a Web of Malware
In addition to the similarities with Indrik Spider’s malware, analysis of multiple observed Ryuk infections also turned up TrickBot and Emotet infestations in the same victim environments, indicating a chained, multi-malware attack.
“[We believe] that the initial compromise is performed through TrickBot, which is typically distributed either via spam email or, through the use of the Emotet (developed and operated by Mummy Spider) geo-based download function,” the analysts said. “[Our platform] Falcon Intelligence has been monitoring the geo-based download activity from Emotet and, during 2018, Mummy Spider has been an avid supporter of Wizard Spider, predominantly distributing TrickBot to Emotet victims in the U.K., the U.S. and Canada.”
Some of TrickBot’s modules, such as the pwgrab credential-stealer, appear to supply the credentials Grim Spider needs to move through a compromised environment, the analysis pointed out.
“The SOCKS module in particular has been observed tunneling PowerShell Empire traffic to perform reconnaissance and lateral movement,” the team said. “Through CrowdStrike IR engagements, Grim Spider has been observed performing [various] events on the victim’s network, with the end goal of pushing out the Ryuk binary.”
Attribution Still Unclear
While the link with Hermes would seem to point to Grim Spider being affiliated with Hermes’s North Korean developers, the fact that Hermes was up for sale on Russian underground forums pokes holes in that theory.
“While there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found evidence of this during our investigations,” researchers at FireEye said, in a separate analysis last week of the Ryuk group, which it calls MixMaster. “This narrative appears to be driven by code similarities between Ryuk and Hermes, a ransomware that has been used by APT38. However, these code similarities are insufficient to conclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the underground community at one time.”
CrowdStrike also said that it assesses with “medium-high confidence” that Grim Spider/MixMaster is in fact a Russia-based organization, a conclusion it draws from artifacts in the code as well as from observed activity of the threat actors.
For one, Ryuk checks the system’s language setting and will not execute on Russian, Ukrainian or Belarusian systems, a feature commonly built in by malware developers and sellers operating in Russia to reduce their risk of attracting the attention of local law enforcement and being prosecuted.
Perhaps more compelling, during a Ryuk investigation Falcon Intelligence noticed files related to the investigation being uploaded to a file-scanning website from an IP address in Moscow.
“The file in question was a variant of kill.bat that contained commands previously only observed executed by Ryuk calling ShellExecute,” CrowdStrike researchers explained. “The files could have been uploaded by a victim in Russia, but the time frame between the functionality being removed from Ryuk binaries and included in kill.bat was very short. The most likely scenario is that threat actors were testing whether kill.bat would be detected by antivirus engines.”
And perhaps most compelling of all, during a forensic investigation of a network compromised by Grim Spider, CrowdStrike recovered artifacts with Russian-language filenames.
Of course, the last of these could be a false flag, and the first two are circumstantial at best. Further, FireEye’s Mandiant unit noted that the perceived linkages between the TrickBot operators (known to be based in Eastern Europe) and Grim Spider are not conclusive either.
“Currently, we do not have definitive evidence that the entirety of MixMaster activity, from TrickBot distribution and operation to Ryuk deployment, is being conducted by a common operator or group,” the analysts said. “The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber-criminal actors to use in operations.”
They added, “It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party.”
Thus, while the story of multiple spiders working together is compelling, exactly how this web of malware and operators fits together remains shadowy, for now.