A new ransomware, Ryuk, has burst onto the scene, attacking well-chosen organizations worldwide in a highly sophisticated operation that may be linked to a well-known APT actor.
Over the past two weeks, the Ryuk ransomware has encrypted hundreds of PCs, storage and data centers in each of the companies that it’s infected, according to Check Point, including within three high-value enterprises in the U.S. So far, the ongoing campaign has netted $640,000 for the threat actors.
“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” Check Point researchers said in a post on the malware published today. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.”
Researchers said that the attackers are asking for varied sums in return for file decryption, depending on the target — ranging from 15 BTC to 50 BTC (roughly $96,000 to $320,000).
“Some organizations paid an exceptionally large ransom,” they noted.
The attackers are tailoring their communications approach to the victims too, using two different ransom notes. One is longer, “well-worded and nicely phrased,” according to Check Point, and is used for organizations slapped with higher ransom requests. A second, blunter note is reserved for the less lucrative victims.
Overall, the operation is clearly a sophisticated one, involving plenty of recon activities, like extensive network mapping, hacking and credential collection. This suggests a well-honed actor pulling the strings – and Check Point found suggestions in its analysis of the activities that North Korea’s Lazarus Group APT could possibly be behind it all.
However, attribution is somewhat difficult, especially given that while tracking the money trail, researchers saw that Ryuk’s authors are disguising their received payments by dividing and transferring them among multiple wallets. After a ransom payment is made to a preassigned wallet, some 25 percent of the funds are transferred to a new wallet. The remaining amount is transferred to a second new wallet, from which it is split and relocated again.
“Ryuk ransomware has not been widely distributed… it has only been used in targeted attacks, which makes it a lot harder to track the malware author’s activities and revenues,” Check Point analysts said. “Almost each malware sample was provided a unique wallet and shortly after the ransom payment was made, the funds were divided and transmitted through multiple other accounts.”
Connections to Hermes
While the operation is sophisticated, the ransomware’s technical capabilities are relatively low, Check Point found. However, its code has notable similarities to the Hermes ransomware, a malware commonly attributed to the Lazarus Group. Hermes first gained publicity in October 2017 when it was used as part of a sophisticated SWIFT attack against the Far Eastern International Bank (FEIB) in Taiwan.
Code similarities include the fact that Ryuk’s encryption logic resembles that found in the Hermes ransomware, the researchers said.
“Indeed, if we compare the function that encrypts a single file, we see much similarity in its structure,” according to Check Point. “In fact, it seems that the author of Ryuk did not even bother to change the marker in the encrypted files as the code used to generate, place and verify this marker in order to determine if a file was already encrypted are identical in both malwares.”
Also, the firm noted that both whitelist similar folders (e.g. “Ahnlab,” “Microsoft,” “Chrome,” “Mozilla,” “$Recycle.Bin,” etc.); both write a batch script named “window.bat” in the same path; and in both cases there are files dropped to disk (“PUBLIC” and “UNIQUE_ID_DO_NOT_REMOVE”) that are similar in name and purpose.
“This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the Hermes operators, the allegedly North Korean group, or the work of an actor who has obtained the Hermes source code,” researchers noted.
As for how the whitelist is applied, the ransomware performs a standard recursive sweep of every drive and network share on the victim system, and encrypts every file and directory except for those whose path contains a string from the hardcoded whitelist.
“It’s clear why the attackers would want the victim’s web browser intact given that it may be required for reading the ransom note, purchasing cryptocurrency and so on,” researchers noted. “But it is less clear why the attackers are concerned with encrypting the victim’s copy of a South Korean endpoint protection product, especially given that this attack wasn’t even targeted at South Korean users.”
It does make sense, however, if the Hermes ransomware is being re-used and rebranded as “Ryuk” ransomware.
Further, when it comes to the trust model, the original Hermes actually generated the tier-two per-victim RSA keypairs, as opposed to embedding hard-coded copies in the malware samples; however, “the encryption function itself, including the encrypted file format and its associated unique ‘Hermes’ file magic, are reproduced wholesale in the rebranded version.”
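The on-disk indicators the article mentions (the dropped “PUBLIC” and “UNIQUE_ID_DO_NOT_REMOVE” files, the “window.bat” script, and the shared file marker that both families use to recognize already-encrypted files) lend themselves to a simple host triage sweep. The following Python script is an added example for this page, not Check Point’s tooling or code from either malware family; it walks a directory tree, flags files with the artifact names named above, and checks file tails for a marker. The article gives the marker only as the “Hermes” file magic, so the byte string `HERMES` and its placement at the end of the file are assumptions made for the demonstration, as is the constructed sample tree it scans.

```python
"""
Host triage sweep for the Ryuk/Hermes artifacts named in the article.

Added example for this page; not Check Point's tooling and not code from
either malware family. The artifact file names come from the article; the
marker bytes and their tail placement are ASSUMPTIONS for the demo.
"""
import os
import tempfile
from pathlib import Path

# Dropped-file and script names reported in the article.
ARTIFACT_NAMES = {"PUBLIC", "UNIQUE_ID_DO_NOT_REMOVE", "window.bat"}

# ASSUMPTION: marker string and "last 64 bytes" placement chosen for the demo;
# the article only calls it the "Hermes" file magic.
MARKER = b"HERMES"
TAIL_BYTES = 64


def has_marker(path: Path) -> bool:
    """Return True if the file's trailing bytes contain MARKER."""
    try:
        size = path.stat().st_size
        with path.open("rb") as fh:
            fh.seek(max(0, size - TAIL_BYTES))
            return MARKER in fh.read()
    except OSError:
        # Unreadable or vanished file: treat as not marked, keep sweeping.
        return False


def scan_tree(root: Path) -> dict:
    """Recursively sweep root and collect indicators.

    Returns {"artifacts": [...], "marked_files": [...]} with paths relative
    to root (POSIX form), sorted so results compare deterministically.
    """
    artifacts, marked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if name in ARTIFACT_NAMES:
                artifacts.append(rel)
            elif has_marker(p):
                marked.append(rel)
    return {"artifacts": sorted(artifacts), "marked_files": sorted(marked)}


def build_sample_tree() -> Path:
    """Create a constructed sample directory (not real victim data)."""
    root = Path(tempfile.mkdtemp(prefix="ryuk_triage_"))
    docs = root / "users" / "alice" / "docs"
    docs.mkdir(parents=True)
    (docs / "report.docx").write_bytes(b"plain " * 20)            # untouched
    (docs / "budget.xlsx").write_bytes(b"\x00" * 100 + MARKER)    # "encrypted"
    pub = root / "users" / "Public"
    pub.mkdir()
    (pub / "UNIQUE_ID_DO_NOT_REMOVE").write_bytes(b"x" * 16)
    (pub / "PUBLIC").write_bytes(b"-----BEGIN PUBLIC KEY-----")
    (pub / "window.bat").write_text("@echo off\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, hits in scan_tree(sample_root).items():
        print(f"{kind}:")
        for hit in hits:
            print(f"  {hit}")
```

Matching on a bare string in the file tail will produce false positives on legitimate files that happen to contain it, so in practice the marker check should be replaced with the verified file format (exact offset and length) before the sweep is used for triage; the artifact-name check stands on its own and is cheap to run across a fleet.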
Ultimately, both the nature of the attack and the malware’s own inner workings tie Ryuk to the Hermes ransomware.
“[This arouses] curiosity regarding the identity of the group behind it and its connection to the Lazarus Group,” researchers concluded. “We believe that this is not the end of this campaign and that additional organizations are likely to fall victim to Ryuk.”