China Becomes Latest Victim of Bitcoin Ransomware Ryuk; The Malware Caused Havoc In The US
- A particular ransomware strain has already hit more than 100 organizations in the United States.
- The same ransomware is now going after enterprises in China.
Ransomware is malware that, once inside a target's network and computer systems, encrypts the victim's files and demands payment before access is restored.
This strain has hit more than 100 government and private organizations in the United States alone. Lately, however, it has been spreading to other regions as well, most notably China, according to a report from Tencent Security.
The code, known as Ryuk, targets "logistics companies, technology companies, and small municipalities," especially those holding high-value data. In some cases the attackers have demanded upwards of $5 million, payable in Bitcoin, according to the Federal Bureau of Investigation (FBI).
Tribune Publishing was recently the victim of an attack that experts believe to be the work of Ryuk; it disrupted every outlet of the media conglomerate. In Lake City, Florida, officials ended up paying a $460,000 ransom after their computer systems were shut down, only two weeks after Riviera Beach, Florida, paid $600,000 when its own systems were hijacked.
From what experts understand, Ryuk, first observed in August 2018, is a modified version of the Hermes ransomware. Like Hermes, Ryuk is delivered through spam campaigns and botnet infections, and it takes advantage of exposed network ports that have not been secured.
Once it is running, the malware pulls in the additional files it needs for the attack and terminates antivirus processes, which also obscures the infection vector. The FBI has documented at least one case in which the operators instead gained entry by brute-forcing Remote Desktop Protocol (RDP) logons. In a Flash alert, the FBI stated:
“After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded… once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”
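The entry path the FBI describes above, a run of failed RDP logons followed by a successful interactive logon, is something a defender can look for in Windows Security event logs. The following Python script is an added example, not code from the article or from the FBI alert. It runs over a few constructed log lines (the sample below is made up for the example, and the one-line "timestamp key=value" export format is an assumption, not any particular SIEM's output) and flags a source address that racks up repeated failed RDP logons (event 4625, logon type 10) inside a short window, escalating when the same address then logs on successfully (event 4624).

```python
"""Flag RDP brute-force activity in Windows Security event log lines.

Added example, not taken from the article or the FBI Flash alert.  Event IDs
4625 (failed logon) and 4624 (successful logon) and logon type 10
(RemoteInteractive, i.e. RDP) are real Windows values; the one-line
'timestamp key=value ...' export format used below is an assumption made for
this example, and the log lines themselves are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625
EVENT_SUCCESS_LOGON = 4624
LOGON_TYPE_RDP = 10

# Constructed sample: one address hammers the administrator account over RDP
# and eventually gets in; a second address fails once and then logs in
# normally; a local console logon (type 2) is present as noise.
SAMPLE_LOG = """\
2019-07-11T02:14:01 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2019-07-11T02:14:03 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2019-07-11T02:14:05 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=admin
2019-07-11T02:14:07 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=backup
2019-07-11T02:14:09 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2019-07-11T02:14:11 EventID=4625 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2019-07-11T02:14:40 EventID=4624 LogonType=10 IpAddress=203.0.113.45 TargetUserName=administrator
2019-07-11T02:30:00 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2019-07-11T02:31:00 EventID=4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2019-07-11T09:00:00 EventID=4624 LogonType=2 IpAddress=127.0.0.1 TargetUserName=jsmith
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "ip": fields["IpAddress"],
        "user": fields["TargetUserName"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for source addresses with >= threshold failed RDP logons
    inside `window`, plus a higher-severity alert if such an address then
    logs on successfully while the burst is still inside the window."""
    recent_failures = defaultdict(deque)   # source ip -> timestamps of failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != LOGON_TYPE_RDP:
            continue                        # only RDP logons are of interest
        window_q = recent_failures[ev["ip"]]
        while window_q and ev["ts"] - window_q[0] > window:
            window_q.popleft()              # age out failures beyond the window
        if ev["event_id"] == EVENT_FAILED_LOGON:
            window_q.append(ev["ts"])
            if len(window_q) == threshold:  # fire once as the burst crosses the line
                alerts.append({"kind": "rdp_bruteforce", "ip": ev["ip"],
                               "failures": len(window_q), "ts": ev["ts"]})
        elif ev["event_id"] == EVENT_SUCCESS_LOGON and len(window_q) >= threshold:
            alerts.append({"kind": "rdp_bruteforce_success", "ip": ev["ip"],
                           "user": ev["user"], "failures": len(window_q),
                           "ts": ev["ts"]})
            window_q.clear()                # the burst has been accounted for
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

A real deployment would read from the event log or SIEM rather than a string, and would tune the threshold and window to the environment. The pattern worth paging on is the success after the burst: that is the moment the FBI alert describes, when the operator is inside and about to download additional tooling.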
To deliver the ransom demand, the malware drops a file called "RyukReadMe," which opens in the user's web browser. The only information on the page is the attackers' email addresses and the name of the malware, along with a cryptic phrase, "balance of shadow universe," in the bottom right corner.
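The ransom note name in the paragraph above is the most reliable artifact an incident responder can search for, and encrypted documents have a recognizable statistical signature. The Python script below is an added example, not from the article: it walks a directory tree, finds files whose name starts with RyukReadMe, and computes the Shannon entropy of each file's first few kilobytes to estimate how much of each directory has been encrypted. The entropy cut-off, the sample size and the sample directory tree it builds in a temporary folder are all assumptions made for the example.

```python
"""Hunt for Ryuk ransom notes and encrypted-looking files in a directory tree.

Added example, not from the article.  The note file name prefix comes from the
article ("RyukReadMe"); the entropy cut-off, the sample size and the sample
directory tree are assumptions made for this example.
"""
import math
import os
import shutil
import tempfile
from pathlib import Path

NOTE_PREFIX = "RyukReadMe"   # ransom note name reported in the article
ENTROPY_THRESHOLD = 7.5      # bits per byte; assumed cut-off for "looks encrypted"
SAMPLE_BYTES = 4096          # only the head of each file is examined


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path):
    """True if the first SAMPLE_BYTES of the file are near-random.  Compressed
    media and archives also score high, so this is a triage hint, not proof."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root):
    """Walk `root` and report every directory that either contains a ransom
    note or in which at least half of the files look encrypted.  Keys are
    paths relative to `root`."""
    root = Path(root)
    report = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        notes = sorted(f for f in filenames if f.startswith(NOTE_PREFIX))
        others = [f for f in filenames if not f.startswith(NOTE_PREFIX)]
        high = sum(1 for f in others if looks_encrypted(Path(dirpath) / f))
        if notes or (others and high / len(others) >= 0.5):
            rel = Path(dirpath).relative_to(root).as_posix()
            report[rel] = {"notes": notes, "files": len(others), "high_entropy": high}
    return report


def build_sample_tree(root):
    """Constructed sample tree: 'hr' is untouched, 'media' holds one
    legitimately high-entropy file among plain text (a false-positive
    candidate), and 'finance' holds a ransom note plus three files whose
    contents are random bytes, standing in for encrypted documents."""
    root = Path(root)
    text = b"Quarterly report: revenue flat, costs rising, headcount steady.\n" * 30
    (root / "hr").mkdir()
    for name in ("policy.txt", "roster.txt"):
        (root / "hr" / name).write_bytes(text)
    (root / "media").mkdir()
    (root / "media" / "photo.jpg").write_bytes(os.urandom(SAMPLE_BYTES))
    for name in ("caption.txt", "notes.txt"):
        (root / "media" / name).write_bytes(text)
    (root / "finance").mkdir()
    for name in ("ledger.xlsx", "budget.docx", "payroll.csv"):
        (root / "finance" / name).write_bytes(os.urandom(SAMPLE_BYTES))
    # Constructed note body; the real note carries the attackers' e-mail
    # addresses, which are deliberately not reproduced here.
    (root / "finance" / "RyukReadMe.txt").write_bytes(
        b"Ryuk\nbalance of shadow universe\n")


def demo():
    """Build the sample tree in a temp directory, triage it, clean up."""
    root = tempfile.mkdtemp(prefix="ryuk-triage-")
    try:
        build_sample_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for directory, finding in demo().items():
        print(directory, finding)
```

On a real host, point `triage` at the user profile and network share roots rather than the sample tree. The "media" directory in the sample shows why the ratio matters: a single JPEG or archive scores as high entropy on its own, but a directory where every spreadsheet and document is near-random is what an encryption run leaves behind.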
The FBI has tracked Ryuk since 2018, and the code has changed considerably in that time. The variant seen in China runs both a 32-bit and a 64-bit encryption module at the same time, which the FBI takes as a sign that the malware is still being actively developed.
At this point, the number of Chinese enterprises affected is not clear, nor is the total ransom the attackers have demanded. CoinDesk has reached out to Tencent for a statement on the matter, but the company has yet to respond.