Ryuk Ransomware Attacks Businesses for Bitcoin, May Have North Korea Lazarus Group Ties
Ryuk Ransomware May be Connected to North Korea Lazarus Group
Security company Check Point has exposed the Ryuk ransomware campaign, which in total netted over $640,000 worth of Bitcoin in the last two weeks. According to Check Point, the attack is an especially targeted one:
From the exploitation phase through to the encryption process and up to the ransom demand itself, the carefully operated Ryuk campaign is targeting enterprises that are capable of paying a lot of money in order to get back on track.
The ransomware campaign targets individual businesses in a very specific manner: intrusion leads to network mapping and the mass theft of credentials, which the operators then use to infect systems across the network with the Ryuk encryptor. Once a network is infected, the operators leave one of two ransom notes. The first note is detailed and almost friendly: it advises the victim about its security weaknesses and states that the Bitcoin demand must be met within two weeks or the encrypted files will be deleted.
The note adds that if the demand is ignored, the ransom will increase. Once payment is received, the attackers promise to decrypt the files and advise the business on how to close its security holes. The note reads as follows:
Gentlemen! Your business is at a serious risk. There is a significant hole in the security of your company. You should thank the Lord for being hacked by serious people and not some stupid schoolboys or dangerous punks. The final price depends on how fast you write to us. Every day of delay will cost you additional +0.5BTC. Nothing personal just business.
The second note is more abrupt, but carries the same message. Interestingly, the attack resembles an earlier one: the Hermes ransomware, which was connected to the North Korean hacker group Lazarus.
Several key similarities have led Check Point to conclude that either Ryuk is run by the same group that launched Hermes, or that it is the work of another group that gained access to the Hermes source code.
In any event, Check Point expects more businesses to fall victim to the campaign. As it notes, “After succeeding with infecting and getting paid some $640,000, we believe that this is not the end of this campaign and that additional organizations are likely to fall victim to Ryuk.”