ZDNet Report on Ryuk ‘TrickBot’ Email Trojan Ransomware Shows Its Russian, Nets Nearly $4 Million in Bitcoin

According to Hard Fork, research from cybersecurity analysis teams at McAfee Labs and Crowdstrike point to the infamous Ryuk ransomware hacking as being Russian in origin, and not North Korean as originally was thought.

The Ryuk, so named for a fictional manga and anime character from Death Note where the namesake is a god of death that spreads his own notebooks of death in the human world as an experiment out of boredom, the campaign is ransomware whose exploits over this past Christmas gained its notoriety.

A first shallow analysis of the ransomware showed a similarity in coding to Hermes which originated in North Korea, leading to the assumption that Ryuk was as well. A deeper analysis proved it more likely from Russia, although it appears to be a 2.0 version of the original Hermes ransomware.

Its spread started with a banking Trojan called TrickBot through tens of thousands of emails, slowly traveling to its target- a large enterprise. It’s believed they combed through the original recipients of this email, and then all its following connections, hand selecting pathways until they got to the corporate destination they needed. In this case, US media group Tribune Publishing.

After the target is reached, the hard drives become encrypted, locking important data which can only be released once a ransom is paid in bitcoin. The amount has changed based on the company, suggesting a beforehand knowledge of each company and their assets.

Over the New Year, Tribune publishing had to delay many popular American news publishings from papers such as the Los Angeles Times, The Wall Street Journal, and The New York Times. The renown of these papers is what first drew major attention to the now dubbed group behind it, GRIM SPIDER.

Their origins and purpose are unknown.


“To date, the lowest observed ransom was for 1.7 BTC and the highest was for 99 BTC”, wrote CrowdStrike. “With 52 known transactions spread across 37 BTC addresses (as of this writing), GRIM SPIDER has made 705.80 BTC, which has a current value of $3.7 million (USD). With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more.”

Correction- the value of 705.80 BTC at the time of this article is valued at approximately $2.9 million USD, the original quote was misspoken.

Get Daily Headlines

Enter Best Email to Get Trending Crypto News & Bitcoin Market Updates

What to Know More?

Join Our Telegram Group to Receive Live Updates on The Latest Blockchain & Crypto News From Your Favorite Projects

Join Our Telegram

Stay Up to Date!

Join us on Twitter to Get The Latest Trading Signals, Blockchain News, and Daily Communication with Crypto Users!

Join Our Twitter

Add comment

E-mail is already registered on the site. Please use the Login form or enter another.

You entered an incorrect username or password

Sorry, you must be logged in to post a comment.
Bitcoin Exchange Guide