ZDNet Report on Ryuk ‘TrickBot’ Email Trojan Ransomware Shows It’s Russian, Nets Nearly $4 Million in Bitcoin
According to Hard Fork, research from the cybersecurity analysis teams at McAfee Labs and CrowdStrike points to the infamous Ryuk ransomware campaign as being Russian in origin, not North Korean as originally thought.
Ryuk is named after a character in the manga and anime Death Note, a god of death who, out of boredom, drops his own notebooks of death into the human world as an experiment. The ransomware campaign gained its notoriety through its activity over this past Christmas.
A first, shallow analysis of the ransomware showed similarities in its code to Hermes, which had been attributed to North Korea, leading to the assumption that Ryuk was North Korean as well. A deeper analysis found it more likely to be from Russia, although it appears to be a 2.0 version of the original Hermes ransomware.
Its spread starts with a banking Trojan called TrickBot, delivered through tens of thousands of emails, and then moves slowly toward its real target: a large enterprise. The operators are believed to have combed through the original recipients of those emails and then through all of their onward connections, hand-selecting pathways until they reached the corporate destination they needed. In this case, that destination was the US media group Tribune Publishing.
Once the target is reached, its hard drives are encrypted, locking up important data that can be released only after a ransom is paid in bitcoin. The amount demanded has varied from company to company, suggesting prior knowledge of each victim and its assets.
Over the New Year, Tribune Publishing had to delay several popular American newspapers, including the Los Angeles Times, The Wall Street Journal, and The New York Times. The renown of these papers is what first drew major attention to the group behind the campaign, now dubbed GRIM SPIDER.
The group’s origins and purpose are unknown.
“To date, the lowest observed ransom was for 1.7 BTC and the highest was for 99 BTC,” wrote CrowdStrike. “With 52 known transactions spread across 37 BTC addresses (as of this writing), GRIM SPIDER has made 705.80 BTC, which has a current value of $3.7 million (USD). With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more.”
Correction: at the time of this article, 705.80 BTC is worth approximately $2.9 million USD; the dollar figure in the original quote was misstated.