Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Organizations Hit With North Korea-Linked Ryuk Ransomware

A recent wave of ransomware attacks against organizations around the world have been linked to a notorious North Korean threat actor, security firm Check Point says.

A recent wave of ransomware attacks against organizations around the world have been linked to a notorious North Korean threat actor, security firm Check Point says.

The campaign appears highly targeted, with at least three organizations in the United States and worldwide severely affected. Because some victims decided to pay large ransoms in order to retrieve access to their files, the campaign operators are estimated to have netted over $640,000 to date.

Two ransom note versions were sent to victims, a longer, well-worded one that demanded a payment of 50 Bitcoin (around $320,000), and a shorter, more blunt note, demanding payments between 15-35 BTC (up to $224,000).

Dubbed Ryuk, the ransomware used in these attacks appears connected to Hermes, a piece of file-encrypting malware previously associated with the North Korean threat group Lazarus. Hermes too was used in targeted attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

Thus, Check Point’s security researchers concluded that Lazarus could be responsible for the Ryuk ransomware as well, unless another actor was able to get Hermes’ source code and used it to build their own malware.

As Intezer and McAfee revealed not long ago, however, most North Korean malware can be linked to Lazarus via code reuse.

Ryuk’s encryption scheme, the researchers note, was built specifically for small-scale operations. Thus, not only is the infection carried out manually by the operators, but the malware itself infects only crucial assets and resources on the targeted networks.

The ransomware’s encryption logic resembles that found in Hermes, and the code used to generate, place and verify a marker to determine if a file was already encrypted is identical in both malware families. The function that invokes this routine conducts very similar actions in both cases.

Furthermore, both ransomware families drop to the disk files that resemble in name and purpose, and Check Point notes that such similarity of code “might well be a sign of an underlying identical source code.”

As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransomware also achieves persistence onto the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk, to prevent users from recovering files.

The researchers also note that, from the exploitation phase through to the encryption process and the ransom demand itself, the Ryuk campaign is clearly targeted at organizations that can pay large ransom amounts.

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.

“We were able to spot a connection between these wallets, as funds paid to them were transferred to several key wallets at a certain point. This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware,” Check Point says.

Related: Researchers Say Code Reuse Links North Korea’s Malware

Related: Taiwan Bank Heist Linked to North Korean Hackers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


FBI says a North Korea-linked threat group known as Lazarus and APT38 is behind the $100 million Horizon bridge cryptocurrency heist.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.