
Was North Korea Wrongly Accused of Ransomware Attacks?

Ryuk Ransomware’s Attribution to North Korea Likely Incorrect, Multiple Security Firms Believe

The Ryuk ransomware that emerged in the summer of 2018 is likely not the work of state-sponsored North Korean hackers, security researchers now say.

First detailed in August 2018, the malware was tied to the Hermes ransomware, which was previously associated with Lazarus, a group of hackers notorious for a large number of high-profile attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.

According to new research from FireEye, CrowdStrike, and McAfee, while Ryuk indeed features snippets of code previously observed in Hermes, the code similarities are insufficient to conclude that North Korea is indeed responsible for the Ryuk attacks.

The Hermes ransomware, FireEye points out, was “advertised for sale in the underground community at one time,” which suggests other threat actors too might have had access to its code. 

FireEye’s security researchers also observed Ryuk being deployed on systems that had been initially infected with the TrickBot malware. The TrickBot operator, which is likely based in Eastern Europe, is believed to be providing the malware to a small number of cybercriminals. 

Not every TrickBot infection led to a Ryuk deployment, but the infections that did shared consistent gtag values (TrickBot's campaign identifiers) in their configuration files. The consistency lay in the propagation method: TrickBot's worming module, which was configured to use those gtag values.
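The pivot the researchers describe, grouping TrickBot infections by gtag and asking which tags were consistently followed by Ryuk, is the kind of analysis a responder can reproduce from extracted TrickBot configs and host triage. The following is an added example, not code from FireEye or any of the firms quoted; the hostnames, gtag values and the `ryuk_deployed` flags are constructed for illustration and do not correspond to any real campaign.

```python
from collections import defaultdict

# Constructed sample: one record per TrickBot-infected host, as a responder
# might assemble them from extracted TrickBot config files plus host triage.
# Hostnames and gtag values are made up for this example.
INFECTIONS = [
    {"host": "ws-01", "gtag": "tag-alpha", "ryuk_deployed": True},
    {"host": "ws-02", "gtag": "tag-alpha", "ryuk_deployed": True},
    {"host": "srv-03", "gtag": "tag-alpha", "ryuk_deployed": True},
    {"host": "ws-04", "gtag": "tag-bravo", "ryuk_deployed": False},
    {"host": "ws-05", "gtag": "tag-bravo", "ryuk_deployed": False},
    {"host": "ws-06", "gtag": "tag-charlie", "ryuk_deployed": True},
    {"host": "ws-07", "gtag": "tag-charlie", "ryuk_deployed": False},
]

# Constructed: newly discovered TrickBot infections whose outcome is not yet known.
NEW_SIGHTINGS = [
    {"host": "ws-10", "gtag": "tag-alpha"},
    {"host": "ws-11", "gtag": "tag-bravo"},
    {"host": "ws-12", "gtag": "tag-delta"},  # gtag never seen in the history
]


def gtag_pivot(records):
    """Group infections by gtag; return {gtag: (ryuk_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r["gtag"]][1] += 1
        if r["ryuk_deployed"]:
            counts[r["gtag"]][0] += 1
    return {tag: tuple(v) for tag, v in counts.items()}


def classify_gtags(records, min_hosts=2):
    """Label each gtag by how consistently it was followed by Ryuk.

    'consistent'  : every observed host with this gtag got Ryuk, and at least
                    min_hosts hosts were seen, so it is not a one-off
    'none'        : no host with this gtag got Ryuk
    'mixed'       : some did, some did not
    'insufficient': fewer than min_hosts observations, no conclusion drawn
    """
    result = {}
    for tag, (ryuk, total) in gtag_pivot(records).items():
        if total < min_hosts:
            result[tag] = "insufficient"
        elif ryuk == total:
            result[tag] = "consistent"
        elif ryuk == 0:
            result[tag] = "none"
        else:
            result[tag] = "mixed"
    return result


def prioritize(new_sightings, history):
    """Order new TrickBot sightings for containment: hosts carrying a gtag that
    has consistently preceded Ryuk elsewhere come first, then mixed tags, then
    tags with too little history, then tags never followed by Ryuk."""
    labels = classify_gtags(history)
    rank = {"consistent": 0, "mixed": 1, "insufficient": 2, "none": 3}
    ordered = sorted(new_sightings,
                     key=lambda s: rank[labels.get(s["gtag"], "insufficient")])
    return [s["host"] for s in ordered]


if __name__ == "__main__":
    for tag, label in sorted(classify_gtags(INFECTIONS).items()):
        print(f"{tag}: {label}")
    print("contain first:", prioritize(NEW_SIGHTINGS, INFECTIONS))
```

The `min_hosts` threshold matters: a single host with a given gtag that went on to get Ryuk says little about the tag, so the classifier refuses to call it consistent until the pattern repeats. Note that, as the article goes on to say, a consistent gtag-to-Ryuk pattern is evidence of a shared distribution channel, not proof that one operator runs both TrickBot and Ryuk.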

TrickBot distribution and operation on the one hand, and Ryuk deployment on the other, the researchers say, might not be conducted by the same operator or group.

“It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party,” FireEye notes. 

CrowdStrike’s security researchers, on the other hand, suggest that the eCrime actor named “GRIM SPIDER” is behind Ryuk, and that this group is a cell of the Russia-based criminal enterprise known for operating TrickBot (an actor the security firm refers to as “WIZARD SPIDER”). 

Ryuk, CrowdStrike says, is specifically used to target enterprise environments, and its operators apparently “have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98.”

The researchers note that there are indeed code similarities between Ryuk and Hermes, but also point out that Hermes was initially being sold on underground forums in 2017. Lazarus did use Hermes in the attack on the Far Eastern International Bank in Taiwan, they say, which suggests the actor had access to the ransomware’s source code, “or a third party compiled and built a new version for them.”

The researchers also observed that the ransomware version used in that attack did not append the exported, encrypted AES file key to the end of each encrypted file, so the files could not be decrypted even by someone holding the matching private key. Thus, the Hermes variant used in the FEIB SWIFT attack appears to have been designed to destroy the victim’s data rather than to extort payment for it.

The researchers also point out that Hermes initially emerged on a Russian-speaking forum, which would suggest that, if Hermes was indeed the work of North Korean-linked Lazarus, “nation-state threat actors are selling their services on Russian-speaking forums, which is unlikely.”

McAfee, which analyzed the recent Ryuk cyberattack that disrupted the delivery of several major newspapers in the United States, says that evidence gathered during the investigation suggests that “the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.”

A comparison between Ryuk and Hermes shows that their functionality is largely equivalent, indicating that “the actors behind Ryuk have access to the Hermes source code,” McAfee notes. The security firm also points out that Hermes was being sold as a kit, meaning that the buyer had to do some fine-tuning before distributing the ransomware, and that Ryuk might have emerged following such tuning.

“The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used,” McAfee, which refrained from attributing the ransomware to a specific group, explains. 

Related: Ransomware Attack Against Hosting Provider Confirms MSPs Are Prime Targets

Related: Ryuk Ransomware Suspected in U.S. Newspaper Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
