Ryuk Ransomware’s Attribution to North Korea Likely Incorrect, Multiple Security Firms Believe
The Ryuk ransomware that emerged in the summer of 2018 is likely not the work of state-sponsored North Korean hackers, security researchers now say.
First detailed in August 2018, the malware was tied to the Hermes ransomware, which was previously associated with Lazarus, a group of hackers notorious for a large number of high-profile attacks, including the attack against the Far Eastern International Bank (FEIB) in Taiwan.
According to new research from FireEye, CrowdStrike, and McAfee, while Ryuk does contain snippets of code previously observed in Hermes, the code similarities are insufficient to conclude that North Korea is responsible for the Ryuk attacks.
The Hermes ransomware, FireEye points out, was “advertised for sale in the underground community at one time,” which suggests other threat actors too might have had access to its code.
FireEye’s security researchers also observed Ryuk being deployed on systems that had been initially infected with the TrickBot malware. The TrickBot operator, which is likely based in Eastern Europe, is believed to be providing the malware to a small number of cybercriminals.
While not all TrickBot infections also deployed Ryuk, those that did showed consistent gtag values in the TrickBot configuration files. The consistency reportedly lies in the propagation method, namely TrickBot’s worming module, which was configured to use those gtag values.
TrickBot distribution and operation on the one hand, and Ryuk deployment on the other, the researchers say, might not be conducted by a common operator or group.
“It is also plausible that Ryuk malware is available to multiple eCrime actors who are also using TrickBot malware, or that at least one TrickBot user is selling access to environments they have compromised to a third party,” FireEye notes.
CrowdStrike’s security researchers, on the other hand, suggest that the eCrime actor named “GRIM SPIDER” is behind Ryuk, and that this group is a cell of the Russia-based criminal enterprise known for operating TrickBot (an actor the security firm refers to as “WIZARD SPIDER”).
Ryuk, CrowdStrike says, is specifically used to target enterprise environments, and its operators apparently “have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98.”
The researchers note that there are indeed code similarities between Ryuk and Hermes, but also point out that Hermes was initially sold on underground forums in 2017. Lazarus did use Hermes in the attack on the Far Eastern International Bank in Taiwan, they say, which suggests the actor either had access to the ransomware’s source code “or a third party compiled and built a new version for them.”
The researchers also observed that the ransomware version used in the attack would not append the exported and encrypted AES key to the end of the encrypted files, making decryption impossible. Thus, the Hermes variant used in the FEIB SWIFT attack appears to have been designed to destroy the victim’s data.
The researchers also point out that Hermes initially emerged on a Russian-speaking forum, which would suggest that, if Hermes was indeed the work of North Korean-linked Lazarus, “nation-state threat actors are selling their services on Russian-speaking forums, which is unlikely.”
McAfee, which analyzed the recent Ryuk cyberattack that disrupted the delivery of several major newspapers in the United States, says that evidence gathered during the investigation suggests that “the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.”
A comparison between Ryuk and Hermes shows that their functionality is largely the same, indicating that “the actors behind Ryuk have access to the Hermes source code,” McAfee notes. The security firm also points out that Hermes was sold as a kit, meaning that the buyer had to do some fine-tuning before distributing the ransomware, and that Ryuk might have emerged from such tuning.
“The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used,” McAfee, which refrained from attributing the ransomware to a specific group, explains.