Experts: Ryuk Ransomware was launched by Russian Cybercriminals, not North Korean Hackers

One of the largest media groups in the United States was hit by the Ryuk ransomware over the recent holiday period. The attack was initially attributed to North Korean state hackers because of the 2017 Hermes ransomware incident, which those hackers had deployed as part of a hacking operation in Taiwan.

Because Ryuk shares code with Hermes, early reporting took it as safe to conclude that the attack came from North Korea. Past reports had it that North Korean state hackers deployed Hermes against banks as a cover to hide the tracks of their intrusions.

However, recent research by several security firms shows that the attack most likely originated with Russian cybercriminals rather than North Korea. This conclusion follows extensive analysis by FireEye, McAfee, CrowdStrike, and Kryptos Logic.

CrowdStrike’s team revealed that the attack was launched by a Russian criminal group it tracks as Grim Spider. The group reportedly acquired a version of the Hermes ransomware from a hacking forum and modified it into what we now know as Ryuk. CrowdStrike further explained that the Ryuk operators (the alleged Grim Spider team) are a subgroup of a larger cybercriminal group, Wizard Spider, which CrowdStrike has been tracking for some time and which is responsible for the TrickBot banking trojan used in the Ryuk attack.

Experts stated that the group operates by infecting hundreds of computers with TrickBot and then selecting the ‘worthy few’ to infect with Ryuk. This is broadly the same targeted method used by the operations behind SamSam and BitPaymer. The differentiating factor is that the Ryuk gang relies on commodity malware such as TrickBot and Emotet for its initial foothold, as opposed to the ‘norm’ of using stolen Remote Desktop Protocol (RDP) credentials or brute-forcing RDP logins. For defenders, the practical consequence is that a TrickBot or Emotet infection on a corporate network should be treated as a possible precursor to a Ryuk deployment rather than as an isolated banking-trojan nuisance. Experts noted that the group has so far walked away from these attacks unscathed. The research attributed 37 Bitcoin addresses to the group, with 52 transactions between them.

According to the report, the Ryuk ransomware group extorted victims at different rates. I guess they weighed the victim’s financial ability before settling on an amount to be paid as ransom. The lowest ransom among the 52 known transactions is 1.7 BTC, and the highest known amount is 99 BTC. In total, the 52 transactions amount to about 705.80 BTC, equivalent to $3,701,893.98 at the BTC price at the time of writing.

Recent events in the ransomware sphere indicate that lone-actor ransomware attacks may be nearing extinction, as most attacks now come from large, organized cybercriminal groups.