The attacker made over $640,000 from various victims by demanding 15 BTC to 50 BTC in order to retrieve their files and some of the organization from the U.S and other countries are severely affected by Ryuk Ransomware.
Researchers believe that Ryuk Ransomware might be another targetted campaign from Lazarus Group or malware author derived HERMES source code.
In this case, Attackers carefully pick the target and it’s intentionally built for small-scale enterprise networks and the attack carried out manually by the attackers.
Ryuk Ransomware Attack Flow
Initially, Ryuk distributed via massive spam campaigns and exploit kits and there is some specific operation such as extensive network mapping, hacking, and credential collection required before each operation.
Attackers using the same encryption logic that found in the HERMES ransomware and the similarities of the logic of the encryption process is almost the same as Ryuk.
Ryuk Ransomware kills more than 40 windows processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names.
Most of the services and processes are belonging to antivirus, database, backup and document editing software.
According to checkpoint Research, code injection technique holds the core functionality used by the ransomware for file encryption. It is started by decrypting a list of API function name strings using a predefined key and an array of the string lengths which is then used to dynamically load the corresponding functions.
Two different samples were discovered and the ransom notes of both versions are very similar that is sent to the victim.
“Longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000).”
Once its complete all the cryptographic primitives, it encrypts every drive and network share on the victim system except the for any file or directory containing text from a hardcoded whitelist, which includes “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”
This for the purpose of the victim’s web browser intact given that it may be required for reading the ransom note, purchasing cryptocurrency and so on.
Attackers using several wallets and victims need to pay the specific wallet that they received within the Ransom notes.
The researcher believes that this Ransomware attacker is completely targetted attack and specifically targeting the enterprise network.