In the wake of the Ryuk ransomware attack on the Tribune Publishing Company last month, security researchers are warning the threat to enterprises may be growing.
In a research post published last week, threat detection vendor CrowdStrike in Sunnyvale, Calif., reported that Ryuk ransomware has accumulated more than $3.7 million in cryptocurrency payments since it first appeared in August. The research also noted that Ryuk has been used exclusively by a cybercrime threat group known as Grim Spider to target enterprises rather than individual users.
CrowdStrike security researcher Alexander Hanel, who authored the research post, said a modular malware called TrickBot has been used in many of the Ryuk attacks. “CrowdStrike has conducted multiple incident response (IR) engagements responding to Ryuk infections in which TrickBot was also identified on hosts in the victim environment,” Hanel wrote in the research post.
According to CrowdStrike’s research, Grim Spider uses malware called TrickBot — delivered via spam emails or through the Emotet malware downloader — for the initial infection of the enterprise. From there, threat actors use PowerShell scripts to disguise their activity and lateral movement while they disable backups and infect individual systems with the Ryuk ransomware.
Cybersecurity vendor FireEye also published research on Ryuk last week and noted a similar increase in observed attacks using TrickBot.
“These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly successful at soliciting large ransom payments from victim organizations,” the research team wrote. “FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due the success these intrusion operators have had in extorting large sums from victim organizations.”
Adam Meyers, vice president of threat intelligence at CrowdStrike, said the Ryuk attacks are part of what the vendor calls “big game hunting” where cybercrime groups like Grim Spider target large enterprises in order to generatae bigger ransom payments.
“In cases like this, the ransomware is deployed across the organization to maximize revenue,” he said.
Ryuk attribution comes into focus
Both CrowdStrike and FireEye challenged previous reports that attributed Ryuk ransomware to North Korea.
“Notably, while there have been numerous reports attributing Ryuk malware to North Korea, FireEye has not found evidence of this during our investigations,” FireEye researchers wrote.
CrowdStrike went a step further; Hanel wrote the vendor’s threat intelligence team “has medium-high confidence that the Grim Spider threat actors are operating out of Russia.” The assessment is partially based on CrowdStrike’s forensic investigation of the malware, which recovered artifacts with filenames in Russian, as well as other activity observed during incident response investigations.
Ryuk’s alleged connection to North Korea was cited in some media reports following the ransomware attack on Tribune Publishing. The basis of those reports was research from Check Point Software Technologies, which discovered Ryuk in August and noted its similarities to the Hermes ransomware. Although Hermes has been attributed to North Korean nation-state hackers known as the Lazarus Group, Check Point did not attribute Ryuk to the Lazarus Group and said other threat actors could have obtained the Hermes source code.
Cybersecurity vendor McAfee also published research last week that challenged the reports implicating North Korea in the Ryuk attacks. Based on technical evidence and dark web activity, McAfee researchers said it was likely that Russian-speaking cybercriminals, not nation-state hackers, were behind Ryuk.
Meyers said he wasn’t surprised to see reports blaming North Korea running rampant. “We’ve been telling people that Ryuk isn’t from North Korea for some time now,” he said. “A lot of times security companies will put something out, and nobody goes back and checks what it said, so it becomes gospel.”