North Korea’s Ryuk Ransomware: the Most Profitable Ransomware in the Last Two Weeks
$640,000 in just two weeks and still counting: that is the estimated total revenue of the Ryuk ransomware, which attacked various enterprise PCs in the last 14 days. Because it bears a strong resemblance to the Hermes ransomware, which originated from the infamous Lazarus Group of North Korea, it is strongly believed that Ryuk is also the creation of the same group.
“Curiously, our research led us to connect the nature of Ryuk’s campaign and some of its inner workings to the HERMES ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks. This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the HERMES operators, the allegedly North Korean group, or the work of an actor who has obtained the HERMES source code,” explained a Check Point representative.
An initial investigation of the Ryuk ransomware’s behavior, processes and modules revealed that it has more similarities to Hermes than differences. Many firms today still lack a dependable and efficient backup system, which makes them attractive targets for ransomware. Ryuk is very demanding and was built with corporations in its crosshairs: it demands that victims pay 15 to 50 Bitcoins in ransom before the malware will decrypt their files.
“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers,” said Check Point.
Ryuk comes with two distinct ransom notes, and which one a victim receives depends on the victim’s capability to pay the ransom. “Longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000),” said Check Point Technology, the security consulting firm that broke the news.
The malware authors deliberately excluded the browser from encryption, so that the victim keeps live access to the Internet and is able to complete the ransom payment. Ryuk also uses different Bitcoin wallets, which makes the money trail harder to track.
“The malware will attempt to write a dummy file to the Windows directory, which would only be allowed with Admin privileges. If the creation of the file failed, it will sleep for a while and attempt the same another five times. If failure persists beyond these attempts, Ryuk will simply terminate. If the file was successfully created, it will write two more files to a subfolder in the Windows directory. The first is a file named ‘PUBLIC’ which contains an RSA Public key, and the second is ‘UNIQUE_ID_DO_NOT_REMOVE’ that contains a hardcoded key. Both are leveraged for the purpose of encryption,” the Check Point representative concluded.
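The file-drop behaviour quoted above is something a defender can look for in endpoint telemetry. The script below is an added example, not code from the article or from Check Point: it parses a constructed, Sysmon-style FileCreate log (the key=value line format, timestamps, process names and the subfolder name `SubDir` are all made up here; only the two file names and the Windows-directory location come from the quoted description), flags creation of files named PUBLIC or UNIQUE_ID_DO_NOT_REMOVE under the Windows directory, correlates the two drops to the same process and folder, and separately flags a process running from a user profile that writes into the Windows directory at all, which matches the "dummy file" privilege probe. The Windows directory is assumed to be `C:\Windows`; real telemetry should resolve `%SystemRoot%` instead.

```python
"""Detection example for the Ryuk key-file drop described by Check Point.
Everything below is constructed for illustration; the log format is not
Sysmon's native schema, just a flattened key=value rendering of it."""
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# File names quoted from the Check Point description of Ryuk's key files.
KEY_FILE_NAMES = {"PUBLIC", "UNIQUE_ID_DO_NOT_REMOVE"}
# Assumption: the Windows directory is C:\Windows. Resolve %SystemRoot%
# on real hosts rather than relying on this literal.
WINDOWS_DIR = "c:\\windows\\"
USER_PROFILE_DIR = "c:\\users\\"

# Constructed sample telemetry (Event ID 11 style FileCreate records).
# Process names, paths and the "SubDir" folder are invented for the example.
SAMPLE_LOG = """\
ts=2018-08-21T10:00:01Z event=FileCreate image=C:\\Windows\\System32\\svchost.exe target=C:\\Windows\\Temp\\cache.tmp
ts=2018-08-21T10:00:02Z event=FileCreate image=C:\\Users\\alice\\Downloads\\invoice.exe target=C:\\Windows\\dummy.txt
ts=2018-08-21T10:00:03Z event=FileCreate image=C:\\Users\\alice\\Downloads\\invoice.exe target=C:\\Windows\\SubDir\\PUBLIC
ts=2018-08-21T10:00:03Z event=FileCreate image=C:\\Users\\alice\\Downloads\\invoice.exe target=C:\\Windows\\SubDir\\UNIQUE_ID_DO_NOT_REMOVE
ts=2018-08-21T10:00:05Z event=FileCreate image=C:\\Program Files\\App\\app.exe target=C:\\Users\\alice\\Documents\\report.docx
"""

# "image" is matched lazily so paths containing spaces still parse; "target"
# is the last field on the line.
_LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) event=(?P<event>\S+) image=(?P<image>.+?) target=(?P<target>.+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return only the FileCreate records from the log text."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r and r["event"] == "FileCreate"]


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive check that a Windows path starts with the given prefix."""
    return path.lower().startswith(prefix)


def find_ryuk_key_files(text: str) -> List[Dict[str, str]]:
    """Flag creation of PUBLIC / UNIQUE_ID_DO_NOT_REMOVE anywhere under C:\\Windows."""
    hits = []
    for rec in parse_log(text):
        name = ntpath.basename(rec["target"]).upper()
        if name in KEY_FILE_NAMES and _under(rec["target"], WINDOWS_DIR):
            hits.append({"ts": rec["ts"], "image": rec["image"],
                         "target": rec["target"], "name": name})
    return hits


def correlate_key_file_drops(text: str) -> List[Tuple[str, str]]:
    """Return (process, folder) pairs where one process dropped BOTH key files
    into the same Windows subfolder: a much stronger signal than either alone."""
    seen = defaultdict(set)
    for hit in find_ryuk_key_files(text):
        seen[(hit["image"], ntpath.dirname(hit["target"]))].add(hit["name"])
    return sorted(key for key, names in seen.items() if names == KEY_FILE_NAMES)


def find_user_profile_writes_to_windows_dir(text: str) -> List[Tuple[str, str]]:
    """Flag any process running from a user profile that creates a file under
    C:\\Windows (covers the dummy-file privilege probe, whatever its name)."""
    return sorted({(r["image"], r["target"]) for r in parse_log(text)
                   if _under(r["image"], USER_PROFILE_DIR)
                   and _under(r["target"], WINDOWS_DIR)})


if __name__ == "__main__":
    for image, folder in correlate_key_file_drops(SAMPLE_LOG):
        print(f"HIGH: both Ryuk key files dropped by {image} in {folder}")
    for image, target in find_user_profile_writes_to_windows_dir(SAMPLE_LOG):
        print(f"MEDIUM: user-profile process {image} wrote {target}")
```

The name-based rule is cheap but brittle (a renamed key file evades it), so the correlation and the user-profile-to-Windows-directory rule are kept separate: the first gives high confidence when it fires, the second catches the privilege probe even if the file names change, at the cost of more triage.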