Ryuk Ransomware – Too Early to Predict The Actors

Ryuk, which made its debut in August 2018, is different from other ransomware, not because of its capabilities, but because of the way it infects systems.

According to Kelly Sheridan in her article on InformationWeek. Ryuk was not much active across the globe, only three organizations were hit with Ryuk infections over the course of the first two months of its operations, landing the attackers about $640,000 in ransom for their efforts.

Security researchers linked Ryuk ransomware to a specific attacker. Some suggested North Korea is behind the outbreak, a decision some experts say could be a hasty one.

Last week a cyber attack caused problems for newspapers owned by Tribune Publishing, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times. The issue affected the timeliness and, in some cases, the completeness of printed papers. At the time, people attributed it to Ryuk ransomware.

Some parties, including Check Point Research, connected this to the Hermes ransomware – a kind of malware linked to the North Korean APT Lazarus Group. They say, Ryuk, unlike most ransomware, is only used for tailored attacks and its encryption scheme is purposefully built for small-scale operations.

Nevertheless, “who was behind the Tribune attack? Not, North Korea” said McAfee Labs experts.

Experts looked at past research comparing Ryuk’s code to determine who the mastermind, with older Hermes ransomware. In October 2017, McAfee Labs investigated an attack on a Taiwanese bank and found the malware used was Hermes 2.1.

John Fokker, head of cyber investigations for McAfee Advanced Threat Research, said McAfee didn’t do much digging into the ransomware itself when it was investigating North Korean attribution for the recent Ryuk campaign, they found an Aug. 2017 posting in an underground forum where a Russian-speaking actor was selling Hermes 2.1.

“It looks like a regular cybercrime kit you can buy and perhaps tweak to your liking,” he explains. “If we backtrack to the investigation, there’s a probability Lazarus bought this kit to use as a distraction.”

While most nation-state groups tend to build and use attacks they developed, as Lazarus typically does, it wouldn’t be out of the question for a group to purchase malware that would serve as a diversion. “It makes sense if you want to go for distractions, or want to create a false flag, you might go out and buy something,” Fokker adds, saying it’s a likely hypothesis.

Given Hermes 2.1 bank heist in Oct. 2017, several people could have purchased and altered it, he continues. “We’ve shown that it’s for sale, anyone with skill and money could buy this,” says Fokker. “It opens to a wide variety of potential actors.”

McAfee Labs says Ryuk and Hermes 2.1 are generally equal. “There is a very high overlap,” he continues. “They’re almost identical.” If changing the name, and implementing a ransom note, are both parts of the “fine-tuning” process involved with editing Hermes 2.1 into a slightly different threat, then Ryuk is likely an edited version of it, researchers explain.

Who Did This?

McAfee Labs suggests that Ryuk case is that of a cybercriminal operation developed from a toolkit offered by a Russian-speaking actor. Evidence shows sample similarities, which indicate a toolkit is being used. Researchers don’t currently know who is responsible.

The author and seller of Hermes 2.1 advertise a kit, and whoever bought it would need to set up a distribution method to make it work, McAfee Labs researchers explain in a blog post. The attacker has a skill in targeting- Fokker also predicts

“They’re doing reconnaissance on the victim to find out if the victim is interesting and if they have money to pay up,” he says. “It’s less opportunistic and more targeted. That shows to me a certain level of skill – not necessarily technical skill, but a skill that you can find your victim and select them.” If it’s not North Korea, it could also be a well-organized criminal group.

Fokker also points to general problems with attribution. Its understandable experts want to attribute an attack, he says, but oftentimes the process for doing so is flawed – especially when it comes to linking incidents with state-sponsored actors.

“There is a strong movement toward the ‘who’,” he says. “Everyone wants to figure out who is responsible, but you often don’t have all the pieces to the puzzle.”

McAfee Labs’ approach is to analyze competing hypotheses, researchers say. An investigation involves several views, comparing different pieces of evidence to support each hypothesis, and also finding evidence that falsifies hypotheses. This method ensures the strongest hypothesis is not the one with the most verified evidence, but the one with the least falsifying evidence.