Does Ryuk herald the return of the ransomware threat?

News by Davey Winder

Ransomware didn't go away, it just reduced in favour of cryptomining; Ryuk's encryption scheme built for highly targeted operations enables cyber-criminals to continue to make money from this form of attack.

Researchers at Checkpoint have been tracking a new, and seemingly very successful, ransomware campaign over the last couple of weeks. Ryuk has so far encrypted hundreds of storage and data centres within enterprises across the globe and netted a none-too-shabby ransomware pot north of half a million dollars in that time.

According to the Checkpoint researchers, although the actual technical capability of Ryuk remains at the relatively simplistic level, it was enough to "severely hit" a handful of organisations; some of which were prepared to pay "an exceptionally large ransom in order to retrieve their files."

These attacks appear to have been highly targeted in nature, and there are suggestions that it might be linked to the HERMES ransomware that has previously been attributed to the North Korean 'Lazarus' group of APT actors. Current thinking is that Ryuk is either being operated by Lazarus itself, or another unknown actor that has managed to get hold of the HERMES source code.

In stark contrast to the likes of WannaCry and NotPetya, the last really big ransomware related attacks to hit the mainstream media headlines, Ryuk features an encryption scheme specifically built for highly targeted operations.

Typical of an APT campaign, the attackers will have needed to perform extensive surveillance prior to launch. Network mapping and credential collection would be required before Ryuk could be let loose, and then it seems that the infection of specific crucial assets has only been possibly with manual distribution of the malware. Hence the notion that the experienced and well-informed hand of Lazarus could be behind the campaign.

The fact that Ryuk has not been widely distributed also ties into this theory, along with every malware sample having a unique wallet for ransom payments. If a payment is made, this is then "divided and transmitted through multiple other accounts" according to Checkpoint, making it harder to follow the money trail back to the threat actors.

Although the death of ransomware has been bandied about since the WannaCry/NotPetya attacks, has this actually really been the case and is Ryuk proof of this or the start of the return of ransomware?

Kaspersky Lab UK has seen what principal security researcher, David Emm, calls "a dramatic decrease in the number of ransomware attacks in the last year." He points to data collected by the Kaspersky Security Network that shows the total number of customers who encountered ransomware fell by nearly 30 percent, from 2,581,026 in 2016-17 to 811,937 in 2017-18. Which isn't to say that ransomware is no longer a threat to business. "Since the ransom demands from targeted companies are typically higher than they are from random, speculative attacks" Emm says "it’s possible for cyber-criminals to continue to make money from this form of attack."

But nor does it mean that this is the return of ransomware as such, says Radware security researcher Daniel Smith, mainly because "ransomware technically never went away, it just fell in favour of cryptomining." Just as with cryptomining, Ryuk has been operating low and slow as a successful campaign is a quiet one. "By targeting select organisations" Smith told SC Media UK "they are able to keep a low profile and continue running the campaign for some time before being publicly exposed."

In other words, ransomware hasn’t died but has instead become more sophisticated. "The trend in targeted ransomware attacks such as SamSam, BitPaymer and Dharma is increasing" says Peter Mackenzie, global malware escalations manager at Sophos "and the damaged caused to victims is much greater than the typical fire and forget ransomware such as GandCrab." Mackenzie also points out that SamSam has made more than £4.7 million during the last 30 months, and BitPaymer US$ 1 million (£0.77 million) in the last month alone.

So, what should the enterprise be doing ensure it is ahead of the curve when it comes to mitigating the risk of the evolving ransomware threat? "Businesses need to counterbalance ransomware speed as an advantage" advises Carl Leonard, principal security analyst at Forcepoint who continues, "that means developing ways of responding to ransomware from the onset through protections that prevent infections."

As well as a good patching strategy, Leonard recommends enterprises have a plan in place for observing risks and behaviours. "They should have a programme of education, training and awareness" he told SC Media UK "and multi-layered cyber-security products that defend against the entire threat life cycle."

Raj Samani, chief scientist at McAfee, also points out that we shouldn't forget the part that increased collaboration amongst law enforcement and cyber-security vendors can have. "We see criminals collaborating, sharing tools and working together to unleash attacks and make them as lucrative as possible" Samani says, concluding, "by sharing threat intelligence and working in harmony on initiatives like NoMoreRansom, we are in a stronger position to anticipate attacks, identify cyber-trends and stay one step ahead..."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews