Ryuk ransomware linked to Emotet and TrickBot trojans; suspicions shift to cyber-criminal group

News by Bradley Barth

Multiple researchers are linking the Ryuk ransomware that disrupted the operations of multiple US newspapers in late 2018 to the Emotet and TrickBot trojans.


The Chicago Tribune building (Pic: Adam Jones/Wikimedia)

Multiple researchers are linking the Ryuk ransomware that disrupted the operations of multiple US newspapers in late 2018 to the Emotet and TrickBot trojans. In so doing, some analysts have now also shifted blame for the attack from North Korean actors to cyber-criminals, possibly from Russia, while others maintain that attribution efforts are premature.

CrowdstrikeFireEyeKryptos Logic and McAfee Labs each reported this week that the 29 December attack against the Tribune Company was part of a greater cyber-criminal scheme that already has collected more than US$ 3.7 million (£2,883,563) by targeting large enterprise-environment organisations with Ryuk.

The ransomware typically arrives as the final stage in a chain of infections that starts with Emotet, which in turn yields TrickBot as a secondary payload. (However, FireEye says some organisations were instead directly infected with TrickBot.) Researchers have confirmed that the actors used phishing emails as an attack vector.

Generally, the attackers do not rely on TrickBot’s capabilities to automatically download Ryuk onto victims’ machines. Instead, they typically lay low at first, entering a latency period that lasts at least several months. Eventually, they manually resume activity, spreading laterally and performing reconnaissance via RDP connections tunneled through reverse-shells as well as via the Empire post-exploitation framework. If and when the victim looks to be a lucrative ransomware target, only then do the attackers strike with Ryuk.

FireEye refers to this operation, which dates back to August 2018, as TEMP.MixMaster, and blames the activity on an actor that Crowdstrike’s Falcon Intelligence unit refers to as Grim Spider. "Ryuk is only used by Grim Spider," the unit asserts in its report.

Grim Spider is a subgroup of Wizard Spider, which Crowdstrike’s Falcon Intelligence unit says is the same group behind TrickBot. "Falcon Intelligence has medium-high confidence that the Grim Spider threat actors are operating out of Russia," the Crowdstrike report states.

The premise that cyber-criminals, potentially operating out of Russia, are actually behind the Ryuk attacks is a change from earlier speculation that the operation was North Korea’s doing. This initial hypothesis was apparently derived from the observation that Ryuk is a modified version of Hermes, a ransomware allegedly used by North Korea’s Lazarus Group as a distraction strategy during a 2017 campaign to steal funds from a Taiwanese bank via the SWIFT banking network.

However, researchers note that the source code behind Hermes has long been available to buyers on the dark web. In fact, McAfee reported observing a Russian-speaking actor offering a Hermes 2.1 ransomware kit on an underground forum as far back as August 2017, prior to the Taiwanese bank incident.

"The most likely hypothesis in the Ryuk case is that of a cyber-crime operation developed from a tool kit offered by a Russian-speaking actor," the McAfee report concludes. "From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used."

And in its own report, Kryptos Logic chimed in: "While there is no evidence suggesting that North Korea isn’t working with Emotet actors, there is also little evidence to support that they are [as opposed to] annoyingly-timed attacks by actors who decided to interrupt the holidays."

FireEye, too, said it found no evidence linking North Korea to the Ryuk attacks.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events