Research Suggests Russian-Based Hackers Behind Ryuk Ransomware's $2.5 Million Gains

Published by Cointele

A recent spate of ransomware attacks estimated to have earned hackers 705.08 Bitcoin likely came from Russian cybercriminals, not North Korean state-sponsored actors as initially thought.

Hard Fork cites evidence from cybersecurity research teams McAfee Labs and Crowdstrike, which have analyzed the strategies used in developing and disseminating the Ryuk ransomware strain, and concluded that the identity and motivations of its masterminds have most likely until now been misreported.

The Ryuk campaign notably attracted wide attention following its targeting of major United States media group Tribune Publishing over Christmas.

As McAfee notes, Ryuk is a fictional manga character who spreads lethal death notes as an evil distraction from his own boredom - an analogy for the ransom notes reported to have accompanied Ryuk once the ransomware had encrypted victims' drives.

Ryuk was reportedly initially spread via a banking Trojan dubbed TrickBot, which was concealed in email spam sent to tens of thousands of victims, with the attackers then reported to have graduated to targeting select larger enterprises.

The allegedly mistaken attribution to North Korea appears to have been spurred by code similarities between Ryuk and Hermes, a ransomware that was previously alleged to have been used by North Korean state actors as a diversion to distract from a compromise of the SWIFT network of the Far Eastern International Bank in Taiwan.

Crowdstrike and others argue that Ryuk is likely a modified version of Hermes 2.1, which was available as a commodity malware kit for sale on underground forums.

"With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more."

Crowdstrike further claims that GRIM SPIDER is a cell of e-criminals that forms part of the larger threat group WIZARD SPIDER, identified as the Russia-based operator of the TrickBot banking malware.

In a report published last October, cybercrime firm Group-IB identified the allegedly North Korean state-sponsored hacker group Lazarus as responsible for $571 million of the $882 million total in cryptocurrencies stolen from online exchanges between 2017 and 2018.
