Ryuk ransomware is a recent threat that has been affecting several big businesses worldwide. It has been estimated that the ransomware has already gathered several US dollars in Bitcoin by infecting targeted organizations and their related infrastructure, such as numerous PCs, data centers and storage media. Security researchers have identified that the technical capabilities of Ryuk are similar to those of HERMES, and it is assumed that it may have been developed directly by Lazarus, the North Korea-based hacker group behind HERMES. Ryuk has been found to target several organizations and demand a ransom ranging from 15 to 50 Bitcoin.
Ryuk ransomware appears to differ from typical ransomware, which relies on extensive spam campaigns and exploit kits to distribute itself systematically. It has been designed to target specific small-scale organizations, and its encryption scheme is built to serve that purpose. The attackers distribute the malware and infect systems manually, so that only the important resources and assets of each targeted network are infected. This process can only be carried out after extensive network mapping, gathering of credentials and breaking into the network have preceded each operation.
Ryuk ransomware has been identified as leaving two ransom notes, one long and the other short, following its attack. The longer one has been crafted to politely inform users about the attack. It states that the attack was carried out to exploit vulnerabilities that were already present, and that affected users should be glad their data has been encrypted by professional cyber criminals who can provide a solution in the form of a decoder that will restore all the files. The note claims that the files have been encrypted with the RSA-4096 and AES-256 algorithms. The ransom amount is not specified, but affected users are urged to contact the threat actors soon to get a quote and the instructions for receiving the decoder, or else the ransom will keep escalating. The note also promises that users will be told how to prevent such attacks in future and will be provided with special software that will not allow the targeted system to be hacked easily. It sets a deadline of two weeks, after which all the files on the system will be deleted. The Bitcoin wallet address appears before the Ryuk signature, with the tagline ‘no system is safe’. The shorter ransom note only states that all files have been encrypted, along with the backup options and shadow copies. It gives the contact details, followed by the wallet address and the same signature.
The similarity between Ryuk and HERMES cannot be mistaken, as they share the same source code. Ryuk follows the same encryption logic as HERMES, and the markers placed within the encrypted files are also the same. Both leave files contained in folders such as ‘Ahnlab’, ‘Microsoft’ and ‘Recycle Bin’ unencrypted. They also share the same path for deleting shadow volume copies and backup files. Ryuk also drops the same files on disk to carry out its operation across the targeted system.
Ryuk achieves persistence by making changes to the Run registry key. It also leaves file directories related to ‘Windows’, ‘Mozilla’ and ‘Chrome’ intact so that users can read the ransom note and browse the Internet to transact in cryptocurrency. The ransomware has been found to route funds through various digital wallets. Based on the attacks carried out by Ryuk, it can be concluded that enterprises that can pay large sums of money are on its target list, and that the number of victims will keep growing.
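Since the article notes that Ryuk persists through the Run registry key, the following is an added defender-side triage example (not code from the original article or from any Ryuk analysis): it parses reg-query style output for the Run keys and flags autostart entries whose executable lives in a user-writable staging location. The registry dump, the value names and the paths are constructed sample data; the set of "user-writable" markers is an assumption for illustration.

```python
import re

# Constructed sample in the layout `reg query <key>` prints; not from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchos      REG_SZ    "C:\Users\Public\svchos.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater     REG_SZ    C:\Program Files\Vendor\updater.exe --quiet
    stage       REG_SZ    C:\Windows\Temp\stage.exe
"""

# Assumed list of locations a standard user can write to; legitimate autostarts rarely live there.
USER_WRITABLE_MARKERS = ("\\users\\public\\", "\\temp\\", "\\programdata\\", "\\downloads\\")

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.+$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.+?)\s*$")


def extract_executable(data: str) -> str:
    """Return the program path from a Run value's data, dropping any arguments."""
    quoted = re.match(r'"([^"]+)"', data)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so cut at the first script/binary extension.
    unquoted = re.match(r"(.+?\.(?:exe|bat|cmd|scr|vbs|js|ps1))(?:\s|$)", data, re.I)
    return unquoted.group(1) if unquoted else data.strip()


def audit_run_keys(reg_output: str) -> list:
    """Parse reg-query text; return (key, value name, exe path, reason) for suspicious entries."""
    findings, current_key = [], None
    for line in reg_output.splitlines():
        if KEY_RE.match(line):
            current_key = line.strip()          # new registry key section
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, _reg_type, data = m.groups()
        exe = extract_executable(data)
        for marker in USER_WRITABLE_MARKERS:
            if marker in exe.lower():
                findings.append((current_key, name, exe, "autostart from user-writable location"))
                break
    return findings


if __name__ == "__main__":
    for key, name, exe, reason in audit_run_keys(SAMPLE_REG_OUTPUT):
        print(f"[!] {key}\\{name} -> {exe} ({reason})")
```

On a live host the same function can be fed the output of `reg query` for the HKCU and HKLM Run keys; entries it flags are candidates for review, not proof of infection.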