Researchers at Crowdstrike, FireEye, Kryptos Logic, and McAfee are all reporting that ransomware known as Ryuk is, in fact, being proliferated by professional hack groups in Russia, and not by North Koreans, ZDNet reports.
According to the outlet:
“The era of individual ransomware operations appears to be ending, with fewer and fewer ransomware strains being developed and distributed by lone hackers. Ransomware is slowly becoming the perquisite of top tier cyber-criminal organizations.” [emphasis added]
Ryuk ransomware was reportedly used over Christmas to disrupt the printing of numerous American newspapers owned and formerly-owned by Tribune Publishing.
According to a December 30th, 2018 ZDNet article about that attack, Ryuk ransomware appears was used to lock up systems and cause procedural interruptions at the papers, resulting in:
“The print editions of the Chicago Tribune, Lake County News-Sun, Post-Tribune, Hartford Courant, Baltimore Sun, Capital Gazette, and Carroll County Times…(being) published Saturday without paid death notices and classified ads, according to the Chicago Tribune, Hartford Courant, and Baltimore Sun.”
“Slimmed down” weekend editions of three other papers also had to be published a day late, presumably because ransomware prevented employees from being able to access needed files.
Ransomware attacks, says ZDNet, are typically distributed via phishing emails containing infectious links.
It is important to note that those attachments are sometimes hidden, and a targeted individual may open an unknown email, because there is no indication it contains an attachment.
The publication claims that these phishing emails are now being issued in a wide swath and indiscriminately, with promising infections followed-up on, after the fact:
“Experts believe TrickBot operators use large spam campaigns to infect tens of thousands of victims, and then they select the infected computers they believe are on the networks of large companies or government organizations and deploy Ryuk to maximize profits.”
Once a system is locked by ransomware, cryptocurrency ransoms are frequently demanded.
Crowdfund Insider reporters, too, may have been recently hit by a phishing attack deployed via hidden attachment.
ZDNet says the phishing emails used to attack the Tribune publications are being widely distributed by a criminal group in Russia called Grim Spider:
“…(which) appears to have bought a version of the Hermes ransomware from a hacking forum, and modified it to their own requirements into what now is known as the Ryuk ransomware.”
North Korea was originally implicated because North Korean hackers once used a version of the Hermes ransomware to execute a ransomware attack on the Far Eastern International Bank in Taiwan in October 2017.
But they are no longer believed responsible for the Christmas hacks on the American newspaper chain.
According to ZDNet:
“Researchers believe North Korean hackers bought the same Hermes ransomware kit from hacking forums, like the Grim Spider group, and deployed it on the bank’s network as a distraction and to cover the tracks of their cyber-heist, and that there is no connection between the Pyongyang regime’s hackers and the Ryuk ransomware strain.”
ZDNet also reports that researchers at Crowdstrike believe, “Grim Spider (the Ryuk ransomware gang) appears to be a sub-division of a larger cyber-criminal operation that they have been tracking as Wizard Spider, which they say is responsible for creating the TrickBot banking trojan.”
According to researchers at Insikt Group, North Korea has used ransomware, cryptocurrency thefts and fraudulent ICOs (initial coin offerings) to fund its regime.
If that is the case, other regimes may be doing so as well, including Russia (linked article does not claim this but does describe some of that country’s cybercrime priorities).
According to Hard Fork, a “cunning scheme” being circulated by Russian-speaking hackers on the Dark Net currently is a “malware-as-a-service” affiliate program that allows participants to collectively deploy and profit off of cryptocurrency ransomware.
Notably, says Hard Fork, “the hackers forbid affiliate partners from targeting a bunch of countries from the former Soviet bloc; the list includes: Armenia, Azerbaijan, Belarus, Estonia, Georgia, Kyrgyzstan, Kazakhstan, Lithuania, Latvia, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan.”