Over the past two weeks, a new ransomware campaign has been observed in the wild. Large organizations are at risk of being hit by the new Ryuk ransomware. Security researchers speculate that the new ransomware is tied to previous operations run by a North Korean group called Lazarus, which is believed to be responsible for the attack on Sony Pictures four years ago. The source code of Ryuk is strikingly similar to the code of the Hermes ransomware that was used against the Far Eastern International Bank last year. After analyzing Ryuk’s code and the way it has been used in recent attacks, researchers believe that whoever developed Ryuk was either involved in developing Hermes or had access to its source code.
Common ransomware families spread through mass e-mail spam campaigns. Ryuk, on the other hand, is used against carefully selected targets, usually ones that have the ability to pay the higher ransom demanded by the attackers. The ransomware is designed so that only crucial assets and resources are infected; the attackers then distribute it manually to other targets across the network.
Like many others, the Ryuk ransomware demands payment in Bitcoin. The demands range from 15 to 50 Bitcoins, with the price depending on how important the data is to the target and on its ability to pay the ransom. Check Point’s researchers found that one victim of Ryuk paid $320,000 in Bitcoin, while another paid $224,000.
Both the way they work at their core and the nature of the attacks tie Ryuk to Hermes, raising questions about the identity of the people behind them and their ties to the Lazarus Group. Even though the group has already been paid around $640,000, the spread of the malware is not expected to end there. Many more companies and organizations are at risk, and people need to be extremely careful not to open untrusted links from e-mails, and should consider disabling macros in Office files on Windows.