Ryuk ransomware has been in the thick of things recently as far as cybersecurity is concerned. The ransomware not only created quite a stir among security researchers, but it also turned out to be quite profitable for its operators. According to security researchers at CrowdStrike and FireEye, Ryuk ransomware amassed a whopping $4 million worth of Bitcoin spread across 52 payments. The numbers are impressive and indicate the colossal damage it has caused to organisations.
Initial confusion about who created the malware has been cleared up by the latest evidence. Earlier, Ryuk was believed to be the work of North Korean state-sponsored hackers, but it now appears that the Russian cybercrime group “Grim Spider” is the chief culprit. This was confirmed on the basis of Internet addresses and occasional language references. Grim Spider seems to have bought a version of the Hermes ransomware from hacking forums. They then modified the ransomware to fit their requirements, which gave rise to Ryuk ransomware.
North Korean hackers had deployed a similar version of the Ryuk malware on the network of Far Eastern International Bank (FIEB). The operators employed a clever tactic to locate large enterprises and later demanded hefty ransoms from them. Unlike routine infection campaigns, Ryuk follows a sequential mode of operation and does not target all possible victims en masse. According to CrowdStrike and FireEye, the operators first infect thousands of systems with a powerful trojan dubbed TrickBot. After identifying systems that belong to large enterprises or government organisations capable of paying hefty sums, they infect those systems with a separate malware, “Ryuk”. Infected computers belonging to smaller organisations, however, are not subjected to the follow-on attack.
The method is similar to that of the SamSam malware, which infected the City of Atlanta's systems and inflicted $30 million in damages. The ransom Ryuk demands depends on the victim and may be anywhere from 1.7 BTC to 99 BTC. The operators keep a close watch on the Bitcoin transactions of the Ryuk-infected systems they have compromised and set their demands accordingly. Gone are the days when lone hackers created trojans and ran individual ransomware operations. The current case reflects a broader picture in which cybercriminals operate as organised groups, inflicting major damage.