Organizations start facing the cruelty of Ryuk ransomware

by Lucia Danes

Ryuk ransomware starts its attacks. Victims are asked to pay a 50 BTC ransom

Several organizations face the cruelty of Ryuk ransomware

First spotted on August 13th, Ryuk ransomware[1] has already managed to attack numerous enterprises and businesses by encrypting entire networks. According to research, at least three companies located in the USA and Germany have suffered the consequences of this ransomware.

Talking about the ransom demanded by the cybercriminals behind this dangerous cyber threat, it ranges from 15 to 50 BTC. No matter how actively cybersecurity experts urge users not to pay, some organizations have paid the demanded price to recover their valuable encrypted documents. The crooks have already gained around $640,000 in revenue from their victims[2].

The relation between Ryuk and other ransomware viruses

IT researchers believe that Ryuk is closely related to the HERMES ransomware[3], which relies on a very similar operating principle. This infamous cryptovirus was spotted for the first time in February 2017 and had been actively attacking various companies worldwide for almost a year. It is known for attacking an international bank in Taiwan and helping its developers steal around $60 million.

This virus used encryption code which is very similar to the one used by Ryuk ransomware. We can conclude that the crook who created Ryuk was well acquainted with HERMES ransomware and reproduced a very similar operating technique. Bearing in mind that the HERMES virus was found to be related to the infamous Lazarus Group, located in North Korea, there is a strong possibility that Ryuk is the work of the same group of cybercriminals.

Nevertheless, it seems that Ryuk is not related to HERMES only and is rather a mixture of two other dangerous viruses. Its ransom note, RyukReadMe.txt, is almost identical to the one used by another infamous ransomware called BitPaymer. This cryptovirus was launched in July 2017. After encrypting users' files, it appended either the .locked or the .LOCK file extension.

A closer look at Ryuk

According to researchers from Check Point[4], Ryuk ransomware was designed to carry out small operations which target only particular resources, and it is spread manually by the cybercriminals. This virus produces two ransom note versions:[5] one is a well-written message with lots of details, urging its victims to pay 50 Bitcoin as the ransom; the other is much shorter and asks for around 15-35 BTC. However, both of these messages have threatened various users and have already generated financial success for the cyber crooks.

Once installed, Ryuk creates a strange-looking file to begin its hazardous activity. Such a file can be placed in different directories depending on the victim's Windows version. If it is Windows XP or Windows 2000, the random file is located in the \Documents and Settings\Default User\ subfolder. Otherwise, the hazardous file is generated in \users\Public\. Nevertheless, the cybercrooks can also drop the malware's files in directories of their own choosing if the automatic creation fails in some way.

After this step is finished, the payload of Ryuk ransomware is launched through the ShellExecuteW call, and the damaging activity begins. Furthermore, Ryuk ransomware can stop numerous processes and interrupt various services by running net stop and taskkill commands. Sadly, it kills processes related to antivirus programs, backups, and other important software.
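As an added illustration (not code from the article or from any vendor), the two behaviours described above, execution out of the drop directories and the net stop / taskkill calls, can be turned into a simple triage over process-creation events. The event format, the service and process names, and the dropped file name are constructed placeholders, because the article does not give the real ones.

```python
import re

# Drop directories quoted in the article: Windows XP/2000 and newer versions.
DROP_DIRS = ("\\documents and settings\\default user\\", "\\users\\public\\")

# Commands the article says Ryuk runs to stop services and kill processes.
# Matches "net stop ..." / "net1 stop ..." and "taskkill ..." with or without
# a full path to the binary (case-insensitive).
NET_STOP = re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+stop\b", re.IGNORECASE)
TASKKILL = re.compile(r"(?:^|\\)taskkill(?:\.exe)?\s", re.IGNORECASE)


def triage(image, cmdline):
    """Return the article's Ryuk-like behaviours seen in one process event."""
    hits = []
    if any(d in image.lower() for d in DROP_DIRS):
        hits.append("exec-from-drop-dir")
    if NET_STOP.search(cmdline):
        hits.append("net-stop")
    if TASKKILL.search(cmdline):
        hits.append("taskkill")
    return hits


def scan(lines):
    """Parse 'image|command line' events; return (line_no, image, hits)."""
    findings = []
    for n, line in enumerate(lines, 1):
        image, _, cmdline = line.partition("|")
        hits = triage(image.strip(), cmdline.strip())
        if hits:
            findings.append((n, image.strip(), hits))
    return findings


# Constructed sample events (assumed 'image|command line' form, not real logs).
SAMPLE = [
    "C:\\Windows\\explorer.exe|C:\\Windows\\explorer.exe",
    "C:\\users\\Public\\ahZfq.exe|C:\\users\\Public\\ahZfq.exe",
    "C:\\Windows\\System32\\net.exe|net stop ExampleBackupSvc",
    "C:\\Windows\\System32\\taskkill.exe|taskkill /IM ExampleAV.exe /F",
    "C:\\Documents and Settings\\Default User\\ahZfq.exe|ahZfq.exe",
    "C:\\Program Files\\Tool\\tool.exe|tool.exe --network stop",
]

if __name__ == "__main__":
    for line_no, image, hits in scan(SAMPLE):
        print(f"line {line_no}: {image} -> {', '.join(hits)}")
```

A single net stop or taskkill is not proof of Ryuk; the value is in correlating these hits with the drop-directory execution on the same host within a short window.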

This dangerous virus uses the AES and RSA algorithms to encrypt important data. All secret keys are stored on remote servers and remain within reach only of the cybercrooks, who use these ciphers to lock up various documents.

To conclude

Nowadays, numerous ransomware attacks are launched frequently. Some of them target various organizations worldwide, while others affect regular users. Even if you do not run a big company, you can still get infected by ransomware if you use a PC or laptop. You should apply all possible prevention methods to keep your computer and valuable documents safe.

Talking about files, you should store copies on an external device such as a USB drive. This way you will prevent file corruption and avoid data loss in the future. Furthermore, you should get a strong antivirus program and run a full system scan on your computer regularly. Make sure you install a trustworthy security tool and perform the recommended updates once in a while.

About the author

Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
