Cybersecurity researchers are doing their best to identify the mastermind behind the Ryuk ransomware, but so far they have had no luck.
It all started with a Ryuk cyberattack that badly affected newspapers owned by Tribune Publishing, including the Chicago Tribune and the Baltimore Sun, as well as the Los Angeles Times. The attack disrupted both the timeliness and the completeness of the printed papers.
At first, the attack was linked to this particular Ryuk campaign and to the Hermes ransomware, a malware family commonly used by the North Korean APT Lazarus Group.
Ryuk is a special kind of ransomware because it is only used in tailored attacks, and its encryption scheme is purposely built for small-scale operations.
For now, no one knows if North Korea is behind the Tribune campaign
To find out who launched the Ryuk campaign, researchers must first look to the past and compare Ryuk’s code with that of the older Hermes ransomware.
Remember: everything can be hacked. To stay clear of cyber threats, we recommend installing antivirus for Windows or antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we also recommend hiring a specialized cybersecurity firm every year to run annual tests on your company’s network; these tests include penetration testing and ethical hacking.
Hermes 2.1 was first used in October 2017, when it hit a Taiwanese bank.
At the time, the bank incident did not receive much attention, but when the North Korean attribution of the recent Ryuk campaign was investigated, researchers found an underground forum on which a Russian-speaking hacker was selling Hermes 2.1.
Malware analysis of the threat showed that the item for sale is, in fact, an ordinary cybercrime kit from which a buyer can build everything needed for a full cyber attack.
Interestingly, while most nation-state hacker groups tend to build and use tooling they developed themselves, as Lazarus typically does, in this case Lazarus probably bought this kit to use as a distraction. That makes sense if you want to create a distraction or plant a false flag.
Given that Hermes 2.1 went on sale long before the bank heist in October 2017, several people could have purchased and altered it, he continues. “We’ve shown that it’s for sale; anyone with skill and money could buy this,” says Fokker. “It opens to a wide variety of potential actors.”
It was also found that Ryuk and Hermes 2.1 are largely the same; in fact, they are almost identical. Change the name of Hermes and implement a different ransom note, and you have Ryuk.
The Hermes 2.1 kit is not a service, which means that whoever buys it still needs to set up a distribution method and infrastructure to make it work.
This means that the attackers first perform reconnaissance on the victim to determine whether it is worth targeting and has the money to pay up, an approach that is less opportunistic and more targeted.
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for cyber attacks. Remember to use antivirus for Windows or antivirus for Mac on every device you own, depending on which OS it runs. If you are a company, we recommend hiring a specialized cybersecurity firm every year to run annual tests on your company’s network; such tests include penetration testing and ethical hacking.