Ryuk Ransomware: A brief look into the ransomware’s origin and its high-profile attacks

  • The group operating Ryuk ransomware has earned over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.
  • Code similarities between Ryuk and Hermes reveal that Ryuk was derived from the Hermes source code.

Ryuk ransomware was first spotted in August 2018 and is distributed via high-profile attacks. Ryuk has only been used to target enterprise environments. The GRIM SPIDER hacker group is believed to be operating the Ryuk ransomware. Since its appearance in August, the group operating it has earned over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.

Ryuk’s capabilities

  • Ryuk ransomware is capable of shutting down over 40 processes and around 180 services, including antivirus, backup, and other programs.
  • The ransomware is also capable of destroying its encryption key and deleting all the shadow copies of the various backup files on a targeted machine.

Similarities between Ryuk and Hermes

Code similarities between Ryuk and Hermes reveal that Ryuk was derived from the Hermes source code and has been under steady development since its first appearance.

A modified version of Hermes, dubbed Ryuk, made an appearance in mid-August 2018. Hermes and Ryuk target files in a similar manner. The similarities between both the ransomware include

  • Both Hermes and Ryuk encrypt files using RSA-2048 and AES-256.
  • Both ransomware stores keys in the executable using the proprietary Microsoft SIMPLEBLOB format.
  • Both encrypts mounted devices and remote hosts.
  • Both use a file marker of HERMES to mark or check if a file has been encrypted.

Differences between Ryuk and Hermes

Unlike Hermes, Ryuk was tailored to target only enterprise environments and some of the modifications include removing anti-analysis checks. The core differences are:

  • Ryuk’s logic that handles file access, and the use of a second, embedded public RSA key.
  • Another significant difference between Hermes and Ryuk is how the encryption keys are created.

The link between Ryuk and TrickBot

Researchers noted Ryuk ransomware to be working with another threat group ‘GRIM SPIDER’ which is behind TrickBot. They tracked a financially-motivated activity ‘TEMP.MixMaster’ which involved attackers using the Ryuk ransomware associated with TrickBot infections. Researchers also observed a malspam campaign distributing Ryuk. It is to be noted that TrickBot is distributed through massive spam campaigns.

Ryuk attacks

In August 2018, Ryuk made its first appearance infecting various organizations across the globe by encrypting hundreds of PCs, storage and data centers in each infected company. At least three global organizations in the US and elsewhere including a medical equipment firm Tim Otis are believed to have been “severely hit” by the ransomware.

In October 2018, a major Canadian restaurant chain, Recipe Unlimited, was hit by Ryuk attack affecting operations at its restaurants including brands Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, and East Side Mario’s. The attackers behind the attack asked the restaurant chain to pay ransom in bitcoin in order to retrieve the data.

In December 2018, several major newspapers in the US including Los Angeles Times, New York Times, Wall Street Journal, were hit by a massive cyberattack, as a result of which printing and distribution of newspapers were delayed. The cybercriminals behind the attack were suspected to have used the Ryuk Ransomware.

Cloud hosting provider suffered a ransomware attack on Christmas Eve. The attackers exploited a compromised login account on Christmas Eve and infected its servers with the Ryuk ransomware. The Ryuk attack on its computers led the company to shut down its network in order to curtail the spread of the infection and to work through the process of restoring infected systems.