Monday, January 20, 2025
HomeComputer SecurityRyuk Ransomware Attack on various Enterprise Network Around the World & Earned...

Ryuk Ransomware Attack on various Enterprise Network Around the World & Earned $640,000

Published on

SIEM as a Service

Follow Us on Google News

Newly spreading Ryuk Ransomware campaign targeting various enterprise network around the globe and encrypting various data in storage, personal computers, and data center.

The attacker made over $640,000 from various victims by demanding 15 BTC to 50 BTC in order to retrieve their files and some of the organization from the U.S and other countries are severely affected by Ryuk Ransomware.

Interestingly, further analysis revealed that the Ryuk Ransomware has used some of the capabilities from HERMES ransomware which is distributed by North Korean APT Lazarus Group.

Researchers believe that Ryuk Ransomware might be another targetted campaign from Lazarus Group or malware author derived HERMES source code.

In this case, Attackers carefully pick the target and it’s intentionally built for small-scale enterprise networks and the attack carried out manually by the attackers.

Ryuk Ransomware Attack Flow

Initially, Ryuk distributed via massive spam campaigns and exploit kits and there is some specific operation such as extensive network mapping, hacking, and credential collection required before each operation.

Attackers using the same encryption logic that found in the HERMES ransomware and the similarities of the logic of the encryption process is almost the same as Ryuk.

Ryuk Ransomware kills more than 40 windows processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names.

Most of the services and processes are belonging to antivirus, database, backup and document editing software.

According to checkpoint Research, code injection technique holds the core functionality used by the ransomware for file encryption. It is started by decrypting a list of API function name strings using a predefined key and an array of the string lengths which is then used to dynamically load the corresponding functions.

Two different samples were discovered and the ransom notes of both versions are very similar that is sent to the victim.

“Longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000).”

Once its complete all the cryptographic primitives, it encrypts every drive and network share on the victim system except the for any file or directory containing text from a hardcoded whitelist, which includes “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”

This for the purpose of the victim’s web browser intact given that it may be required for reading the ransom note, purchasing cryptocurrency and so on.

Attackers using several wallets and victims need to pay the specific wallet that they received within the Ransom notes.

The researcher believes that this Ransomware attacker is completely targetted attack and specifically targeting the enterprise network.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Multiple Azure DevOps Vulnerabilities Let Inject CRLF Queries & Rebind DNS

Researchers uncovered several significant vulnerabilities within Azure DevOps, specifically focusing on potential Server-Side Request...

Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail

Socket’s threat research team has identified a series of malicious npm packages specifically designed...

Hackers Weaponize MSI Packages & PNG Files to Deliver Multi-stage Malware

Researchers have reported a series of sophisticated cyber attacks aimed at organizations in Chinese-speaking...

New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices

Large-scale DDoS attack commands sent from an IoT botnet's C&C server targeting Japan and...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

FunkSec Ransomware Dominating Ransomware Attacks, Compromised 85 Victims In December

FunkSec is a RaaS operator that makes use of artificial intelligence and demonstrates how...

New NonEuclid RAT Evades Antivirus and Encrypts Critical Files

A NonEuclid sophisticated C# Remote Access Trojan (RAT) designed for the.NET Framework 4.8 has...

New Great Morpheus Hacker Group Claims Hacking Into Arrotex Pharmaceuticals And PUS GmbH

A Data Leak Site (DLS) belonging to a new extortion group named Morpheus, which...