Friday, April 12, 2024

Ryuk Ransomware Attack on various Enterprise Network Around the World & Earned $640,000

Newly spreading Ryuk Ransomware campaign targeting various enterprise network around the globe and encrypting various data in storage, personal computers, and data center.

The attacker made over $640,000 from various victims by demanding 15 BTC to 50 BTC in order to retrieve their files and some of the organization from the U.S and other countries are severely affected by Ryuk Ransomware.

Interestingly, further analysis revealed that the Ryuk Ransomware has used some of the capabilities from HERMES ransomware which is distributed by North Korean APT Lazarus Group.

Researchers believe that Ryuk Ransomware might be another targetted campaign from Lazarus Group or malware author derived HERMES source code.

In this case, Attackers carefully pick the target and it’s intentionally built for small-scale enterprise networks and the attack carried out manually by the attackers.

Ryuk Ransomware Attack Flow

Initially, Ryuk distributed via massive spam campaigns and exploit kits and there is some specific operation such as extensive network mapping, hacking, and credential collection required before each operation.

Attackers using the same encryption logic that found in the HERMES ransomware and the similarities of the logic of the encryption process is almost the same as Ryuk.

Ryuk Ransomware kills more than 40 windows processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names.

Most of the services and processes are belonging to antivirus, database, backup and document editing software.

According to checkpoint Research, code injection technique holds the core functionality used by the ransomware for file encryption. It is started by decrypting a list of API function name strings using a predefined key and an array of the string lengths which is then used to dynamically load the corresponding functions.

Two different samples were discovered and the ransom notes of both versions are very similar that is sent to the victim.

“Longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000).”

Once its complete all the cryptographic primitives, it encrypts every drive and network share on the victim system except the for any file or directory containing text from a hardcoded whitelist, which includes “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”

This for the purpose of the victim’s web browser intact given that it may be required for reading the ransom note, purchasing cryptocurrency and so on.

Attackers using several wallets and victims need to pay the specific wallet that they received within the Ransom notes.

The researcher believes that this Ransomware attacker is completely targetted attack and specifically targeting the enterprise network.


Latest articles

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...

Taxi App Vendor Data Leak: 300K Passengers Data Exposed

Around 300,000 taxi passengers' personal information was left exposed on the internet, causing concern...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles