Ryuk Ransomware Gang Probably Russian, Not North Korean

The Ryuk ransomware is most likely the creation of Russian financially-motivated cyber-criminals, and not North Korean state-sponsored hackers, according to reports published this week by four cyber-security firms: CrowdStrike, FireEye, Kryptos Logic, and McAfee.

The four companies published their reports this week after several news outlets incorrectly attributed a Ryuk ransomware infection at a major US news media group, which took place over the Christmas holiday, to North Korean hackers.

The available evidence instead suggests that the ransomware was created by a criminal group that CrowdStrike tracks as Grim Spider, which appears to have bought a version of the Hermes ransomware on a hacking forum and modified it for its own needs into the strain now known as Ryuk.

The confusion comes from the fact that North Korean state hackers deployed a version of the Hermes ransomware on the network of the Far Eastern International Bank (FEIB) in Taiwan after carrying out a hack in October 2017.

Researchers believe the North Korean hackers bought the same Hermes ransomware kit from hacking forums, just as the Grim Spider group did, and deployed it on the bank's network as a distraction and to cover the tracks of their cyber-heist. Sharing a commercially available code base is the only link: there is no connection between the Pyongyang regime's hackers and the Ryuk ransomware strain.

Instead, CrowdStrike says Grim Spider (the Ryuk ransomware gang) appears to be a sub-division of a larger cyber-criminal operation it has been tracking as Wizard Spider, the group CrowdStrike holds responsible for creating the TrickBot banking trojan.

CrowdStrike, Kryptos Logic, and FireEye say that multiple Ryuk ransomware victims were first infected with the TrickBot malware before the ransomware was deployed on their systems.

Experts believe TrickBot operators use large spam campaigns to infect tens of thousands of victims, then pick out the infected computers they believe sit on the networks of large companies or government organizations and deploy Ryuk there to maximize profits.

In a second scenario, CrowdStrike and Kryptos Logic say they have seen the TrickBot group renting installs from the authors of the Emotet malware, using those installs to deploy TrickBot, and later again selecting the biggest fish for Ryuk ransomware infections.

[Image: Ryuk ransomware infection steps. Source: Kryptos Logic]

A ransomware group selecting high-profile targets for extortion is not a novel technique. Before Ryuk, the operators of the SamSam and BitPaymer ransomware strains did the same.

The difference lies in the initial foothold: SamSam and BitPaymer operators appear to have relied on brute-force attacks or compromised credentials for companies' RDP (Remote Desktop Protocol) endpoints, while the Ryuk team gets inside a company through commodity malware such as TrickBot and Emotet.

And business has been booming, according to CrowdStrike's team.

"Since Ryuk's appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD," researchers said.

After observing transactions to known Ryuk Bitcoin addresses, researchers said that ransom demands vary significantly. In their view, this suggests that Ryuk operators are scouting victims' networks and setting a different ransom fee for each victim.

"With 52 known transactions spread across 37 BTC addresses [...] to date, the lowest observed ransom was for 1.7 BTC and the highest was for 99 BTC," CrowdStrike said.

The era of individual ransomware operations appears to be ending, with fewer and fewer ransomware strains being developed and distributed by lone hackers. Ransomware is slowly becoming the preserve of top-tier cyber-criminal organizations.
