Faulty Decryptor Often Shreds Victims’ Data, McAfee and Coveware Warn
Stop me if you’ve heard this one before: A rush to attribute an online attack to nation-state actors was not only hasty but likely inaccurate. Instead, multiple information security researchers say all evidence points not to online espionage teams but financially motivated cybercriminals operating from Eastern Europe.
The incident in question was a late-December 2018 ransomware infection that hit Chicago-based Tribune Publishing, leading to a disruption in printing all of its newspapers, as well as the distribution of west coast editions of The New York Times and The Wall Street Journal (see Suspected Ransomware Outbreak Disrupts US Newspapers).
Various Tribune newspapers, including the Chicago Tribune and Los Angeles Times, reported that the outbreak involved crypto-locking Ryuk ransomware, which appears to be based on Hermes ransomware.
But there’s continued, mounting evidence that multiple cybercrime groups, not nation-states, are behind Ryuk.
Here are 11 notable Ryuk takeaways:
1) Ryuk Attacks Continue
Whoever is using Ryuk to attack organizations isn’t letting up.
“Distribution of Ryuk ransomware has proliferated in the last 90 days,” ransomware incident response firm Coveware CEO Bill Siegel tells Information Security Media Group. “It is quite common for small businesses to be attacked and extorted for small amounts, and very large businesses to be attacked and extorted for larger amounts. Our research with McAfee indicates that its is being distributed by multiple groups.”
But who’s behind the ransomware?
2) Hermes No Smoking Gun
Last August, a report by Check Point Software into Ryuk said it appeared to share code with Hermes ransomware, which may be tied to the North Korean APT Lazarus Group. But Check Point emphasized that the code reuse proved nothing. In addition, it also said that multiple Ryuk ransom notes with different ransom demands suggested that multiple groups might be using the ransomware.
Following the Tribune infection in December 2018, many information security experts cautioned against leaping to any conclusions based on code reuse, saying it proves nothing.
“Code similarities are insufficient to conclude North Korea is behind Ryuk attacks, as the Hermes ransomware kit was also advertised for sale in the underground community at one time,” security firm FireEye cautioned last month.
Nevertheless, in the Tribune ransomware outbreak incident, multiple media outlets referenced Ryuk’s reuse of Hermes code as evidence that the Democratic People’s Republic of Korea had hacked America’s newspapers (see Stop the Presses: Don’t Rush Tribune Ransomware Attribution).
3) Cybercrime Concern
All available evidence, however, shows that DPRK operatives are the least likely suspects behind Ryuk, according to researchers from Coveware and security firm McAfee.
Rather, multiple cybercrime gangs with Anti-Western motivations, operating from Eastern Europe, are the most likely culprits, McAfee’s John Fokker and Alexandre Mundo, and Coveware’s Bill Siegel and Alex Holdtman, say in a blog post.
4) Ryuk Makes Victims Pay
Attackers who wield Ryuk make the biggest ransom demands, on average, compared to almost every other ransomware strain.
Coveware says Ryuk’s ransom demands are 10 times the average, and that for victims who engage with attackers, “some Ryuk ransoms were highly negotiable, while others were not.”
The average opening demand from Ryuk attackers was to be paid $145,000, although victims could often negotiate that down by about 60 percent, to an average of $71,000, Coveware says. But some negotiations – which were typically blunt, involving 10 words or less, and which opened with demands for more than 100 bitcoins ($390,000 or more) – led to no reductions. Coveware says that three businesses that it worked with were forced to close when they could not afford to pay, and had no working backups from which to restore. While the public/private No More Ransom project offers free decryptors for about 100 strains of ransomware, Ryuk is not one of them.
“Because of the extremely high ransom demands, and highly problematic decryption tool, a Ryuk attack can be fatal to a business that is intolerant of downtime, and does not have easily restored backups,” Coveware’s Siegel says.
5) Lucrative Concern
By targeting businesses and demanding sky-high ransoms, it’s no surprise that Ryuk has been raking in bitcoins. Security firm Crowdstrike in January said Ryuk ransoms had netted 705.8 bitcoins across 52 separate transactions, enriching attackers by $3.7 million.
“Ryuk is derived from the source code of Hermes ransomware, but it has been modified to target large enterprises,” Crowdstrike says in its 2019 Global Threat Report, released Tuesday.
CrowdStrike, however, says it believes Ryuk is used solely by one “ecrime” group, which it calls Grim Spider.
6) Multiple Ransom Notes
If the code comes in part from Hermes, the Ryuk ransom note seems to be mostly a cut-and-paste job from the BitPayer ransom note, the McAfee and Coveware researchers say (see Scottish Hospitals Hit by Bitpaymer Ransomware).
This doesn’t mean there’s a link between BitPaymer and Ryuk, but rather shows that cybercriminals will often borrow from others instead of creating something from scratch.
Also, there are at least two Ryuk ransom notes in circulation, suggesting that multiple groups might be using the ransomware.
7) Two Schools of Thought
Indeed, the McAfee and Coveware researchers say there appear to be at least two Ryuk-using groups at work, one of which seeks large windfalls, often demanding 100 bitcoins ($390,000 or more) and never offering a discount, even if it drives a victim to bankruptcy.
In other cases, however, the attackers behind Ryuk seemed “keen to monetize every attack and accept lower amounts to ensure payment,” they write.
“It would appear that Ryuk has [at least] two groups which have closer affinity than we would see in a typical as-a-service-based campaign” – such as GandCrab ransomware – Raj Samani, chief scientist at McAfee, says in a blog post for Help Net Security. But it’s not clear what that might mean – for example, if the groups are connected, co-subscribers or have some other relationship.
Crowdstrike didn’t immediately respond to a request for comment on the assertion that two or more Ryuk-using groups may now be at work.
8) Double-Trouble With TrickBot
More evidence of cybercrime shenanigans: In January, security firm FireEye reported that some Trickbot banking Trojan infections were also installing Ryuk ransomware, meaning that it appeared to be used in attacks with a strong financial motive.
Trickbot, in turn, appeared to be getting dropped by Emotet malware. “Ryuk infections are seldom, if ever, dropped directly by Emotet, security firm Kryptos Logic reported in January. “When the Ryuk module is delivered to a victim, it is done transiently through a Trickbot infection and other tools, not the original Emotet bot.”
9) Post-Soviet Philosophy
Another intriguing finding via McAfee and Coveware is that one Ryuk attacker’s reply during an ongoing negotiation referred to cybercrime attacks against western organizations as à la guerre comme à la guerre – a Machiavellian French phrase from the 17th century that equates to “all is fair in love and war.”
The French phrase features in the collected works of the founder of the Russian Communist Party – aka the Bolsheviks – and later Soviet Union leader Vladimir Lenin. McAfee notes that cybercriminals operating from the former Soviet Republics in Eastern Europe often espouse to find nothing wrong with targeting the capitalist West. “This expression may be a clear indicator of the origin and cultural view of the criminals behind Ryuk,” the McAfee researchers say.
Another clue to attackers’ identity: Crowdstrike in January reported that Ryuk only infects systems provided that “the host language is not Russian, Ukrainian or Belarusian.”
10) More Evidence of Ties to Hermes
McAfee and Coveware say that unlike some other ransomware attackers, Ryuk operators typically will provide a decryptor to victims who pay.
“When victims do pay the exorbitant ransom amount, the criminals will provide a decryptor to unlock their files,” the researchers say. “This decryptor is actually framework that needs to be loaded with a victim’s private RSA key, provided by the criminals, in order to decrypt.” This approach gives criminals a way to ensure the decryptor only works for any given victim, while making it easy for attackers to provision.
During decryption, McAfee says that the decryptor searches for a file marker string – “HERMES” – located in an encrypted file. This fact alone makes it look like “Ryuk is a slightly modified version of [the] Hermes2.1 ransomware kit that is sold online,” they say.
11) Don’t Count on Decryptor
Unfortunately, the decryptor doesn’t always work and may leave files unrecoverable, due to the error-filled code used to create it, the McAfee and Coveware researchers say. For example, the decryption process fails if the decryptor finds a space or a quotation mark in any Windows file path. And when it does work, it doesn’t expunge the .RYUK extension appended to an original file, meaning victims have some labor-intensive file-renaming efforts ahead of them, researchers say.
Coveware says Ryuk decryptors only appear to work 60 percent of the time, compared to the industry average of 95 percent (see Ransomware Victims Who Pay Cough Up $6,733 (on Average)).
“Looking at the decryptor, it is very worrisome to see that the criminals behind Ryuk can get away with such bad programming. It shows a clear lack of empathy towards their victims and the absence of solid coding skills,” the McAfee and Coveware researchers say.
“Victims who do pay the exorbitant ransom demand are far from in the clear,” they add. “The decryptor offered by the criminals has a very high risk of malfunctioning, resulting in permanent damage to their precious files. Victims should always make an exact copy of the encrypted hard disk before trying to use the decryptor.”