Ruthless Ryuk Ransomware Gang Is Especially Troublesome
Since 2018, a highly organized gang of hackers, generally believed to be located in Eastern Europe, has been wreaking havoc on health care systems and other industries on a truly industrial scale. The hackers call their ransomware Ryuk, which is pronounced ree-yook.
Ryuk is a newer variant of the Hermes ransomware and has ranked among the most active ransomware families since 2018, responsible for attacks on hospitals, businesses and government institutions.
The hackers typically use open-source tools and manual hacking techniques to move through private networks. They work to gain administrative access to a variety of systems before encrypting important files. Once those files are encrypted, they cannot be read until the Ryuk operators remove the encryption, and that requires a hefty ransom, with demands totaling millions of dollars.
Russians Are Tied to Ryuk Origins
When the Ryuk ransomware first appeared in late 2017, most people thought it was coming from North Korea. That is because the Lazarus Group, which is backed by the North Korean government, had used the Hermes ransomware to attack the Far Eastern National Bank in Taiwan.
Because Ryuk is an improved version of Hermes, it was initially assumed to be the work of North Korean hackers.
The belief that North Korea was behind Ryuk persisted for about a year before industry analysts determined that it is not North Korean. Instead, most experts now believe Ryuk is the work of a Russian cybercriminal organization. Some suggest Russia is enabling the group to launder the significant sums that victim organizations have paid in ransom.
Some cybersecurity firms refer to the Russian-speaking hackers as Wizard Spider, the group that also operates the TrickBot Trojan. Others suggest the Ryuk gang could be the same people who created the Hermes ransomware and sold it to the North Korean hackers and others. Rather than selling Ryuk as well, the group may have developed the improved version of Hermes for its own use.
High Ransoms Are Demanded and Paid
The Ryuk hackers often demand higher ransoms from their victims than most other criminal hackers. Ryuk often demands that its victims pay up to 50 bitcoins, which was worth about $500,000, but it has demanded single ransoms totaling millions of dollars.
The Ryuk attackers usually target victims with high levels of assets, a practice the security industry refers to as “big game hunting.” Some victims have told the gang that they do not have the money to pay the ransom. The attackers often respond to such claims by producing stolen financial information and telling the victim that they know it has the money to pay.
The FBI’s Global Operations and Targeting Unit says organizations paid more than $144 million worth of bitcoin to various ransomware outfits from 2013 through 2019. The most active and largest-grossing ransomware group is the Ryuk gang, which took in $61.26 million, triple the amount of the next-highest ransomware group.
Considering that Ryuk did not become active until the end of 2017, the sum is staggering. It shows how aggressively the Ryuk gang has targeted individuals and organizations during its relatively short existence. Those who have dealt with the group say it communicates in Russian and makes only very short, terse demands of its victims.
TrickBot Often Leads to a Ryuk Attack
A Ryuk ransomware attack usually begins with TrickBot, which distributes the ransomware. When the infection arrives via TrickBot, the Ryuk attack usually follows several weeks later. Some Ryuk attacks have occurred without TrickBot, however, so TrickBot is not the gang's only route into a victim.
The Ryuk gang likely uses the weeks after a TrickBot infection it initiated to research the potential victim. Once that research is complete, the operators manually explore the network, looking for ways to reach as much of it as possible. That is what makes it possible to encrypt an entire environment rather than a few endpoints.
The Ryuk gang uses tools such as Cobalt Strike and PowerShell Empire to carry out its activity after the initial compromise without triggering security alerts. PowerShell Empire is built on PowerShell, the scripting environment that Windows systems include and enable by default, and those defaults make it much easier for PowerShell-based tooling to run on a compromised computer and spread across the network.
The hackers also use LaZagne, an open-source tool that recovers stored credentials, and BloodHound, a tool that penetration testers use to map a network and find paths to vulnerable systems and data. The goal is to learn which domain controllers are vulnerable and use them to gain access to, and control of, the entire network.