Ryuk Ransomware Attribution May Be Premature

  /     /     /  
Publicated : 23/11/2024   Category : security


Ryuk Ransomware Attribution May Be Premature


The eagerness to tie recent Ryuk ransomware attacks to a specific group could be rushed, researchers say.



Security researchers are keen to link a recent outbreak of Ryuk ransomware to a specific attacker. Some have suggested North Korea, a decision some experts say could be rushed.
Last week a cyberattack
caused
print and delivery problems for newspapers owned by Tribune Publishing, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times. The issue affected the timeliness and, in some cases, the completeness of printed papers. At the time, people with knowledge of the incident said it appeared to be Ryuk ransomware.
Some parties, including Check Point Research,
connected
this particular Ryuk campaign and some of its inner workings to the Hermes ransomware – a form of malware commonly linked to the North Korean APT Lazarus Group. Unlike most ransomware, they say, Ryuk is only used for tailored attacks and its encryption scheme is purposefully built for small-scale operations.
But was North Korea behind the Tribune campaign? Not necessarily, McAfee Labs experts say.
To determine who may have launched the Ryuk campaign, some experts have looked at past research comparing Ryuks code with older Hermes ransomware. In October 2017, McAfee Labs investigated an attack on a Taiwanese bank in which actors used a ransomware outbreak to distract IT staff at the same time they were stealing money. The malware used was Hermes 2.1.
Back at the time of the bank attack, McAfee didnt do much digging into the ransomware itself, says John Fokker, head of cyber investigations for McAfee Advanced Threat Research. When it was investigating North Korean attribution for the recent Ryuk campaign, they found an Aug. 2017 posting in an underground forum where a Russian-speaking actor was selling Hermes 2.1.
It looks like a regular cybercrime kit you can buy and perhaps tweak to your liking, he explains. If we backtrack to the investigation, theres a probability Lazarus bought this kit to use as a distraction.
While most nation-state groups tend to build and use attacks they developed, as Lazarus typically does, it wouldnt be out of the question for a group to purchase malware that would serve as a diversion. It makes sense if you want to go for distractions, or want to create a false flag, you might go out and buy something, Fokker adds, saying its a likely hypothesis.
Given Hermes 2.1 went on sale long before the bank heist in Oct. 2017, several people could have purchased and altered it, he continues. Weve shown that its for sale, anyone with skill and money could buy this, says Fokker. It opens to a wide variety of potential actors.
McAfee Labs says Ryuk and Hermes 2.1 are generally equal. There is a very high overlap, he continues. Theyre almost identical. If changing the name, and implementing a ransom note, are both part of the fine tuning process involved with editing Hermes 2.1 into a slightly different threat, then Ryuk is likely an edited version of it, researchers explain.
So Whodunnit?
McAfee Labs suggests the most likely hypothesis in the Ryuk case is that of a cybercriminal operation developed from a toolkit offered by a Russian-speaking actor. Evidence shows sample similarities over the past several months, which indicate a toolkit is being used. Researchers dont currently know who is responsible, but Fokker points to some defining traits.
The author and seller of Hermes 2.1 advertises a kit, not a service, meaning whoever bought it would need to set up a distribution method and infrastructure to make it work, McAfee Labs
researchers explain
in a blog post. Fokker also predicts the attacker has a skill in targeting.
Theyre doing reconnaissance on the victim to find out if the victim is interesting and if they have money to pay up, he says. Its less opportunistic, and more targeted. That shows to me a certain level of skill – not necessarily technical skill, but a skill that you can find your victim and select them. If its not North Korea, it could also be a well-organized criminal group.
Fokker also points to general problems with attribution. Its understandable experts want to attribute an attack, he says, but oftentimes the process for doing so is flawed – especially when it comes to linking incidents with state-sponsored actors.
There is a strong movement toward the who, he says. Everyone wants to figure out who is responsible … but you often dont have all the pieces to the puzzle.
McAfee Labs approach is to analyze competing hypotheses, researchers say. An investigation involves several views, comparing different pieces of evidence to support each hypothesis, and also finding evidence that falsifies hypotheses. This method ensures the strongest hypothesis is not the one with the most verified evidence, but the one with the least falsifying evidence.
Related Content:
6 Ways to Anger Attackers on Your Network
Web Vulnerabilities Up, IoT Flaws Down
New Crypto Dusting Attack Gives Cash, Takes Reputation
Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

Last News

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Ryuk Ransomware Attribution May Be Premature