A new ransomware, dubbed “Ryuk,” has surfaced in the last few weeks that is said to be targeting large organizations in the United States.
The attackers behind Ryuk have reportedly made over $640,000 in just two weeks, and are allegedly connected to the well-known hacking group out of North Korea—Lazarus.
According to security company Check Point, the attackers are carefully targeting large organizations that have the ability to pay large ransoms for valuable data, and are exploiting vulnerabilities in order to get a quick pay-out of large sums of Bitcoin.
The attackers conduct very specific campaigns against large companies, including mapping the organizations’ network, compromising the networks and stealing credentials in order to install Ryuk to encrypt the systems. Once the organization’s system is compromised, the victim receives one of two standard ransomware notes. One ransom note is polite and advises the company that a vulnerability in their system has resulted in the encryption of all files on the system and requests a payment in Bitcoin to get the keys to the data and reminds the victim that the attackers “are not scammers.” The message goes on to tell the victim that all files will be destroyed unless the ransom is paid (but they aren’t scammers). The victim is given an email to contact and a Bitcoin wallet address to pay the ransom.
The second ransom note is more to the point and outright threatening—files are encrypted and will be destroyed unless you pay, and here is the email to contact to pay.
What is very concerning about this new ransomware is that the ransom is very large—between 15 and 35 Bitcoin, with another half a Bitcoin added for each day the victim doesn’t pay. That is roughly $224,000. This is unusual and alarming.
Unfortunately, the fact that the attackers have cashed in a large amount in such a short time indicates that this is a well-planned attack, that the attackers have researched their victims to determine their ability to pay the ransom, and that their strategy has paid off; therefore, more attacks will likely come. Another reason to check in with your IT folks and to invest in and test backup plans, continuity plans and disaster recovery operations.