Vulnerabilities / Threats

1/10/2019
02:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ryuk Ransomware Attribution May Be Premature

The eagerness to tie recent Ryuk ransomware attacks to a specific group could be rushed, researchers say.

Security researchers are keen to link a recent outbreak of Ryuk ransomware to a specific attacker. Some have suggested North Korea, a decision some experts say could be rushed.

Last week a cyberattack caused print and delivery problems for newspapers owned by Tribune Publishing, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times. The issue affected the timeliness and, in some cases, the completeness of printed papers. At the time, people with knowledge of the incident said it appeared to be Ryuk ransomware.

Some parties, including Check Point Research, connected this particular Ryuk campaign and some of its inner workings to the Hermes ransomware – a form of malware commonly linked to the North Korean APT Lazarus Group. Unlike most ransomware, they say, Ryuk is only used for tailored attacks and its encryption scheme is purposefully built for small-scale operations.

But was North Korea behind the Tribune campaign? Not necessarily, McAfee Labs experts say.

To determine who may have launched the Ryuk campaign, some experts have looked at past research comparing Ryuk's code with older Hermes ransomware. In October 2017, McAfee Labs investigated an attack on a Taiwanese bank in which actors used a ransomware outbreak to distract IT staff at the same time they were stealing money. The malware used was Hermes 2.1.

Back at the time of the bank attack, McAfee didn't do much digging into the ransomware itself, says John Fokker, head of cyber investigations for McAfee Advanced Threat Research. When it was investigating North Korean attribution for the recent Ryuk campaign, they found an Aug. 2017 posting in an underground forum where a Russian-speaking actor was selling Hermes 2.1.

"It looks like a regular cybercrime kit you can buy and perhaps tweak to your liking," he explains. "If we backtrack to the investigation, there's a probability Lazarus bought this kit to use as a distraction."

While most nation-state groups tend to build and use attacks they developed, as Lazarus typically does, it wouldn't be out of the question for a group to purchase malware that would serve as a diversion. "It makes sense if you want to go for distractions, or want to create a false flag, you might go out and buy something," Fokker adds, saying it's a likely hypothesis.

Given Hermes 2.1 went on sale long before the bank heist in Oct. 2017, several people could have purchased and altered it, he continues. "We've shown that it's for sale, anyone with skill and money could buy this," says Fokker. "It opens to a wide variety of potential actors."

McAfee Labs says Ryuk and Hermes 2.1 are generally equal. "There is a very high overlap," he continues. "They're almost identical." If changing the name, and implementing a ransom note, are both part of the "fine tuning" process involved with editing Hermes 2.1 into a slightly different threat, then Ryuk is likely an edited version of it, researchers explain.

So Whodunnit?

McAfee Labs suggests the most likely hypothesis in the Ryuk case is that of a cybercriminal operation developed from a toolkit offered by a Russian-speaking actor. Evidence shows sample similarities over the past several months, which indicate a toolkit is being used. Researchers don't currently know who is responsible, but Fokker points to some defining traits.

The author and seller of Hermes 2.1 advertises a kit, not a service, meaning whoever bought it would need to set up a distribution method and infrastructure to make it work, McAfee Labs researchers explain in a blog post. Fokker also predicts the attacker has a skill in targeting.

"They're doing reconnaissance on the victim to find out if the victim is interesting and if they have money to pay up," he says. "It's less opportunistic, and more targeted. That shows to me a certain level of skill – not necessarily technical skill, but a skill that you can find your victim and select them." If it's not North Korea, it could also be a well-organized criminal group.

Fokker also points to general problems with attribution. It's understandable experts want to attribute an attack, he says, but oftentimes the process for doing so is flawed – especially when it comes to linking incidents with state-sponsored actors.

"There is a strong movement toward the 'who'," he says. "Everyone wants to figure out who is responsible … but you often don't have all the pieces to the puzzle."

McAfee Labs' approach is to analyze competing hypotheses, researchers say. An investigation involves several views, comparing different pieces of evidence to support each hypothesis, and also finding evidence that falsifies hypotheses. This method ensures the strongest hypothesis is not the one with the most verified evidence, but the one with the least falsifying evidence.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.