Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/10/2019
02:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Ryuk Ransomware Attribution May Be Premature

The eagerness to tie recent Ryuk ransomware attacks to a specific group could be rushed, researchers say.

Security researchers are keen to link a recent outbreak of Ryuk ransomware to a specific attacker. Some have suggested North Korea, a decision some experts say could be rushed.

Last week a cyberattack caused print and delivery problems for newspapers owned by Tribune Publishing, including the Chicago Tribune and Baltimore Sun, as well as the Los Angeles Times. The issue affected the timeliness and, in some cases, the completeness of printed papers. At the time, people with knowledge of the incident said it appeared to be Ryuk ransomware.

Some parties, including Check Point Research, connected this particular Ryuk campaign and some of its inner workings to the Hermes ransomware – a form of malware commonly linked to the North Korean APT Lazarus Group. Unlike most ransomware, they say, Ryuk is only used for tailored attacks and its encryption scheme is purposefully built for small-scale operations.

But was North Korea behind the Tribune campaign? Not necessarily, McAfee Labs experts say.

To determine who may have launched the Ryuk campaign, some experts have looked at past research comparing Ryuk's code with older Hermes ransomware. In October 2017, McAfee Labs investigated an attack on a Taiwanese bank in which actors used a ransomware outbreak to distract IT staff at the same time they were stealing money. The malware used was Hermes 2.1.

Back at the time of the bank attack, McAfee didn't do much digging into the ransomware itself, says John Fokker, head of cyber investigations for McAfee Advanced Threat Research. When it was investigating North Korean attribution for the recent Ryuk campaign, they found an Aug. 2017 posting in an underground forum where a Russian-speaking actor was selling Hermes 2.1.

"It looks like a regular cybercrime kit you can buy and perhaps tweak to your liking," he explains. "If we backtrack to the investigation, there's a probability Lazarus bought this kit to use as a distraction."

While most nation-state groups tend to build and use attacks they developed, as Lazarus typically does, it wouldn't be out of the question for a group to purchase malware that would serve as a diversion. "It makes sense if you want to go for distractions, or want to create a false flag, you might go out and buy something," Fokker adds, saying it's a likely hypothesis.

Given Hermes 2.1 went on sale long before the bank heist in Oct. 2017, several people could have purchased and altered it, he continues. "We've shown that it's for sale, anyone with skill and money could buy this," says Fokker. "It opens to a wide variety of potential actors."

McAfee Labs says Ryuk and Hermes 2.1 are generally equal. "There is a very high overlap," he continues. "They're almost identical." If changing the name, and implementing a ransom note, are both part of the "fine tuning" process involved with editing Hermes 2.1 into a slightly different threat, then Ryuk is likely an edited version of it, researchers explain.

So Whodunnit?

McAfee Labs suggests the most likely hypothesis in the Ryuk case is that of a cybercriminal operation developed from a toolkit offered by a Russian-speaking actor. Evidence shows sample similarities over the past several months, which indicate a toolkit is being used. Researchers don't currently know who is responsible, but Fokker points to some defining traits.

The author and seller of Hermes 2.1 advertises a kit, not a service, meaning whoever bought it would need to set up a distribution method and infrastructure to make it work, McAfee Labs researchers explain in a blog post. Fokker also predicts the attacker has a skill in targeting.

"They're doing reconnaissance on the victim to find out if the victim is interesting and if they have money to pay up," he says. "It's less opportunistic, and more targeted. That shows to me a certain level of skill – not necessarily technical skill, but a skill that you can find your victim and select them." If it's not North Korea, it could also be a well-organized criminal group.

Fokker also points to general problems with attribution. It's understandable experts want to attribute an attack, he says, but oftentimes the process for doing so is flawed – especially when it comes to linking incidents with state-sponsored actors.

"There is a strong movement toward the 'who'," he says. "Everyone wants to figure out who is responsible … but you often don't have all the pieces to the puzzle."

McAfee Labs' approach is to analyze competing hypotheses, researchers say. An investigation involves several views, comparing different pieces of evidence to support each hypothesis, and also finding evidence that falsifies hypotheses. This method ensures the strongest hypothesis is not the one with the most verified evidence, but the one with the least falsifying evidence.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.