The mischievous Ryuk: Combatting the ‘Death Note’-inspired ransomware

Published at: Sept. 2, 2020

There is still an element of the crypto “Wild West” in 2020, as cryptocurrency stolen through hacks and ransomware attacks is still being cashed out on major exchanges around the world. Ransomware attacks have proved to be a lucrative cash cow for cybercriminals over the past few years, with the United States Federal Bureau of Investigation estimating that over $144 million worth of Bitcoin was stolen between October 2013 and November 2019.

A press conference held by the FBI in February revealed the huge amount paid out in ransom to attackers by victims that were desperate to regain access to their infected systems and data. Interestingly enough, attackers received the majority of ransoms in Bitcoin (BTC). More recently, researchers took a sample of 63 ransomware-related transactions, accounting for around $5.7 million of stolen funds, and found that over $1 million worth of Bitcoin was cashed out on Binance following a string of transactions across various wallet addresses.

There are a number of notorious ransomware variations that are used by different hackers and cybercriminal groups. Cybersecurity firm Kaspersky highlighted the uptick in these types of attacks targeting larger organizations in July, outlining two particular malware threats: VHD and Hakuna MATA.

These particular threats seemingly pale in comparison with the amount of cryptocurrency stolen through the use of bigger malware threats such as the Ryuk ransomware. So, here’s why Ryuk has been a preferred method of attack and what can be done to prevent and discourage attackers from cashing out their ill-gotten gains on major exchange platforms.

The Trojan at the city gates: Ryuk

These newer vectors of attack mentioned in Kaspersky’s July report have not quite garnered the same reputation as the Ryuk ransomware. Toward the end of 2019, Kaspersky released another report that highlighted the plight of municipalities and cities that have fallen prey to ransomware attacks. Ryuk was identified by the firm as the favored vehicle of attacks on larger organizations, with governmental and municipal systems being prime targets in 2019.

Ryuk first appeared in the second half of 2018 and brought havoc as it spread through computer networks and systems around the world. Named after popular character Ryuk from the manga series Death Note, the malware is a clever take on the “King of Death,” who amuses himself by delivering a “death note” to the human realm that allows the note’s finder to kill anyone by simply knowing their name and appearance.

The malware is typically delivered in a two-phase approach that allows the attackers to examine the network first. This usually begins with a large number of machines receiving emails containing a document that users may unwittingly download. The attachment contains an Emotet Trojan malware bot that activates if the file is downloaded.

The second stage of the attack sees the Emotet bot communicate with its servers to install another piece of malware known as TrickBot. This is the component that lets the attackers probe the network.

If the attackers hit a proverbial honey pot — i.e., the network of a big business, governmental or municipal office — the Ryuk ransomware itself will be deployed across different nodes of the network. This is the component that actually encrypts system files and holds that data for ransom. Ryuk encrypts local files on individual computers as well as files shared across the network.

Furthermore, Kaspersky explained that Ryuk also has the capability of forcing other computers on the network to switch on if they’re in sleep mode, which propagates the malware across a larger number of nodes. Files on sleeping computers are normally unreachable over the network, but if Ryuk is able to wake those PCs up, it will encrypt files on those machines as well.
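Ryuk’s wake-up step is done with Wake-on-LAN “magic packets” (documented Ryuk behaviour, though the article does not spell it out), which gives defenders a signal to watch for: an ordinary workstation waking many hosts. The detector below is an added example, not code from the article, Kaspersky or any vendor; the packet format is the standard one, while the IP addresses, MACs, ports and threshold are assumptions and the sample traffic is constructed.

```python
"""Detecting Wake-on-LAN bursts on the wire.
A magic packet is 6 bytes of 0xFF followed by the target MAC repeated
16 times (optionally a 4- or 6-byte SecureOn password), usually sent to
UDP port 9 or 7.  Sample traffic below is constructed, not captured."""

def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' for a well-formed
    magic packet, else None.  Trailing SecureOn bytes are tolerated."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)

def find_wol_senders(packets, threshold=3):
    """packets: iterable of (src_ip, dst_udp_port, payload).
    Returns {src_ip: sorted target MACs} for sources that woke at least
    `threshold` distinct hosts.  Management servers do this legitimately;
    an ordinary workstation doing it is worth an analyst's attention."""
    targets = {}
    for src_ip, dst_port, payload in packets:
        if dst_port not in (7, 9):
            continue
        mac = parse_magic_packet(payload)
        if mac:
            targets.setdefault(src_ip, set()).add(mac)
    return {ip: sorted(macs) for ip, macs in targets.items()
            if len(macs) >= threshold}

def magic_packet(mac_str: str, password: bytes = b"") -> bytes:
    """Build a magic packet; used here only to construct sample data."""
    mac = bytes.fromhex(mac_str.replace(":", ""))
    return b"\xff" * 6 + mac * 16 + password

# Constructed sample: a workstation (10.0.5.23) waking three hosts, a
# management server (10.0.1.10) waking one, a malformed packet, and noise.
SAMPLE_PACKETS = [
    ("10.0.5.23", 9, magic_packet("00:11:22:33:44:01")),
    ("10.0.5.23", 9, magic_packet("00:11:22:33:44:02")),
    ("10.0.5.23", 7, magic_packet("00:11:22:33:44:03", b"\x00" * 6)),
    ("10.0.5.23", 9, magic_packet("00:11:22:33:44:01")),   # repeat, same host
    ("10.0.1.10", 9, magic_packet("00:11:22:33:44:09")),
    ("10.0.5.23", 9, b"\xff" * 6 + bytes(range(96))),       # not a magic packet
    ("10.0.5.23", 53, b"\x12\x34\x01\x00"),                 # unrelated UDP
]
```

In a real deployment the tuples would come from a packet capture or NetFlow-style UDP records, and the threshold would be tuned to how many hosts a legitimate management server wakes.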

There are two main reasons why hackers look to attack governmental or municipal computer networks: First, many of these systems are protected by insurance, which makes it far more likely that a monetary settlement can be reached. Second, these bigger networks are intrinsically tied together with other large networks, which can lead to a far-reaching, crippling effect. Systems and data powering completely different departments can be affected, which calls for a swift solution, more often than not resulting in a payment to the attackers.

Combatting cashing out on major exchanges

The end goal of these ransomware attacks is pretty simple: to demand a large payment, typically made using cryptocurrencies. Bitcoin has been the favored payment option for attackers. The use of the preeminent cryptocurrency as the preferred payment method has an unintended consequence for attackers though, as the transparency of the Bitcoin blockchain means that these transactions can be tracked at both a micro and a macro level.


That is exactly what researchers have been doing, and by looking at the endpoint of these transactions, analysts can see attackers making use of some of the biggest cryptocurrency exchanges. At the end of August, it was revealed that over $1 million worth of ransomed Bitcoin had been cashed out through Binance.

Binance’s security team revealed to Cointelegraph that these transactions were over 18 months old and that the exchange has been actively monitoring the relevant accounts. The team also highlighted the use of its exchange by attackers as being a byproduct of the sheer volume of cryptocurrency traded on the platform, which gives illicit actors more of a chance to blend into the crowd. The spokesperson added:

“This is further complicated by the fact that Binance has a wide variety of customers operating on its platform, with some customers receiving such funds through simple peer-to-peer trades, and others receiving through corporate services which leverage our platform for liquidity.”

Cointelegraph reached out to Israel-based cybersecurity firm Cymulate to learn what exchanges can do to better prevent cybercriminals from using their platforms to liquidate stolen cryptocurrency. Avihai Ben-Yossef, the company’s co-founder and chief technology officer, contends that companies that provide antivirus protection and endpoint detection and response have a vital role to play in tracking ransomed crypto, given that they know the amounts paid out and the respective wallet addresses receiving the ransomed funds. He added that from there, exchanges can track and trace these payments:

“Analysts can collect wallet numbers and check how much money is in each wallet and then create a sum of all of the found wallets. It’s important to note that there will always be more and that you need to be able to track each one from the Ryuk payloads created.”

There is no doubt that this can be a time-consuming process. Nevertheless, the use of wallet addresses by attackers to receive ransomed funds makes it possible for security teams to keep an eye on the movement of those funds.
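The tracking Ben-Yossef describes, as an added example rather than anything from the article, Cymulate or Binance: a forward walk over a simplified ledger from the known ransom wallets to addresses an exchange has labelled as its own deposit addresses, stopping there because beyond that point funds pool with other customers’. The ledger, address names, amounts and exchange labels are constructed assumptions; real analysis reads the full UTXO graph from a node and has to deal with change outputs and mixing.

```python
from collections import deque

# Constructed sample ledger (not real transactions): input addresses and
# (address, BTC amount) outputs.  R1/R2 are the wallets ransom notes named;
# exch_dep_* are deposit addresses an exchange has tied to its customers.
LEDGER = [
    {"txid": "t1", "inputs": ["victim_a"], "outputs": [("R1", 50.0)]},
    {"txid": "t2", "inputs": ["victim_b"], "outputs": [("R2", 30.0)]},
    {"txid": "t3", "inputs": ["R1"], "outputs": [("hop_1", 49.9)]},
    {"txid": "t4", "inputs": ["hop_1", "R2"], "outputs": [("exch_dep_7", 60.0), ("hop_2", 19.8)]},
    {"txid": "t5", "inputs": ["hop_2"], "outputs": [("exch_dep_7", 19.7)]},
    {"txid": "t6", "inputs": ["shop"], "outputs": [("exch_dep_9", 1.0)]},
]
RANSOM_WALLETS = ["R1", "R2"]
EXCHANGE_DEPOSITS = {"exch_dep_7", "exch_dep_9"}

def build_graph(ledger):
    """Forward graph: address -> [(txid, next_address, amount)]."""
    graph = {}
    for tx in ledger:
        for src in tx["inputs"]:
            for dst, amount in tx["outputs"]:
                graph.setdefault(src, []).append((tx["txid"], dst, amount))
    return graph

def trace_to_exchanges(ledger, seeds, sinks, max_hops=6):
    """Breadth-first walk forward from the ransom wallets, stopping at exchange
    deposit addresses.  Returns {sink: {"hops", "path" (txids), "received"
    (BTC that reached the sink from any address the walk touched)}}."""
    graph = build_graph(ledger)
    tainted = set(seeds)               # addresses that held ransom-derived funds
    found = {}
    queue = deque((s, 0, []) for s in seeds)
    while queue:
        addr, depth, path = queue.popleft()
        if depth == max_hops:
            continue
        for txid, nxt, _ in graph.get(addr, []):
            if nxt in sinks:
                found.setdefault(nxt, {"hops": depth + 1, "path": path + [txid], "received": 0.0})
            elif nxt not in tainted:
                tainted.add(nxt)
                queue.append((nxt, depth + 1, path + [txid]))
    for tx in ledger:                  # total each reached sink took in
        if any(i in tainted for i in tx["inputs"]):
            for dst, amount in tx["outputs"]:
                if dst in found:
                    found[dst]["received"] = round(found[dst]["received"] + amount, 8)
    return found
```

Note that taint spreads through co-spends: in `t4` the 60 BTC sent to the exchange is counted in full even though only part of it came from `hop_1`, which is the usual over-approximation of this simple “poison” heuristic.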

Overall, 2020 has been a profitable year for cybercriminals who have made use of ransomware attacks, which have been constantly evolving. Ben-Yossef cautioned organizations and companies to ensure they have the best cybersecurity to combat the constantly changing cybercrime environment:

“Ransomware attacks in general are becoming more and more sophisticated. They include lateral movement, data exfiltration and many more methods that have serious consequences to companies that won’t pay the ransom. There’s a new successor to RYUK, Conti, which is written a bit differently and most likely developed by other hackers. It’s become critical for organizations to adapt security testing tools such as breach and attack simulation to ensure their security controls are working to their optimal effectiveness against emerging threats.”