Alert: 'Ryuk' Ransomware Attacks the Latest ThreatVariant of Hermes Poses Major Risks, HHS Warns
Organizations should be on guard for attacks involving an apparent variant of Hermes ransomware - dubbed Ryuk - that attempts to encrypt network resources. It has already victimized several global organizations in the U.S. and elsewhere, according to a federal alert, which offers mitigation advice.
The Aug. 30 advisory from the Department of Health and Human Services notes that the malware attacks involving Ryuk appear to be targeted.
"At the end of encryption, Ryuk destroys its encryption key and launched a BAT file that will remove shadow copies and various backup files from the disk," the alert notes.
The alert from HHS links to and contains information from an August research advisory from security firm Check Point Software Technologies, which notes that in recent weeks, "at least three organizations in the U.S. and worldwide were severely hit by the malware."
"So far the campaign has targeted several enterprises, while encrypting hundreds of PCs, storage and data centers in each infected company," Check Point notes.
Medical Equipment Firm Hit
Impacted entities include a company in the medical sector, Tim Otis, a Check Point incident response leader, tells Information Security Media Group.
"Our first discovery of Ryuk was during an incident response engagement involving a medical research equipment design and manufacturing company headquartered in the U.S., with locations in Europe," he says. "We have had additional Ryuk cases involving other verticals, such as law firms and convenience store chains both in the United States and abroad."
In its advisory, Check Point notes: "While the ransomware's technical capabilities are relatively low ... some organizations paid an exceptionally large ransom in order to retrieve their files. Although the ransom amount itself varies among the victims - ranging between 15 bitcoins to 50 bitcoins - it has already netted the attackers over $640,000."
Ryuk's "inner-workings" appears similar to Hermes ransomware, "a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks," Check Point writes. "This leads us to believe that the current wave of targeted attacks using Ryuk may either be the work of the Hermes operators, the allegedly North Korean group, or the work of an actor who has obtained the Hermes source code."
On Sept. 6, U.S. prosecutors charged Park Jin Hyok, a 34-year-old North Korean, for his alleged involvement in some of the most destructive and profitable cyberattacks, including the WannaCry ransomware outbreak, the Sony Pictures Entertainment breach as well as the theft of $81 million from Bangladesh Bank. Prosecutors allege that Park worked with the Lazarus group (see Feds Charge North Korean in Devastating Cyberattacks).
HHS warns that Ryuk is systematically distributed via malicious spam campaigns, similar to SamSam, another ransomware that was the subject of an earlier advisory from HHS this year (see HHS Warns of SamSam Ransomware Attacks).
Similar to SamSam, Ryuk attacks appear tailored to each victim organization. "The encryption scheme is intentionally built for small-scale operations," HHS notes. "Only crucial assets and resources are infected in each targeted network. Infection and distribution is carried out manually by the attackers."
Attackers are required to complete extensive network mapping, lateral movement and credential collection prior to each operation, HHS adds.
HHS did not immediately respond to an ISMG request for additional comment about its advisory.
The Hermes ransomware first gained publicity in October 2017 when it was used as part of the targeted attack against the Far Eastern International Bank in Taiwan, Check Point notes in its advisory. "In that attack, commonly attributed to the Lazarus Group, a hefty $60 million was stolen in a sophisticated SWIFT attack, though it was later retrieved. In this case, it seems the Hermes ransomware was delivered to the bank network as a diversion," Check Point writes.
"In the case of Ryuk, however, there is no doubt that the latest ransomware attacks seen over the past two weeks are by no means just a side-show but rather the main act," Check Point says. "Indeed, with ransom payments as high as those already paid, Ryuk is definitely getting hitting the right note amongst its audience, or rather its victims."
Commenting on the HHS alert, Denise Anderson, president of the Health Information Sharing and Analysis Center, or H-ISAC, formerly known as NH-ISAC, notes: "I don't know that I would call the threat 'imminent'."
But as with all cyber threats, she says, "organizations need to practice sound enterprise risk management - having general situational awareness; understanding the threat, threat vectors and threat actor motivations; knowing the risk surface and risk appetite; monitoring for the threat; and applying appropriate response and mitigation strategies," she tells ISMG.
New strains of ransomware continue to spring up.
The ID Ransomware site, which allows ransomware victims to upload an encrypted file to help ascertain the strain of ransomware that encrypted their system, now counts 631 strains of ransomware - including Ryuk, up from 603 just two months ago (see Obama-Themed Ransomware Also Mines for Monero).
In its alert, HHS notes that researchers are continuing to analyze Ryuk. The agency points out that the recommended protection and mitigation practices for the related Hermes ransomware include application blacklisting to prevent tools such as vssadmin.exe, cmd.exe and powershell.exe; firewalling off SMB (445) for internal computers; and monitoring Window Security Event logs to capture Scheduled Task creation events - Event ID 4698.
"We believe that the hackers behind Ryuk work on penetrating victims' infrastructures, using exploitation of vulnerabilities in systems deployed at the victims' network," Lotem Finkelsteen, Check Point threat intelligence analysis team leader, tells ISMG. "This means, that first of all they have to manage a practical virtual patching like IPS."
To minimize the potential damage, Finkelsteen says organizations should use an advanced end point security solution.