While ransomware attacks generally infect all possible victims, a recently discovered ransomware group has brought in almost $4m since August by installing its malicious encryption software on high value targets that have previously been infected.
The ransomware, known as Ryuk, infects large enterprises days, weeks or even a year after they were previously infected by separate malware.
In most cases, firms are first infected with a powerful trojan called Trickbot. However, smaller organisations infected by Trickbot rarely suffer as much as their larger counterparts.
The security firm CrowdStrike calls the approach used by Ryuk “big-game hunting” and so far its tactics have allowed cybercriminals to generate $3.7m worth of Bitcoin from 52 transactions since August.
What sets Ryuk apart from other strains of ransomware is its dwell time. During the period between the initial infection and the installation of the ransomware, cybercriminals have plenty of time to perform reconnaissance inside an infected network which lets them maximise the damage done by targeting critical network systems after first obtaining their passwords.
This tactic, while uncommon, is also used by the SamSam ransomware that infected city networks in Atlanta, Baltimore’s 911 system and Boeing among others. Federal prosecutors revealed that SamSam’s operators brought in over $6m in ransom payments while causing over $30m in damages.
Security firms FireEye and CrowdStrike have both downplayed reports that Ryuk was created by North Korean actors. CrowdStrike discovered evidence that the new strain of ransomware might actually originate from Russia.
Researchers at FireEye shed further light on Ryuk, saying:
“Throughout 2018, FireEye observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage. SamSam operations, which date back to late 2015, were arguably the first to popularize this methodology, and [Ryuk] is an example of its growing popularity with threat actors. FireEye Intelligence expects that these operations will continue to gain traction throughout 2019 due the success these intrusion operators have had in extorting large sums from victim organizations.”
Via Ars Technica