
True North Networks Blog

North Korean Ransomware Attack Disrupts Major U.S. News Media

It was all over the news: a server outage on Saturday at a major newspaper publishing company prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun. An early, unnamed source revealed that files with a .RYK extension were found, which points to a targeted ransomware attack using the specialized Ryuk ransomware family. This strain is the latest incarnation of the earlier HERMES ransomware, which has been attributed to the capable and active Lazarus Group, said to operate out of a Chinese city just north of the North Korean border and reportedly controlled by North Korea's Unit 180 spy agency. Unlike spray-and-pray ransomware, Ryuk is used for tailored attacks much like SamSam: the operators break into a chosen network, move through it by hand, and encrypt only the assets and resources that matter most to that victim, so each infection is focused rather than indiscriminate.

Reality Check: "It Is Very Hard to Keep a State-Sponsored Bad Actor Out of Your Network"

Security experts believe that the Ryuk crew targets and penetrates selected companies one at a time, charging exceptionally large ransoms, and gets in via spear phishing, RDP connections, or other as yet unknown techniques. Ryuk is not decryptable at the time of this writing, and it is very hard to keep a determined state-sponsored "Advanced Persistent Threat" actor out of your network. You really need to practice defense in depth, and even then...

Having said that, I admit these are early days and this attribution is a gut-feel estimate rather than something proven by forensics. There are a lot of "false flag" operations going on, and someone else may have gotten hold of that code. It feels like North Korea, though.

The infected publisher said in a statement on Saturday: "The personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation."

Any organization today needs to have weapons-grade backup procedures in place to restore production systems that have been compromised. Because Ryuk's deployment script deletes shadow copies and backup files on the hosts it reaches, those backups have to be kept somewhere the attacker cannot reach from the compromised network, offline or otherwise isolated, and they have to be exercised regularly by actually restoring from them. I'm sure the publisher is doing exactly that right now; there are IT heroes pulling all-nighters out there. It could also mean they decided not to pay the ransom. Good for them!

Ryuk-HERMES Similarities Are Clear as Daylight

The connection is pretty obvious, as shown by Check Point researchers who recently analyzed the two ransomware strains. They pointed to clear similarities between past Hermes strains and current Ryuk samples, which share large chunks of code:

  • The function that encrypts a single file is almost identical
  • Ryuk and Hermes use the same file marker for encrypted files
  • The check for the file marker is also identical
  • Both whitelist similar folders (e.g. “Ahnlab”, “Microsoft”, “$Recycle.Bin” etc.)
  • Both write a batch script named “window.bat” in the same path
  • Both used a similar script to delete shadow volumes and backup files

Both 32-bit and 64-bit builds of Ryuk have been found, so older and newer Windows hosts alike are in scope. There are also differences. The main one is that Ryuk carries a huge list of applications and services that it shuts down before encrypting a victim's systems, so that open database, mail and backup files are released and can be encrypted. "The ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stop on a list of predefined service and process names," Check Point researchers explained in a report. That burst of process and service kills, together with the shadow-copy deletion, is also the loudest thing Ryuk does before encryption starts, and it is worth alerting on. This is one nasty piece of malware.
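The three pre-encryption behaviours described above (the script that deletes shadow volumes and backup files, the batch file named window.bat, and the run of taskkill and net stop commands) all show up in process-creation telemetry before any file is encrypted. The following is an added example, not code from the original post or from Check Point's report, that hunts for them in process-creation logs. The log format (timestamp|host|image|commandline), the sample lines, the host names, the process and service names, and the detection thresholds are all constructed assumptions for illustration; Ryuk's real kill lists are far longer than the handful used here.

```python
"""Hunt for Ryuk-style pre-encryption behaviour in process-creation logs.

Added example; the log format and every sample value are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands that wipe recovery points. Patterns are generic, not Ryuk's exact script.
BACKUP_KILL_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
]
WINDOW_BAT = re.compile(r"window\.bat", re.I)

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 10  # assumed tuning: admins rarely stop ten services in one minute


def parse_line(line):
    """Parse 'ISO-timestamp|host|image|commandline' (constructed format) into a dict."""
    ts, host, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "image": image, "cmd": cmd}


def is_service_kill(event):
    """True for taskkill, or for net/net1 when the verb is 'stop'."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image == "taskkill.exe":
        return True
    return image in ("net.exe", "net1.exe") and re.search(r"\bstop\b", event["cmd"], re.I) is not None


def detect(lines):
    """Return a time-sorted list of (timestamp, host, rule, detail) alerts."""
    events = [parse_line(line) for line in lines if line.strip()]
    alerts = []
    kills = defaultdict(list)  # host -> timestamps of taskkill / net stop

    for e in events:
        if any(p.search(e["cmd"]) for p in BACKUP_KILL_PATTERNS):
            alerts.append((e["ts"], e["host"], "backup_destruction", e["cmd"]))
        if WINDOW_BAT.search(e["cmd"]):
            alerts.append((e["ts"], e["host"], "window_bat", e["cmd"]))
        if is_service_kill(e):
            kills[e["host"]].append(e["ts"])

    # Sliding window per host: one alert when >= BURST_THRESHOLD kills land inside BURST_WINDOW.
    for host, stamps in kills.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                detail = f"{end - start + 1} taskkill/net stop within {BURST_WINDOW.seconds}s"
                alerts.append((ts, host, "service_kill_burst", detail))
                break
    return sorted(alerts)


def constructed_sample():
    """Constructed Sysmon-like lines reproducing the described sequence; not real telemetry."""
    base = datetime(2018, 12, 29, 3, 14, 0)

    def t(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    sys32 = "C:\\Windows\\System32\\"
    lines = [
        f"{t(2)}|PUB-FS01|{sys32}cmd.exe|cmd.exe /c C:\\Users\\Public\\window.bat",
        f"{t(3)}|PUB-FS01|{sys32}vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet",
        f"{t(3)}|PUB-FS01|{sys32}wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP",
        f"{t(4)}|PUB-FS01|{sys32}bcdedit.exe|bcdedit /set {{default}} recoveryenabled No",
    ]
    # Illustrative process and service names (assumed), twelve kills in about ten seconds.
    for i, proc in enumerate(["sqlservr.exe", "outlook.exe", "veeam.exe", "mysqld.exe", "excel.exe"]):
        lines.append(f"{t(5 + i)}|PUB-FS01|{sys32}taskkill.exe|taskkill /IM {proc} /F")
    for i, svc in enumerate(["SQLWriter", "MSSQLSERVER", "VeeamBackupSvc", "AcrSch2Svc",
                             "BackupExecAgentBrowser", "MBAMService", "wuauserv"]):
        lines.append(f'{t(10 + i)}|PUB-FS01|{sys32}net.exe|net stop "{svc}" /y')
    # Benign admin work on another host: two service stops hours apart must not alert.
    lines.append(f"{t(3600)}|ADMIN-WS01|{sys32}net.exe|net stop Spooler")
    lines.append(f"{t(7200)}|ADMIN-WS01|{sys32}net.exe|net stop Spooler")
    return lines


if __name__ == "__main__":
    for ts, host, rule, detail in detect(constructed_sample()):
        print(f"{ts.isoformat()} {host} {rule}: {detail}")
```

On the constructed sample this raises three backup_destruction alerts, one window_bat alert and one service_kill_burst alert, all for PUB-FS01, and nothing for the admin workstation. The burst rule fires on a count inside a sliding window rather than on any single command, because a lone net stop is routine; the backup-destruction rule fires on the first hit, because there is almost never a legitimate reason for an unattended process to delete every shadow copy. In a real deployment the lines would come from Sysmon Event ID 1 or Windows Event ID 4688 with command-line auditing enabled, and the thresholds would be tuned against your own baseline.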
