North Korea-linked Ryuk ransomware campaign steals Bitcoin worth $640,000

A new Bitcoin theft has a North Korea link, according to researchers…

Targeted attacks using the Ryuk ransomware, which researchers at Check Point have linked to North Korea, have extracted more than $600,000 in Bitcoin (BTC) from large organisations.

Two versions of the ransom note seen by victims demand either 50 BTC (around $320,000 at the time) or 15-35 BTC (up to around $225,000).

Check Point found that Ryuk closely resembles Hermes, a notorious ransomware family that encrypts files and demands payment to unlock them. Hermes has previously been attributed to North Korean state actors; it was deployed during the 2017 theft of around $60m from Taiwan’s Far Eastern International Bank.

The similarity “might well be a sign of an underlying identical source code”, said Check Point.

Ryuk encrypts files on the machines it infects and then destroys the encryption key on the infected host. It also deletes shadow copies and backup files on local drives, so that users cannot recover system-critical files themselves.

Storage systems and data centres at at least three American organisations were identified as victims of what the researchers described as a “carefully orchestrated campaign targeting enterprises that are capable of paying a lot of money in order to get back on track”.

Cashing out

Examining each of the cryptocurrency transactions “exposed a pattern” of payments, the researchers found, which revealed a connection between the wallets used in the attacks.

Almost every sample of the malware gave its victim a unique BTC wallet to pay into. Once a victim paid the initial ransom, the funds were divided between multiple other wallets.

“This may indicate that a coordinated operation, in which several companies have been carefully targeted, is currently taking place using the Ryuk ransomware.

“After a ransom payment was made to a preassigned wallet, some 25% of the funds (a round amount such as 10 or 12.5 BTC) are transferred to a new wallet. The remaining amount is also transferred to a new wallet; however, the remaining funds are split and relocated again – some 25% of it is transferred to a new wallet in which it would remain, with the other funds split again, and so on.”

Several key wallets were used more often than others and are the suspected end points for these divided payments.
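The splitting pattern Check Point describes (a roughly 25% share peeled off into a wallet that then goes quiet, the rest passed on and split again) is something an analyst can look for mechanically once the ransom wallets from the notes are known. The script below is an added example and is not Check Point’s tooling or any code from the report: it walks a constructed, hypothetical transaction list (placeholder addresses, not the real Ryuk wallets) from each ransom wallet, records the peeled-off wallets and the wallet where the chain ends, and then reports which wallets turn up in more than one chain, which is the same logic that points at the “key wallets” above.

```python
from collections import defaultdict

# Constructed, hypothetical transactions for illustration only. The addresses
# are placeholders, not wallets from the Check Point report.
# Each tuple is (sender, receiver, amount in BTC).
SAMPLE_TXS = [
    # Victim 1 pays 50 BTC to its preassigned ransom wallet.
    ("victim1", "ransom_w1", 50.0),
    ("ransom_w1", "hold_1", 12.5),     # 25% peeled off and parked
    ("ransom_w1", "relay_1a", 37.5),   # remainder moves on
    ("relay_1a", "hold_2", 10.0),      # a round ~25% share peeled off again
    ("relay_1a", "relay_1b", 27.5),
    ("relay_1b", "hold_3", 7.0),
    ("relay_1b", "hub", 20.5),         # tail lands in a shared wallet
    # Victim 2 pays 35 BTC to a different preassigned wallet.
    ("victim2", "ransom_w2", 35.0),
    ("ransom_w2", "hold_1", 9.0),      # same holding wallet as chain 1
    ("ransom_w2", "relay_2a", 26.0),
    ("relay_2a", "hold_4", 6.5),
    ("relay_2a", "hub", 19.5),         # same shared wallet as chain 1
    # Unrelated transfer that must not match the pattern.
    ("someone", "shop", 0.3),
]

# Ransom wallets are known from the ransom notes (hypothetical here).
RANSOM_WALLETS = ["ransom_w1", "ransom_w2"]


def build_graph(txs):
    """Index outgoing transfers per address and total inflow per address."""
    out = defaultdict(list)
    inflow = defaultdict(float)
    for src, dst, amt in txs:
        out[src].append((dst, amt))
        inflow[dst] += amt
    return out, inflow


def is_peel(amount, total, share=0.25, tol=0.10):
    """True when `amount` is within `tol` of a 25% share of `total`.

    The tolerance allows for the 'round amount' peels the report mentions
    (10 BTC out of 37.5 is 26.7%, not exactly 25%)."""
    return abs(amount / total - share) <= tol


def trace_chain(start, out, inflow):
    """Follow the peel-and-forward pattern from one ransom wallet.

    Returns (peeled_wallets, terminal_wallet). The walk stops at the first
    wallet that does not split its inflow into one ~25% peel and one remainder."""
    peeled = []
    node = start
    visited = set()
    while node not in visited:
        visited.add(node)
        outputs = out.get(node, [])
        total = inflow.get(node, 0.0)
        if len(outputs) != 2 or total <= 0:
            break
        (small_dst, small_amt), (big_dst, _) = sorted(outputs, key=lambda x: x[1])
        if not is_peel(small_amt, total):
            break
        peeled.append(small_dst)   # the ~25% share parks here
        node = big_dst             # the remainder continues
    return peeled, node


def find_shared_endpoints(ransom_wallets, txs):
    """Trace every ransom wallet and list wallets reached by more than one chain."""
    out, inflow = build_graph(txs)
    counts = defaultdict(int)
    chains = {}
    for wallet in ransom_wallets:
        peeled, terminal = trace_chain(wallet, out, inflow)
        chains[wallet] = (peeled, terminal)
        for addr in peeled + [terminal]:
            counts[addr] += 1
    shared = sorted(addr for addr, n in counts.items() if n > 1)
    return chains, shared


if __name__ == "__main__":
    chains, shared = find_shared_endpoints(RANSOM_WALLETS, SAMPLE_TXS)
    for wallet, (peeled, terminal) in chains.items():
        print(f"{wallet}: peels -> {peeled}, ends at {terminal}")
    print("wallets shared across chains:", shared)
```

On real chain data the same walk runs over transaction outputs rather than a flat list, and the tolerance should be tuned against fees and change outputs; the point of the example is the heuristic itself: one small output near a quarter of the inflow, one large output that is followed, and a count of which addresses recur across victims.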

While the standard advice from police and security services is never to pay the attackers, “some organisations paid an exceptionally large ransom in order to retrieve their files,” Check Point said.

This is consistent with a startling piece of research published by Code42 last month, which claimed that 73% of chief security officers at large multinationals were stockpiling cryptocurrency to pay off ransomware extortion by black-hat hackers.
