An amount of $640,000 was wrested by the attacker, in all. 15 to 50 BTC were demanded from the targets in exchange for their files and other data.
The ransomware encrypts data that’s in the storage, in the personal computers and in the data centres. The attack had several victims to its name, including some of the major organizations in the USA and other countries.
HERMES ransomware which is issued by the Lazarus group which is a North Korean APT, had something to do with the Ryuk ransomware attack. This gave rise to another belief mainly that this very ransomware could be one of the targeted campaigns from the Lazarus Group or the malware author derivative HERMES source code.
The same encryption logic and process as that of the one used in the HERMES ransomware was found in Ryuk.
This attack is manually carried forward. The subjects of the attacks are cautiously chosen, keeping in mind the structure, which is designed especially for the networks of small-scale enterprises.
Ryuk was disseminated through massive spam campaigns and exploit kits. Credential collection, hacking and extensive network mapping are all the requisites before the commencement of any operation.
Over forty (40) windows processes and 180 services were killed by the Ryuk Ransomware. It was done by the execution of the taskkill and net stop on a list of process names and services. Most of the services belonged to database Anti-Virus, document editing software and database backup.
As soon as all the cryptographic basics are done with, every network share and drive on the target’s system gets encrypted. The files or directories with text from any hardcoded whitelist, containing “RecycleBin”, “Chrome”, “Ahnlab” and “Mozilla” are the only ones that are safe from encryption.
The Ryuk ransomware attack is a highly lucrative one and enterprise networks are the major aim of the cybercriminals.