A cybercriminal group dubbed Grim Spider has been using the Ryuk ransomware to exclusively target enterprises and has managed to amass over 705 Bitcoins (around $3.7 million) from the victims in less than six months.
CrowdStrike and FireEye researchers have been tracking the group for quite a while, but admit that it’s currently impossible to determine whether it is a part of a larger criminal enterprise (the Russia-based operator of the TrickBot banking malware) or a standalone threat group.
What’s special about the Ryuk ransomware?
Ryuk is based on the Hermes ransomware but has been tailored to target enterprise environments.
The similarities are as follows: both pieces of ransomware encrypt files using RSA-2048 and AES-256, store keys in the executable using the proprietary Microsoft SIMPLEBLOB format, encrypt mounted devices and remote hosts, and use a file marker of HERMES to mark, or check, whether a file has already been encrypted.
But unlike Hermes, Ryuk doesn’t have the same anti-analysis checks, has a different logic that handles file access, and uses a second, embedded public RSA key.
“Ryuk has two public RSA keys embedded in the executable, and what was previously the victim’s RSA private key is encrypted and embedded in the executable,” CrowdStrike researchers explained.
“Because Ryuk does not generate a victim-specific RSA key pair, all hosts can be decrypted with the same decryption key. This might appear to be a design flaw but is not, since Ryuk has a unique key for each executable. If a single executable is used for a single victim environment, then there are no repercussions if the private keys are leaked because it will only decrypt the damage from a single Ryuk executable. Thus, it is highly likely that Ryuk pre-generates the RSA key pairs for each victim. This is arguably more secure, since the victim’s system will never have access to the unencrypted RSA key pair parameters without paying the ransom.”
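The HERMES file marker mentioned above is something an incident responder can look for when scoping an outbreak. The following read-only scanner is an added example, not code from the article or from CrowdStrike or FireEye; it assumes (the article gives the marker's name but not its offset) that the marker is the ASCII bytes "HERMES" and may sit anywhere in a file, so it scans whole files in chunks and handles a marker split across two reads. The sample files it creates are constructed for the demonstration.

```python
"""Locate files carrying the HERMES marker that Hermes/Ryuk use to flag
already-encrypted files. Added example for responders; not code from the
article or from the researchers it quotes.

Assumption: the marker is b"HERMES" at any offset (the article names the
marker only). The scan is read-only and never modifies files.
"""
import os
import tempfile
from pathlib import Path

MARKER = b"HERMES"  # marker named in the article; its position is an assumption
CHUNK = 1 << 20      # read 1 MiB at a time so large files do not need to fit in memory


def file_has_marker(path, marker=MARKER):
    """Return True if the file contains the marker bytes at any offset."""
    overlap = max(len(marker) - 1, 0)
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            # keep the last few bytes of the previous chunk so a marker that
            # straddles two reads is still found
            if marker in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def scan_tree(root, marker=MARKER):
    """Walk a directory tree; return sorted POSIX-style relative paths of marked files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if file_has_marker(p, marker):
                    hits.append(p.relative_to(root).as_posix())
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
    return sorted(hits)


def build_sample_tree(root):
    """Create constructed sample files: two carrying the marker, one clean near-miss."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    # constructed: pseudo-ciphertext followed by a trailing marker
    (root / "finance" / "q3.xlsx").write_bytes(os.urandom(64) + MARKER)
    # constructed: marker straddling the chunk boundary to exercise the overlap logic
    (root / "big.bin").write_bytes(b"A" * (CHUNK - 3) + MARKER + b"B" * 10)
    # constructed: clean file whose content only resembles the marker
    (root / "notes.txt").write_bytes(b"HERMIT crabs, nothing to see here")
    return root


def demo():
    """Build the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("marked:", hit)
```

Point scan_tree at a file share or a mounted disk image to enumerate which files were touched; because the marker is checked rather than the file extension, renamed or partially written files are still caught, while the near-miss in notes.txt shows that a plain substring match on the full marker avoids false positives from similar text.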
What’s special about Grim Spider?
The Grim Spider group has been operating the Ryuk ransomware since August 2018 and has been using it to target companies that have previously been compromised via the TrickBot Trojan.
Both CrowdStrike and FireEye researchers have noticed that the Ryuk deployment happens many months after the initial TrickBot infection.
“Despite this long dwell time, the earliest reports of Ryuk malware only date back to August 2018. It is likely that actors controlling Trickbot instances used to maintain access to victim environments prior to the known availability of Ryuk were monetizing this access in different ways,” FireEye researchers posited.
Before deploying Ryuk, the attackers use the access gained through TrickBot, the Empire backdoor or compromised RDP credentials to perform reconnaissance of the target’s network and to identify the most critical systems and hosts, which are later infected with the ransomware.
The Grim Spider attackers aim to disrupt the targets’ business operations as much as possible, so that the victims are incentivised to pay the ransom.
The ransom amount varies from victim to victim: the lowest was for 1.7 BTC and the highest for 99 BTC.
The ransom note initially contained the Bitcoin wallet address to which the ransom was to be paid, but later the victims had to get in touch with the attackers via a provided email to receive that piece of information.
This is just the beginning
“Throughout 2018, [we] observed an increasing number of cases where ransomware was deployed after the attackers gained access to the victim organization through other methods, allowing them to traverse the network to identify critical systems and inflict maximum damage,” FireEye researchers say.
The researchers expect these operations to continue and increase in 2019 due to the success these intrusion operators have had in extorting large sums from victim organizations.