Ryuk: What does the helpdesk tell us?

Cybercrime is the only criminal channel that provides a helpdesk. It is an amusing side note in the world of digital crime, yet while considerable effort has gone into understanding what the code implies about the source of attacks, very little attention is paid to the administrative support the malicious actors provide to their victims.

In the case of ransomware this is a significant omission, since we have witnessed notable investment by malicious operators in ‘supporting’ victims in order to encourage payment. Equally, in the case of Ryuk we are dealing with a ‘targeted’ form of ransomware aimed at organizations, as opposed to the simple ‘fire and forget’ approach we see in untargeted campaigns.

No More Ransom

In 2016 the industry rallied around a common goal to combat ransomware under the No More Ransom initiative. Whilst the public face of this initiative is the portal nomoreransom.org where almost 100 decryption tools are provided freely to anyone who may have the misfortune of being a victim of ransomware, the initiative is a true collective of organizations and law enforcement agencies combatting ransomware and those behind such cowardly attacks.

Leveraging the expertise of supporting No More Ransom partner Coveware, this research is able to highlight some findings that allow us to draw conclusions about those behind the recent Ryuk campaign.

Show me the money

As has been documented previously, the ransom demanded by Ryuk far exceeds the payments of other strains. As detailed by CheckPoint in August 2018, “two versions of ransom notes were sent to victims; a longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000).”

This begs the question, or rather the response: “Huh?”

Why would there be two notes? Perhaps we can classify one as an Enterprise ransom and one for SMBs? Okay, unlikely. However, additional research does show that there are two approaches by the operators: in one set of cases the ransomware operators were willing to negotiate, and in another there was no willingness to do so.

It should also be noted that victims who pay the Ryuk ransom receive a decrypter that is full of faults and errors and runs a very high risk of destroying the victim's encrypted files forever.

Two groups? Or just an off-day?

Whilst the difference in response may simply indicate different helpdesk operatives with varying approaches toward extortion, other evidence detailed in the research points to the feasibility that there are two groups conducting the campaign. To clarify, this should read as ‘at least’ two groups. This should not come as a huge surprise, since many ransomware campaigns employ models that support the development and deployment of malicious campaigns by others; however, this does seem different from the as-a-service model.

Taking the likes of GandCrab for example, in which affiliates can sign up and tailor their own campaigns, it would appear that Ryuk has two groups which have closer affinity than we would see in a typical as-a-service based campaign.

What does this mean?

Perhaps this is the emergence of a new ransomware distribution model? More likely, such campaigns have been in existence for some time and a new analytical approach has simply revealed them to the industry. Ryuk should be of particular concern not only due to the exorbitant sums demanded, but also because of its very targeted nature. Equally, the willingness of victims to pay demonstrates a clear ROI for the operators, and we can expect further campaigns and continued innovation.

Acknowledgments to John Fokker and Alexandre Mundo from McAfee ATR in collaboration with Bill Siegel and Alex Holdtman from Coveware.
