Multiple researchers are linking the Ryuk ransomware that disrupted the operations of multiple U.S. newspapers in late 2018 to the Emotet and TrickBot trojans. In so doing, some analysts have now also shifted blame for the attack from North Korean actors to cybercriminals, possibly from Russia, while others maintain that attribution efforts are premature.
Crowdstrike, FireEye, Kryptos Logic and McAfee Labs each reported this week that the Dec. 29 attack against the Tribune Company was part of a greater cybercriminal scheme that already has collected more than $3.7 million by targeting large enterprise-environment organizations with Ryuk.
The ransomware typically arrives as the final stage in a chain of infections that starts with Emotet, which in turn yields TrickBot as a secondary payload. (However, FireEye says some organizations were instead directly infected with TrickBot.) Researchers have confirmed that the actors used phishing emails as an attack vector.
Generally, the attackers do not rely on TrickBot’s capabilities to automatically download Ryuk onto victims’ machines. Instead, they typically lay low at first, entering a latency period that lasts at least several months. Eventually, they manually resume activity, spreading laterally and performing reconnaissance via RDP connections tunneled through reverse shells as well as via the Empire post-exploitation framework. Only if and when the victim looks to be a lucrative ransomware target do the attackers strike with Ryuk.
FireEye refers to this operation, which dates back to August 2018, as TEMP.MixMaster, and blames the activity on an actor that Crowdstrike’s Falcon Intelligence unit refers to as Grim Spider. “Ryuk is only used by Grim Spider,” the unit asserts in its report.
Grim Spider is a subgroup of Wizard Spider, which Crowdstrike’s Falcon Intelligence unit says is the same group behind TrickBot. “Falcon Intelligence has medium-high confidence that the Grim Spider threat actors are operating out of Russia,” the Crowdstrike report states.
The premise that cybercriminals, potentially operating out of Russia, are actually behind the Ryuk attacks is a change from earlier speculation that the operation was North Korea’s doing. This initial hypothesis was apparently derived from the observation that Ryuk is a modified version of Hermes, a ransomware allegedly used by North Korea’s Lazarus Group as a distraction strategy during a 2017 campaign to steal funds from a Taiwanese bank via the SWIFT banking network.
However, researchers note that the source code behind Hermes has long been available to buyers on the dark web. In fact, McAfee reported observing a Russian-speaking actor offering a Hermes 2.1 ransomware kit on an underground forum as far back as August 2017, prior to the Taiwanese bank incident.
“The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor,” the McAfee report concludes. “From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used.”
And in its own report, Kryptos Logic chimed in: “While there is no evidence suggesting that North Korea isn’t working with Emotet actors, there is also little evidence to support that they are [as opposed to] annoyingly-timed attacks by actors who decided to interrupt the holidays.”
FireEye, too, said it found no evidence linking North Korea to the Ryuk attacks.