The identity of the notorious Ryuk ransomware, which has attacked a significant number of high-profile organisations, seems to have been discovered after a new and interesting development.
Cheesy Death Note
Ryuk emerged rapidly last year on the radar of many organisations whose information was crippled and encrypted by a mysterious group known as GRIM SPIDER. The group was earlier believed to be an organised group operating out of North Korea because of Ryuk's similarity to another well-known ransomware named Hermes; however, that assumption has since been discarded.
With a cheesy taste in names, the group has been deduced to be fans of manga and Japanese anime characters rather than to be motivated by 'national revenge'. Ryuk, the character the ransomware is named after, is a fictional figure in Japanese manga who, consumed by boredom, seeks excitement by dropping death notes for its victims (Lakeith Stanfield sound familiar?), who in turn scribble the names of enemies they want dead in a supernatural notebook.
GRIM SPIDER has been distributing 'death notes' since last year, freezing backups and databases while demanding payment in digital currencies. The group notably attacked a big Canadian food chain in December last year and explicitly asked for payment in Bitcoin (BTC). In its message to the restaurant chain, Recipe Unlimited, the group warned that it had exploited a major security gap in the restaurant's systems and encrypted the company's files "with the strongest military algorithms."
"The final price depends on how fast you write us," the message read, with each delay adding a further 0.5 BTC to the ransom.
GRIM SPIDER has, over time, focused its attention on large companies and government institutions. After using email phishing campaigns to infect thousands of intended victims with a banking Trojan called TrickBot, the group selectively picks out infected machines that fit high-value profiles and launches the second phase of the attack.
The second phase involves locking the victims' hard drives and encrypting them until the victims pay the required ransom in Bitcoin. The ransom demanded varies by target, and according to research by McAfee and CrowdStrike, the group has possibly taken in more than the reported $3.7 million (705 BTC). CrowdStrike reported:
“To date, the lowest observed ransom was for 1.7 BTC, and the highest was for 99 BTC. With 52 known transactions spread across 37 BTC addresses (as of this writing), GRIM SPIDER has made 705.80 BTC, which has a current value of $3.7 million (USD). With the recent decline in BTC to USD value, it is likely GRIM SPIDER has netted more.”