Ryuk ransomware has been around for more than a year now. However, this cryptovirological strain only made the headlines at the end of 2018, when its operators launched a series of attacks on several US news publications. Initially, Ryuk was believed to be another assault from North Korean state actors.
The latest findings suggest that the North Korean intelligence agency is not behind the Ryuk ransomware activity. Instead, it appears to be a joint venture between two cybercriminal groups. It has also been asserted that the groups appear to be Russian or to belong to the surrounding satellite states.
Ryuk: One of the Costliest Cryptovirological Exploits
The majority of cryptovirological strains are developed and launched to reap monetary benefits by targeting users and taking money from them in exchange for ransomware removal. Since Ryuk is not part of any hybrid warfare from North Korea, it is now clear that its operators are running it for the sole purpose of making money.
According to a report published by McAfee, Ryuk might be the most costly cryptovirological exploit to date with respect to the extortion payments its operators have received. The report reveals that the average extortion payment in Ryuk activity is around $71,000. The targeted entities have to pay that money in cryptocurrency.
Ryuk Operators Leave Room for Bargaining
Many cryptovirological operators are quite inflexible on the amount of extortion. Ryuk operators, on the other hand, have taken a different approach: they are willing to readjust the extortion amount in order to provide the decryption key. It has also been reported that in many cases Ryuk operators have lowered their extortion demand by more than half. This bargaining tactic has played out well for them, since many users are paying them instead of going for professional ransomware removal.
The Soviet Connection
Researchers have found several things that strongly indicate that the involved organizations are from the former Soviet region. For instance, they have found that Russian has been used in the encryption scripts. Moreover, the quotes from Lenin in some ransom notes also indicate that Ryuk operators have a strong connection with Russia or other post-Soviet states.
Customized Ransom Notes
Ryuk operators have also given a unique identity to their cryptovirological activity by working on customized ransom notes. Instead of using the same template in every attack, they vary the language, the text and the extortion amount. This suggests that the operators first research their targets. This is also the reason why they are so successful in collecting extraordinary amounts in the name of ransomware removal.
Ryuk ransomware remains an active threat, and professional ransomware removal experts are still trying to come up with a complete decryption solution for it.