The mischievous Ryuk: Combatting the ‘Death Note’-inspired ransomware
As the Ryuk ransomware continues to wreak havoc, tracking ransomware payments has become critical in stopping criminals from cashing out.
There is still an element of the crypto “Wild West” in 2020, as cryptocurrency stolen through hacks and ransomware attacks is still being cashed out on major exchanges around the world. Ransomware attacks have proved to be a lucrative cash cow for cybercriminals over the past few years, with the United States Federal Bureau of Investigation estimating that over $144 million worth of Bitcoin was stolen between October 2013 and November 2019.
A press conference held by the FBI in February revealed the huge amount paid out in ransom to attackers by victims that were desperate to regain access to their infected systems and data. Interestingly enough, attackers received the majority of ransoms in Bitcoin (BTC). More recently, researchers took a sample of 63 ransomware-related transactions, accounting for around $5.7 million of stolen funds, and found that over $1 million worth of Bitcoin was cashed out on Binance following a string of transactions across various wallet addresses.
There are a number of notorious ransomware variations that are used by different hackers and cybercriminal groups. Cybersecurity firm Kaspersky highlighted the uptick in these types of attacks targeting larger organizations in July, outlining two particular malware threats: VHD and Hakuna MATA.
These particular threats seemingly pale in comparison with the amount of cryptocurrency stolen through the use of bigger malware threats such as the Ryuk ransomware. So, here’s why Ryuk has been a preferred method of attack and what can be done to prevent and discourage attackers from cashing out their ill-gotten gains on major exchange platforms.
The Trojan at the city gates: Ryuk
These newer vectors of attack mentioned in Kaspersky’s July report have not quite garnered the same reputation as the Ryuk ransomware. Toward the end of 2019, Kaspersky released another report that highlighted the plight of municipalities and cities that have fallen prey to ransomware attacks. Ryuk was identified by the firm as the favored vehicle of attacks on larger organizations, with governmental and municipal systems being prime targets in 2019.
Ryuk first appeared in the second half of 2018 and brought havoc as it spread through computer networks and systems around the world. Named after popular character Ryuk from the manga series Death Note, the malware is a clever take on the “King of Death,” who amuses himself by delivering a “death note” to the human realm that allows the note’s finder to kill anyone by simply knowing their name and appearance.
The malware is typically delivered in a two-phase approach that allows the attackers to examine the network first. This usually begins with a large number of machines receiving emails containing a document that users may unwittingly download. The attachment contains an Emotet Trojan malware bot that activates if the file is downloaded.
The second stage of the attack sees the Emotet bot communicate with its servers to install another piece of malware known as a Trickbot. This is the piece of software that allows attackers to carry out a probe of the network.
If the attackers hit a proverbial honey pot — i.e., a network of a big business, governmental or municipal office — the Ryuk ransomware itself will be deployed across different nodes of the network. This is the vector that actually encrypts system files and holds that data for ransom. Ryuk encrypts local files on individual computers and files shared across a network.
Furthermore, Kaspersky explained that Ryuk also has the capability of forcing other computers on the network to switch on if they’re in a sleep mode, which propagates the malware across a larger number of nodes. Files located on computers on a network that are asleep are typically unavailable for access, but if the Ryuk malware is able to wake those PCs up, it will encrypt files on those machines as well.
There are two main reasons why hackers look to attack governmental or municipal computer networks: First, many of these systems are protected by insurance, which makes it far more likely that a monetary settlement can be reached. Second, these bigger networks are intrinsically tied together with other large networks, which can lead to a far-reaching, crippling effect. Systems and data powering completely different departments can be affected, which calls for a swift solution, more often than not resulting in a payment to the attackers.
Combatting cashing out on major exchanges
The end goal of these ransomware attacks is pretty simple: to demand a large payment, typically made using cryptocurrencies. Bitcoin has been the favored payment option for attackers. The use of the preeminent cryptocurrency as the preferred payment method has an unintended consequence for attackers though, as the transparency of the Bitcoin blockchain means that these transactions can be tracked at both a micro and a macro level.
That is exactly what researchers have been doing, and by looking at the endpoint of these transactions, analysts can see attackers making use of some of the biggest cryptocurrency exchanges. At the end of August, it was revealed that over $1 million worth of ransomed Bitcoin has been cashed out through Binance.
Binance’s security team revealed to Cointelegraph that these transactions were over 18 months old and that the exchange has been actively monitoring the relevant accounts. The team also highlighted the use of its exchange by attackers as being a byproduct of the sheer volume of cryptocurrency traded on the platform, which gives illicit actors more of a chance to blend into the crowd. The spokesperson added:
“This is further complicated by the fact that Binance has a wide variety of customers operating on its platform, with some customers receiving such funds through simple peer-to-peer trades, and others receiving through corporate services which leverage our platform for liquidity.”
Cointelegraph reached out to Israel-based cybersecurity firm Cymulate to learn what exchanges can do to better prevent cybercriminals from using their platforms to liquidate stolen cryptocurrency. Avihai Ben-Yossef, the company’s co-founder and chief technology officer, contends that companies that provide antivirus protection and endpoint detection and response have a vital role to play in tracking ransomed crypto, given that they know the amounts paid out and the respective wallet addresses receiving the ransomed funds. He added that from there, exchanges can track and trace these payments:
“Analysts can collect wallet numbers and check how much money is in each wallet and then create a sum of all of the found wallets. It’s important to note that there will always be more and that you need to be able to track each one from the Ryuk payloads created.”
There is no doubt that this can be a time-consuming process. Nevertheless, the use of wallet addresses by attackers to receive ransomed funds makes it possible for security teams to keep an eye on the movement of those funds.
Overall, 2020 has been a profitable year for cybercriminals who have made use of ransomware attacks, which have been constantly evolving. Ben-Yossef cautioned organizations and companies to ensure they have the best cybersecurity to combat the constantly changing cybercrime environment:
“Ransomware attacks in general are becoming more and more sophisticated. They include lateral movement, data exfiltration and many more methods that have serious consequences to companies that won’t pay the ransom. There’s a new successor to RYUK, Conti, which is written a bit differently and most likely developed by other hackers. It’s become critical for organizations to adapt security testing tools such as breach and attack simulation to ensure their security controls are working to their optimal effectiveness against emerging threats.”
By GARETH JENKINSON