CATEGORY: Emerging Threat
Attackers using targeted ransomware work on the following methodology:
Successful acquiring of administrator privilege ensures enough damage by the ransomware that the victims have to pay 5-6 ﬁgure ransom for decryption of their ﬁles. Primarily, industries related to commodities, healthcare and manufacturing are being targeted. Ryuk shows close ties with the HERMES ransomware, a production of the North Korean Lazarus group.
Following is the ransom note found on encrypted computers.
Your network has been penetrated.
All ﬁles on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – ﬁles may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme ﬁles.
DO NOT DELETE readme ﬁles.
This may lead to the impossibility of recovery of the certain ﬁles.
To get info (decrypt your ﬁles) contact us at ????????@protonmail.com
BTC wallet: ???????????????????????????????? Ryuk
Ryuk demands ransoms of between 15 and 50 bitcoins (between $50,000 and $170,000), with the price escalating by 0.5 bitcoins every day the victim doesn’t pay.
System Access, Files encryption, Ransom payment
INDICATORS OF COMPROMISE
IP(s) / Hostname(s)
Malware Hash (MD5/SHA1/SH256)
Block all the threat indicators at their respective controls.