Lazarus group apt
A targeted new ransomware has burst on the scene, attacking well-chosen, targeted organizations worldwide with a highly sophisticated operation that may be linked to a well-known APT actor.

Over the past two weeks, the Ryuk ransomware has encrypted hundreds of PCs, storage and data centers in each of the companies that it’s infected, according to Check Point, including within three high-value enterprises in the U.S. So far, the ongoing campaign has netted $640,000 for the threat actors.

“Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks,” Check Point researchers said in a post on the code, today. “In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.”

Researchers said that the attackers are asking for varied sums in return for file decryption, depending on the target - ranging from 15 BTC to 50 BTC (roughly $96,000 to $320,000). “Some organizations paid an exceptionally large ransom,” they noted.

The attackers are tailoring their communications approach to the victims too, including using two different ransom notes. One is longer, “well-worded and nicely phrased,” according to Check Point, and used for organizations slapped with higher ransom requests. A second note is for the less lucrative victims, featuring a blunter note.

“Ryuk ransomware has not been widely distributed… it has only been used in targeted attacks, which makes it a lot harder to track the malware author’s activities and revenues,” Check Point analysts said. “Almost each malware sample was provided a unique wallet and shortly after the ransom payment was made, the funds were divided and transmitted through multiple other accounts.”

Connections to Hermes

While the operation is sophisticated, the ransomware’s technical capabilities are relatively low, Check Point found. However, its code has notable similarities to the Hermes ransomware, a malware commonly attributed to the Lazarus Group. Code similarities include the fact that Ryuk’s encryption logic resembles that found in the Hermes ransomware, the researchers said. Hermes first gained publicity in October 2017 when it was used as part of a sophisticated SWIFT attack against the Far Eastern International Bank (FEIB) in Taiwan.
