Delaware, USA – August 21, 2018 – Researchers from Check Point analyzed an ongoing ransomware campaign targeting enterprises worldwide. During the campaign, attackers infect critical infrastructure of large companies with the Ryuk ransomware and demand a significant ransom in bitcoins. At the moment, three affected companies are known to have paid the ransom, delivering more than $640,000 to the attackers. Ryuk ransomware is based on the Hermes code that was used by the Lazarus group in last year’s attack on Far Eastern International Bank to hide the theft of $60 million. Now the attackers use the malware to extort bitcoin payments, and the researchers believe that the Lazarus group carefully plans these attacks: adversaries first gain access to the organization’s network and then manually install the ransomware on crucial infrastructure systems. In each case, they use a different bitcoin wallet and demand a different ransom amount, which varies from 15 to 50 BTC depending on the organization’s size.
It is also worth noting the campaign that distributes a new version of the Matrix ransomware. Attackers brute-force RDP connections and install the malware on as many systems as possible. While encrypting, the Matrix ransomware sends progress reports to its C&C server and tries to encrypt as many files as it can, so signs of the attack can be detected and infected systems shut down before all files are encrypted and shadow copies are deleted. To identify such attacks before your files are locked, you can leverage your SIEM tool and the Ransomware Hunter rule pack from Threat Detection Marketplace: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight
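The RDP brute-forcing described above is the kind of early sign a SIEM correlation can catch. The following Python detector is an added example, not code from the Check Point analysis or the SOC Prime rule pack: it runs over constructed Windows Security logon events (IDs 4625/4624, LogonType 10 for RDP), flags a source that exceeds a failure threshold inside a sliding window, and escalates the alert when a successful logon later arrives from the same source. The threshold, window, field names and every sample value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events (not from any real incident).
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"ts": f"2018-08-20T02:00:0{i}", "id": 4625, "logon_type": 10,
     "src": "198.51.100.7", "user": "administrator"}
    for i in range(1, 7)  # six failures in six seconds from one source
] + [
    {"ts": "2018-08-20T02:00:09", "id": 4624, "logon_type": 10, "src": "198.51.100.7", "user": "administrator"},
    {"ts": "2018-08-20T02:03:00", "id": 4625, "logon_type": 10, "src": "203.0.113.5", "user": "jdoe"},
    {"ts": "2018-08-20T02:03:30", "id": 4625, "logon_type": 10, "src": "203.0.113.5", "user": "jdoe"},
    {"ts": "2018-08-20T02:04:00", "id": 4624, "logon_type": 10, "src": "203.0.113.5", "user": "jdoe"},
    {"ts": "2018-08-20T02:05:00", "id": 4625, "logon_type": 3, "src": "198.51.100.7", "user": "svc"},
]

FAIL_THRESHOLD = 5            # assumed tuning values; adjust to your environment
WINDOW = timedelta(minutes=5)


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources producing >= threshold failed RDP
    logons inside a sliding window. The alert escalates to
    'success_after_bruteforce' when the same source later logs on successfully,
    which is the foothold an operator would use to deploy the ransomware by hand."""
    recent_fails = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ev["ts"])
        src = ev["src"]
        if ev["id"] == 4625:
            # keep only failures still inside the window, then count this one
            window_fails = [x for x in recent_fails[src] if t - x <= window] + [t]
            recent_fails[src] = window_fails
            if len(window_fails) >= threshold:
                alert = alerts.setdefault(src, {"status": "bruteforce", "failures": 0})
                alert["failures"] = max(alert["failures"], len(window_fails))
        elif ev["id"] == 4624 and src in alerts:
            alerts[src]["status"] = "success_after_bruteforce"
            alerts[src]["account"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, alert)
```

The two failures from 203.0.113.5 stay below the threshold and produce no alert, which is the behaviour you want for ordinary mistyped passwords.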