Ryuk Ransomware is Back Again

Delaware, USA – January 3, 2019 – The last days of the year 2018 were extremely troubled for one of the biggest US’ media group. Ryuk ransomware seriously disrupted crucial production and printing processes, so the Sunday morning was clouded for the readers of printed newspapers. A Tribune Publishing spokesperson said that websites and mobile apps of its newspapers weren’t affected by the attack, but the print editions suffered disruption in printing and delivery due to ransomware attack.

Another ransomware attack happened a week ago. Adversaries penetrated Cloud hosting provider Data Resolution network through a hacked account and infected servers with Ryuk. The company shut down its network to stop the spreading of the malware and restore affected machines. Data Resolution said that there is no evidence that any data was exfiltrated, but attackers could use ransomware to wipe the traces of such activity.

Half a year ago, Ryuk ransomware was used in highly targeted attacks on enterprises worldwide and delivered more than $640 thousand to the threat actors. Its authors had access to the Hermes ransomware code used in the attack on Far Eastern International Bank to hide the theft of $60 million. Therefore, the Lazarus group is the main suspect in recent attacks.

We are keeping close track on Ryuk and updating Sigma rule for its detection as new indicators of compromise are discovered.
Ryuk Ransomware Detector: https://tdm.socprime.com/tdm/info/1379/