It was all over the news: a server outage at a major newspaper publishing company on Saturday prevented the distribution of many leading U.S. newspapers, including the Wall Street Journal, New York Times, Los Angeles Times, Chicago Tribune and Baltimore Sun.
An early, unnamed source revealed that they found files with a .RYK extension, which suggests this was a targeted ransomware attack using the specialized Ryuk ransomware family. This strain is the latest incarnation of the earlier HERMES ransomware, which has been attributed to the capable and active Lazarus Group, a group that reportedly operates out of a Chinese city just north of North Korea and is controlled by the N.K. Unit 180 spy agency.
Unlike spray-and-pray ransomware, Ryuk is used for tailored attacks, much like SamSam. Its encryption scheme is built for focused infections: in each targeted network only crucial assets and resources are encrypted, and the attackers carry out that encryption manually rather than letting the malware spread on its own.
Security experts believe that the Ryuk crew targets and penetrates selected companies one at a time, charging exceptionally large ransoms, and gains entry via spear phishing, exposed RDP connections, or other as yet unknown penetration techniques. No decryptor for Ryuk exists at the time of this writing, and keeping a determined state-sponsored “Advanced Persistent Threat” actor out of your network is very hard. You really need to practice defense-in-depth, and even then…
Now, having said that, I admit these are early days and this attribution is more a gut-feel estimate than something proven by forensics. There are a lot of “false flag” operations going on, and someone else may have gotten hold of that code. It feels like N.K., though.
The infected publisher said in a statement Saturday that: “the personal data of our subscribers, online users, and advertising clients has not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation.”
Any organization today needs weapons-grade backup procedures in place to restore production systems that have been compromised. I’m sure that is exactly what they are doing; there are IT heroes pulling all-nighters out there right now. It could also mean they decided not to pay the ransom. Good for them!
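Before anyone restores from backup, responders need to know which shares the operators actually reached, and the only public indicator the post cites is the .RYK extension on encrypted files. The script below is an added example, not code from the original post or from any vendor; it walks a file tree, counts .RYK files per directory, and ranks directories by how much of their content was encrypted, so that the most affected shares are isolated and preserved first. The sample file share it builds is constructed for the demo, and the extension match is one indicator among several rather than proof of Ryuk on its own.

```python
import os
import tempfile

# Extension reported from early Ryuk victims (per the post). Treat a match
# as one indicator to corroborate, not as attribution by itself.
RYK_EXT = ".ryk"


def scan_for_ryk(root, ext=RYK_EXT):
    """Walk `root` and return {directory: (encrypted_count, total_files)}
    for every directory holding at least one file with the given extension."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        total = len(filenames)
        encrypted = sum(1 for f in filenames if f.lower().endswith(ext))
        if encrypted:
            hits[dirpath] = (encrypted, total)
    return hits


def prioritize(hits):
    """Order affected directories by share of encrypted files (highest first),
    breaking ties by absolute count. A share that is fully encrypted was
    clearly reachable by the operator's account, so it is the first place to
    cut access, snapshot for forensics, and then rebuild from backup."""
    return sorted(
        hits.items(),
        key=lambda kv: (kv[1][0] / kv[1][1], kv[1][0]),
        reverse=True,
    )


def build_sample_tree():
    """Constructed sample file share (hypothetical names, not victim data)."""
    root = tempfile.mkdtemp(prefix="ryk_demo_")
    layout = {
        "finance": ["q4.xlsx.RYK", "budget.docx.RYK", "notes.txt"],
        os.path.join("editorial", "drafts"): ["story1.docx.RYK", "story2.docx"],
        "public": ["logo.png", "index.html"],
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for name in files:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for d, (enc, total) in prioritize(scan_for_ryk(root)):
        print(f"{enc}/{total} files encrypted in {os.path.relpath(d, root)}")
```

Run it against a mounted share (or a forensic image) instead of the constructed tree by passing the mount point to `scan_for_ryk`; because the scan only reads directory listings it is safe to run against a read-only copy.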
Ryuk-HERMES Similarities Are Clear as Daylight
The connections are pretty obvious, as shown by Check Point researchers who recently analyzed the two ransomware strains. They pointed out clear similarities between past Hermes strains and current Ryuk samples, which share large chunks of code: