A ransomware strain that has affected more than 100 government and private enterprises in the U.S. and internationally has now been detected in China, according to a recent Tencent Security report.
Dubbed Ryuk, the malware targets “logistics companies, technology companies and small municipalities” that hold high-value data. Its operators have demanded ransoms upwards of $5 million paid in bitcoin, according to the Federal Bureau of Investigation (FBI). Ryuk was blamed for the January attack on Tribune Publishing, which affected all of the media conglomerate’s outlets.
Officials in Lake City, Florida paid a $460,000 ransom in June after the city’s computer systems went dark. The incident occurred two weeks after Riviera Beach, Florida paid $600,000 in a similar attack. Ryuk is believed to be a modified version of the Hermes virus that debuted in August 2018.
The virus spreads through the usual botnet and spam methods and gains entry through exposed, unprotected network ports. Once installed, the malware deletes the files associated with the intrusion, kills antivirus processes and obscures the infection vector. However, FBI agents found evidence that in at least one case Ryuk entered through a Remote Desktop Protocol (RDP) brute-force attack.
The agency wrote in a FLASH alert:
“After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded… once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”
The virus drops a “RyukReadMe” file, a ransom note that opens in the victim’s web browser. The HTML page lists only the two attackers’ email addresses in the upper left-hand corner, the name of the virus in the center of the page, and the cryptic phrase “balance of shadow universe” in the bottom right corner.
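The two indicators the article names, an RDP brute-force attempt followed by a successful logon and the drop of a RyukReadMe note, are both visible in ordinary Windows Security event logs and can be hunted for without any Ryuk-specific tooling. The Python script below is an added example written for this page, not code from the article, from Tencent Security or from the FBI. It assumes a constructed, simplified `timestamp|host|event|fields` line format standing in for Windows events 4625 (failed logon), 4624 (successful logon) and 4663 (file access), with logon type 10 meaning an RDP session; every host name, IP address, user and path in the sample is made up.

```python
"""Added example (not from the article, Tencent Security or the FBI):
triage constructed Windows-style security events for two Ryuk indicators,
an RDP brute-force burst and the creation of a RyukReadMe ransom note."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: timestamp|host|event_id|key=value;key=value
# 4625 = failed logon, 4624 = successful logon, 4663 = file access.
# LogonType=10 is a RemoteInteractive (RDP) logon; all hosts/IPs/paths are fictional.
SAMPLE_LOG = """\
2019-07-12T02:14:03|FS01|4625|LogonType=10;Src=203.0.113.7;User=administrator
2019-07-12T02:14:04|FS01|4625|LogonType=10;Src=203.0.113.7;User=admin
2019-07-12T02:14:06|FS01|4625|LogonType=10;Src=203.0.113.7;User=backup
2019-07-12T02:14:08|FS01|4625|LogonType=10;Src=203.0.113.7;User=sqlsvc
2019-07-12T02:14:09|FS01|4625|LogonType=10;Src=203.0.113.7;User=helpdesk
2019-07-12T02:14:12|FS01|4625|LogonType=10;Src=203.0.113.7;User=backup
2019-07-12T02:14:31|FS01|4624|LogonType=10;Src=203.0.113.7;User=backup
2019-07-12T02:30:10|FS01|4663|Path=C:\\Users\\Public\\RyukReadMe.html;User=backup
2019-07-12T02:30:11|FS01|4663|Path=\\\\FS01\\share\\RyukReadMe.txt;User=backup
2019-07-12T02:30:12|FS01|4663|Path=C:\\Users\\Public\\report.docx;User=backup
2019-07-12T03:00:00|WS22|4625|LogonType=2;Src=-;User=jsmith
2019-07-12T03:00:05|WS22|4625|LogonType=10;Src=198.51.100.9;User=jsmith
"""

RANSOM_NOTE_MARKER = "ryukreadme"  # file name the article reports Ryuk dropping


def parse_line(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, host, event_id, fields = line.split("|", 3)
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": int(event_id)}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (host, source IP) pairs with >= threshold failed RDP logons inside
    a sliding time window, and note whether a successful RDP logon from the
    same source followed the burst (the pattern the FBI describes)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("LogonType") != "10":  # only RDP sessions are of interest here
            continue
        key = (e["host"], e["Src"])
        if e["event"] == 4625:
            failures[key].append(e["ts"])
        elif e["event"] == 4624:
            successes[key].append(e["ts"])

    alerts = []
    for (host, src), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                later_success = any(t >= times[end] for t in successes.get((host, src), []))
                alerts.append({"host": host, "src": src,
                               "failures": end - start + 1,
                               "first": times[start], "last": times[end],
                               "followed_by_success": later_success})
                break  # one alert per source is enough for triage
    return alerts


def detect_ransom_note(events):
    """Return file-access events whose path contains the RyukReadMe marker."""
    return [{"host": e["host"], "ts": e["ts"], "path": e["Path"], "user": e.get("User")}
            for e in events if RANSOM_NOTE_MARKER in e.get("Path", "").lower()]


def triage(log_text):
    events = parse_log(log_text)
    return {"rdp_bruteforce": detect_rdp_bruteforce(events),
            "ransom_notes": detect_ransom_note(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for a in result["rdp_bruteforce"]:
        print(f"[RDP brute force] {a['src']} -> {a['host']}: {a['failures']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"later success from same source: {a['followed_by_success']}")
    for h in result["ransom_notes"]:
        print(f"[Ransom note] {h['host']} {h['ts']:%H:%M:%S} user {h['user']} wrote {h['path']}")
```

On the constructed sample the script raises one brute-force alert (six failures in nine seconds from 203.0.113.7 against FS01, followed by a success) and two ransom-note hits; the single failure from 198.51.100.9 and the non-RDP failure on WS22 stay below the threshold. In production the same logic would read real 4625/4624/4663 events, and the `followed_by_success` flag is the one worth paging on, since it marks the point at which the article's next stages (persistence, process injection, share enumeration, encryption) can begin.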
The FBI has been tracking the virus since 2018 and has noted a number of modifications. The variant seen in China reportedly runs 32-bit and 64-bit ransom modules simultaneously, giving the malware room to evolve further. The number of Chinese enterprises infected and the total amount ransomed had not been disclosed as of press time.