“Ryuk-ransomware is Russian-made.

Researchers from Crowdstrike, FireEye and McAfee Labs argue that the ransomware called Ryuk is made in Russia. Earlier it was thought that the ransomware had been developed and used by North Koreans. Silicon Angle, among others, writes about the findings.

Ryuk was discovered last summer and managed to capture $640,000 in two weeks’ time. Researchers then thought that the hackers were connected to Lazarus, a hacker group that is active from North Korea. Researchers are now saying, each in their own reports, that this is not the case. The ransomware would have been deployed by Russian hackers.

Larger process

The researchers point out, among other things, that an attack on several large American newspapers in December was similar to tools known to be used by Russian criminals. McAfee argues that North Korea was referred to earlier because there seemed to be shared code with the older Hermes-ransomware used in that country. But further investigation showed that Hermes himself is from Russia. North Korean hackers probably bought it on the dark web.

Some of the reports also state that the Ryuk infections were often delivered as the last stage of multiple infections. FireEye describes this as TEMP.MixMaster. The process begins with an infection by the Emotet banking malware, followed by TrickBot. Ryuk will follow after that.

Emotet was last in the news in October, when a water company in North Carolina said it got infected by Emotet, before Ryuk took their network hostage. Emotet is from Russia.

Months of waiting

The researchers also concluded that hackers often wait a long time to install Ryuk, sometimes even a few months. After the system is explored with remote desktop protocol connections, hackers wait until their victims are a lucrative enough target for the ransomware.

The group that Ryuk developed and deployed is estimated to have raised $2.48 million in bitcoins since Ryuk was first used in August.