An examination of the malware gang’s payments reveals insights into its economic operations.
The Ryuk ransomware has earned its operators an estimated $150 million, according to an examination of the malware’s money-laundering operations.
Joint research released this week from Brian Carter, principal researcher at HYAS, and Vitali Kremez, CEO at Advanced Intelligence, took a look under the Ryuk hood at the group's business operations. The two were able to trace payments involving 61 Bitcoin deposit addresses attributed to the Ryuk ransomware.
“The Ryuk criminals send a majority of their Bitcoin to exchanges through an intermediary to cash out,” the researchers explained. This “well-known broker” essentially collects Bitcoin payments from ransomware victims and then exchanges them for fiat currency – traditional paper money – for the Ryuk gang.
“These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range,” the researchers said. “After tracing Bitcoin transactions for the known addresses attributable to Ryuk, the authors estimate that the criminal enterprise may be worth more than $150 million.”
In terms of the exchanges used for this process, the researchers traced the cash-outs to large, legitimate exchanges Huobi and Binance, both of which are located in Asia. Carter and Kremez said that the exchanges’ business practices allow users to maintain some level of anonymity.
“Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests, but are also structured in a way that probably wouldn’t obligate them to comply,” the researchers said. They added, “both exchanges require identity documents in order to exchange cryptocurrencies for fiat currency or to make transfers to banks, however it isn’t clear if the documents they accept are scrutinized in any meaningful way.”
Aside from the two legitimate exchanges, Carter and Kremez’ examination also uncovered large pools of cryptocurrency being cashed out using a collection of addresses that do not appear to be linked to established exchanges. These “probably represent a crime service that exchanges the cryptocurrency for local currency or another digital currency,” researchers noted.
The analysis also found that Ryuk operators typically use two unique Protonmail addresses for each victim in order to communicate.
“Ryuk doesn’t currently use a web-based chat like many other ransomware operations do,” the researchers noted, which has allowed them some limited visibility into how the Ryuk operators interact with their victims.
In analyzing the correspondence, “it’s painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose or ability of the victims to pay,” they noted. “Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.”
Carter and Kremez also found evidence of significant reconnaissance activity when it came to victim selection, by way of “precursor malware families” that evaluate how lucrative an organization may prove to be as a target.
These malware families “are used to create a score for the victim,” the researchers explained. “For example, the number of domain trusts is one significant indicator that is collected automatically by precursor malware that is observed prior to a Ryuk incident. This score is then used to identify victim networks that would be the most likely to pay a large ransom.”
In all, a picture emerges of a crime group that functions with an eye toward ROI.
“Some of these ransomware families are operated by successful and disciplined criminal enterprises that function like any technology-focused business with developers, testers and recruiters,” the researchers said.
As for avoiding infection, most ransomware is loaded by an initial “dropper” malware that acts as the tip of the spear in any attack; these include Emotet, Trickbot, Qakbot and Zloader, among others. The researchers said that an effective defense thus should involve developing countermeasures that will prevent that initial foothold.
Top ways to do this, according to the post, are to restrict execution of Microsoft Office macros to prevent malicious macros from running; to make sure that all remote-access points are up-to-date and require two-factor authentication (2FA); and to limit the use of remote-access tools such as Citrix and Microsoft RDP to a specific list of IP addresses, and only when required.
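As an added illustration (not code from the researchers' post), the PowerShell sketch below audits two of those recommendations on a Windows host: the Office macro policy and the source-address scope of the inbound RDP firewall rules. It assumes the Office "16.0" policy hive and the English firewall group name "Remote Desktop"; the allowlist addresses are constructed placeholders.

```powershell
# Added example: audit (or, with -Enforce, apply) the macro and RDP mitigations.
# Assumptions: Office policy hive "16.0" (Office 2016 and later), English-locale
# firewall group name, constructed allowlist addresses (documentation ranges).
param(
    [switch]$Enforce,
    [string[]]$RdpAllowlist = @('192.0.2.10', '198.51.100.0/24')  # constructed values
)

$findings = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # VBAWarnings: 1 = enable all, 2 = prompt, 3 = signed macros only, 4 = disable all
    $macrosRestricted = $cur.VBAWarnings -in 3, 4
    # blockcontentexecutionfrominternet = 1 blocks macros in files from the internet
    $internetBlocked = $cur.blockcontentexecutionfrominternet -eq 1
    if ($Enforce) {
        # Create the key only if missing, so existing policy values are preserved
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if (-not $macrosRestricted) {  # use 3 instead of 4 if signed macros are needed
            New-ItemProperty -Path $key -Name VBAWarnings -Value 4 -PropertyType DWord -Force | Out-Null
        }
        if (-not $internetBlocked) {
            New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
    [pscustomobject]@{
        Check           = "Office macros ($app)"
        CompliantBefore = ($macrosRestricted -and $internetBlocked)
        Detail          = "VBAWarnings=$($cur.VBAWarnings); blockInternet=$($cur.blockcontentexecutionfrominternet)"
    }
}

# Inbound RDP rules that are enabled should not accept connections from 'Any'
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }
$findings += foreach ($rule in $rdpRules) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $openToAny = $remote -contains 'Any'
    if ($Enforce -and $openToAny) {
        Set-NetFirewallRule -Name $rule.Name -RemoteAddress $RdpAllowlist
    }
    [pscustomobject]@{
        Check           = "RDP rule $($rule.Name)"
        CompliantBefore = (-not $openToAny)
        Detail          = "RemoteAddress=$($remote -join ',')"
    }
}
$findings | Format-Table -AutoSize
```

The registry values here are per-user (HKCU); in a domain the same settings are normally deployed through Group Policy, and firewall changes with `-Enforce` need an elevated session. The 2FA and patch-level recommendations are not covered by this check.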