Ryuk Ransomware Profits: $150 MillionResearchers Track Funds in 61 Cryptocurrency Wallets
Researchers say cryptocurrency wallets used by the operators behind the Ryuk ransomware strain and the gang's affiliates hold more than $150 million.
Brian Carter, principal researcher at security firm HYAS, and Vitali Kremez, CEO of Advanced Intelligence, report that they have identified 61 bitcoin addresses that the Ryuk cybercriminal gang and its affiliates use to receive ransomware payments from victims.
Two of the bitcoin exchanges the group uses for transferring funds are Asia-based Huobi and Binance, the researchers say in a new report. The group also uses lesser-known exchanges.
A January 2020 report by blockchain analysis firm Chainalysis found that the Huobi and Binance cryptocurrency exchanges are part of a shadow network that helps convert illegally gotten bitcoins and other virtual currencies into cash. These two exchanges also appear to circumvent anti-money laundering and “know your customer” rules (see: How Cybercriminals Are Converting Cryptocurrency to Cash).
"Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims," the research report, released Thursday, notes. "These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range. After tracing bitcoin transactions for the known addresses attributable to Ryuk, the authors estimate that the criminal enterprise may be worth more than $150 million."
The operators behind Ryuk, a crypto-locking malware variant that has been active since 2018, target large-scale enterprise systems as well as local and state government agencies. A 2020 report by ransomware incident response firm Coveware found that the Ryuk gang and its affiliates had started doubling their ransom demands, with a $780,000 average payment from victims (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).
The researchers note Ryuk and its affiliates have been successful in extracting large ransom demands because of their use of precursor malware, which is deployed by the group as a first-stage attack to gain an initial foothold and analyze the ransom-paying capabilities of its victims.
"For example, the number of domain trusts is one significant indicator that is collected automatically by precursor malware that is observed prior to a Ryuk incident. This score is then used to identify victim networks that would be the most likely to pay a large ransom," the report notes.
The precursor malware the Ryuk gang uses includes Emotet, Zloader and Qakbot, among others, according to the report.
The Ryuk operators have also been using the Trickbot botnet to deliver their ransomware to compromised devices and networks. Some security analysts, however, have noted that cybercriminals may have started scouting for alternatives to Trickbot after Microsoft launched a campaign to dismantle its infrastructure last year (see: Microsoft Continues Trickbot Crackdown ).
In October, security firm Sophos found the Ryuk group was relying on a malware-as-a-service tool - the Buer loader - to deliver the malware, rather than botnets such as Trickbot and Emotet (see: Ryuk Ransomware Delivered Using Malware-as-a-Service Tool)
The report notes that ransomware groups are targeting more organizations that lack adequate countermeasures to prevent the initial foothold obtained by precursor malware. The researchers say organizations can take several steps to help prevent Ryuk attacks, including:
- Restrict execution of Microsoft Office macros to prevent malicious macros from running in their environment;
- Ensure that all remote access points are up to date and enable two-factor authentication;
- Limit the use of remote access tools, such as Citrix and Microsoft Remote Desktop Protocol, to help reduce the exposure to a specific list of IP addresses.
Ryuk has been tied to several high-profile security incidents over the last several months.
These include attacks on French IT services firm Sopra Steria in October and Philadelphia-based eResearchTechnology, which provides clinical trial oversight software to drugmakers and testing firms, in September.
In October, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency sent out an emergency alert after a number of hospitals and healthcare facilities sustained Ryuk ransomware attacks (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).