Bitcoin-Seeking Ransomware Ryuk Virus Found and Studied in China

Published at: July 19, 2019

Tencent Yujian Threat Intelligence Center says that a Ryuk ransomware virus has been spotted in China.

The intelligence center released information on the outbreak in a report on July 16.

According to the report, Ryuk is a family of malware aimed at infecting government and enterprise machines that hold valuable data. The report states that Ryuk derives from the Hermes virus, with code modified directly from that earlier malware.

As noted in the report, Ryuk is the name of a death spirit in the popular manga Death Note. True to the manga's title, Ryuk possesses a notebook that can be used to kill a person by writing their name on one of its pages.

Researchers at the intelligence center were reportedly able to capture and study the virus in action. According to the report, the virus came with a ReadMe note containing two email addresses. Upon writing to the first email address, the researchers received instructions and a ransom demand set at 11 Bitcoin.

The intelligence center advised personal users to run Tencent PC Manager, enable file backups, turn off Office macros, and stay away from unfamiliar emails.

The report also referenced a number of Ryuk ransom cases. In the United States, for instance, the public administration of La Porte County, Indiana paid a $130,000 ransom to get rid of the virus. In Lake City, Florida, the local government paid a $460,000 ransom after Ryuk infected the city's computer systems.

As previously reported by Cointelegraph, research in January suggested that Ryuk originated in Russia. The virus was originally thought to have come out of North Korea, but McAfee Labs and CrowdStrike have suggested that Russia is the more likely source. According to these cybersecurity companies, Ryuk may in fact have come from the Russia-based group GRIM SPIDER.
