Major ransomware attack Ryuk suspected to be the work of Russians

Criminal group may be to blame

By Lyle Adriano

The ransomware attack that affected major US newspaper companies last year has been attributed to Russian cyber criminals.

The so-called “Ryuk” ransomware affected printing centers operated by Tribune Publishing and the Los Angeles Times last August, delaying distribution of the publications. Initially, the attack was attributed to North Korean state-sponsored hackers, since similar malware was deployed by Pyongyang-backed cyber attackers on the Far Eastern International Bank (FEIB) in Taiwan in 2017.

However, cybersecurity firms CrowdStrike, FireEye, Kryptos Logic, and McAfee have concluded that a Russian criminal group known as Grim Spider carried out the attack.

ZDNet reported that Grim Spider appears to have purchased the Hermes ransomware from a hacking forum and later modified the malware into what would become known as Ryuk. The North Korean hackers behind the 2017 attack were also suspected of purchasing the same ransomware kit, hence the initial confusion over who was responsible.

CrowdStrike suspects Grim Spider to be a sub-division of a much larger criminal operation called Wizard Spider, an organization that the cybersecurity company says is responsible for the TrickBot banking Trojan.

The cybersecurity firms explained that many of the ransomware victims were first infected with the TrickBot malware before Ryuk was deployed on their systems. It is believed that TrickBot operators mounted large spam campaigns to infect numerous victims, then selected those infected computers found to be connected to the networks of large companies or government organizations for further infection with Ryuk.
