Ryuk Ransomware That Hit U.S. Newspapers Not State-Sponsored

According to reports from several cybersecurity firms, the Ryuk ransomware that reportedly recently disrupted operations at several U.S.-based newspapers is run by cybercriminals, not state-sponsored actors.

Some online sources have attributed the Ryuk ransomware to North Korea, but according to the new research, it’s more likely run by a Russian cybercriminal gang. The program is based on another ransomware threat called Hermes that’s been available for sale on underground forums since 2017.

Ryuk has been in use since August 2018, predominately against high-value enterprise targets, earning its creators $3.7 million in ransom payments.

The attribution confusion appears to have been caused by the fact that a variant of Hermes was used in an attack against the Far Eastern International Bank (FEIB) in Taiwan in October 2017, an attack that was attributed to the North Korea-linked Lazarus group.

When news broke over the Christmas holiday that a Ryuk infection impacted the print editions of several newspapers connected to the Tribune Publishing media group, some analysts made the Hermes connection and pointed the finger at North Korea.

However, security firm CrowdStrike disagrees and believes that Ryuk is only operated by a cybercriminal group called Grim Spider, which is a cell of another group called Wizard Spider that runs the TrickBot banking malware. In fact, Ryuk is often distributed by TrickBot on infected computers, which is itself distributed through via spam emails or another trojan called Emotet.

“Falcon Intelligence has medium-high confidence that the GRIM SPIDER threat actors are operating out of Russia,” the CrowdStrike researchers said in a report. “Hermes was originally advertised on exploit[.]in. This Russian-speaking forum is a well-known marketplace for selling malware and related services to criminal threat actors. If Hermes was indeed related to STARDUST CHOLLIMA [Lazarus], it would imply that nation-state threat actors are selling their services on Russian-speaking forums, which is unlikely.”

CrowdStrike’s analysis is supported by similar reports released last week by FireEye, Kryptos Logic and McAfee.

Serious Vulnerabilities Found in SCP Clients

Harry Sintonen, a researcher at F-Secure, has found serious vulnerabilities in several implementations of the SCP (Secure Copy) protocol that allows a malicious server to modify or overwrite files on client computers.

SCP works over SSH (Secure Shell) and allows transferring files securely between a client computer and a remote server. It has its roots in the 1983 RCP protocol and that’s where most of these flaws originate from.

One vulnerability, CVE-2018-20685, stems from improper validation of directory names received from the server and allows the server to modify the permissions of the target directory on the client.

The second vulnerability, CVE-2019-6111, is caused by a lack of proper object validation and potentially allows a server to overwrite a file inside the client target directory. If the operation is performed recursively, it can overwrite files in subdirectories as well.

The final two flaws, CVE-2019-6109 and CVE-2019-6110, allow the server to spoof the output seen by the client and potentially hide the output of an attack.

Used together, the vulnerabilities can, for example, be exploited to place malicious commands in the .bash_aliases files on the client. These commands will be automatically executed when the user opens a new shell. Another attack could involve modifying the .ssh/authorized_keys file and adding a key controlled by the attackers.

These attacks can be executed through a malicious or compromised server against SCP clients, but can also be executed from a man-in-the-middle network position.

OpenSSH, the default SSH and SCP client software on most Linux distributions is affected, and so are the PuTTY and WinSCP clients. Updates are available for WinSCP, but not for PuTTY and a manual patch was provided by Sintonen and linked in his advisory.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin