A ransomware strain that has successfully infiltrated more than 100 government and private organizations in the U.S. and worldwide has now been identified in China, according to a recent Tencent Security report.
Dubbed Ryuk, the malware targets “logistics companies, technology firms and small municipalities” whose data is of higher value, demanding ransoms of up to $5 million in bitcoin, according to the Federal Bureau of Investigation (FBI).
In January, Ryuk was identified as the malware behind an attack on Tribune Publishing that affected all of the media conglomerate’s outlets. In June, authorities in Lake City, Florida paid a $460,000 ransom after the city’s computer systems went dark, two weeks after nearby Riviera Beach, Florida paid $600,000 to recover from its own attack.
Ryuk, which first appeared in August 2018, is widely considered a customized version of the Hermes ransomware. It is distributed through the usual botnet and spam campaigns and gains entry through exposed network ports.
Once established, the malware deletes most artifacts of the intrusion and kills antivirus processes, obscuring the infection vector. In one case, however, FBI agents found evidence that Ryuk gained entry through a Remote Desktop Protocol (RDP) brute-force attack.
The agency wrote in a FLASH alert:
“After the assaulter has gained access to the victim network, additional network exploitation tools may be downloaded… once implemented, Ryuk establishes persistence in the registry, injects into running processes, seeks out network-connected file systems, and starts encrypting files.”
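The RDP brute-force entry route mentioned above, and the FBI’s observation that the operators gain a foothold before deploying Ryuk, is something defenders can watch for in Windows Security logs well before encryption starts. The following is an added example, not code from this article or from the FBI alert: a small Python detector that runs over constructed Windows logon events (Event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP) and raises a high-severity alert when one source address fails repeatedly and then succeeds within a short window, and a medium-severity alert for a burst of failures alone. The event dictionaries, field names and thresholds are assumptions made for the example and are not a real log schema.

```python
"""Detect RDP brute-force logon patterns in Windows Security events.

Added example for this article; not code from the page, the FBI alert or
the Ryuk operators.  Events are represented as simple dicts (assumed
schema, not the real EVTX layout):
  event_id   4625 = failed logon, 4624 = successful logon
  logon_type 10   = RemoteInteractive, i.e. RDP
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data).  Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    # 198.51.100.23: six failures against "administrator", then a success -> high
    {"time": "2019-07-10T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:02", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:03", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:04", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:06", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    # A network (type 3) failure from the same host: not RDP, so ignored
    {"time": "2019-07-10T02:00:07", "event_id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-07-10T02:00:09", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.23"},
    # 203.0.113.7: five failures, no success -> medium
    {"time": "2019-07-10T02:05:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2019-07-10T02:05:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2019-07-10T02:05:40", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2019-07-10T02:06:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2019-07-10T02:06:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    # 192.0.2.10: a single clean RDP logon by a real admin -> no alert
    {"time": "2019-07-10T02:10:00", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "192.0.2.10"},
]

FAIL_THRESHOLD = 5            # assumed tuning value: failures that count as a burst
WINDOW = timedelta(minutes=10)  # assumed tuning value: sliding window per source IP
RDP_LOGON_TYPE = 10


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for RDP brute-force activity.

    severity "high":   >= threshold failed RDP logons from one source IP
                       followed by a successful RDP logon within `window`
                       (the pattern that precedes a hands-on-keyboard intrusion)
    severity "medium": >= threshold failed RDP logons within `window` with
                       no success seen
    """
    failures = defaultdict(list)  # src_ip -> timestamps of recent RDP failures
    alerts = []
    for e in sorted(events, key=_ts):
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are relevant here
        now, ip = _ts(e), e["src_ip"]
        # Keep only failures inside the sliding window for this source
        failures[ip] = [t for t in failures[ip] if now - t <= window]
        if e["event_id"] == 4625:
            failures[ip].append(now)
        elif e["event_id"] == 4624 and len(failures[ip]) >= threshold:
            alerts.append({
                "severity": "high", "src_ip": ip, "user": e["user"],
                "failures": len(failures[ip]), "success_at": e["time"],
            })
            failures[ip] = []  # reset so the burst is not reported twice
    # Bursts that never produced a success are still worth a look
    for ip, ts_list in failures.items():
        if len(ts_list) >= threshold:
            alerts.append({
                "severity": "medium", "src_ip": ip, "user": None,
                "failures": len(ts_list), "success_at": None,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On a real host the events would come from the Security channel (for example via `wevtutil` or a SIEM export) rather than the inline list; the key design point is that the successful 4624 after a burst of 4625s is the high-confidence signal, since that is the moment an attacker has a session from which to download further tooling and stage the ransomware.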
The ransomware also drops a “RyukReadMe” file that opens the ransom note in the victim’s web browser. The HTML page lists only two email addresses for the attackers in the upper left corner, the name of the ransomware in the middle of the page, and the cryptic phrase “balance of shadow universe” in the bottom right corner.
The FBI has been tracking the ransomware since 2018 and has observed several variants. The version seen in China reportedly carries both a 32-bit and a 64-bit encryption module, which may allow the malware to evolve further.
As of press time it had not been disclosed how many Chinese companies had been infected, or how much the attackers have collected in ransom payments.