Stop the Presses: Don't Rush Tribune Ransomware Attribution
Nation-States and Cybercrime Gangs Keep Blurring; Tools Alone Don't Equal Actors
Don't rush to blame the publishing and printing outage at newspapers owned by Chicago-based Tribune Publishing on anything more than an organization failing to block a malware outbreak (see Suspected Ransomware Outbreak Disrupts US Newspapers).
On Saturday, Tribune said that all of its newspapers' print runs had been disrupted or delayed by a malware outbreak. The printing press troubles also disrupted the distribution of west coast editions of The New York Times and The Wall Street Journal.
Various Tribune newspapers, including the Chicago Tribune and Los Angeles Times, reported that the outbreak involved crypto-locking Ryuk ransomware, which appeared to have been contained before it then managed to continue spreading, causing publishing headaches throughout the weekend.
The appearance of Ryuk led some media outlets to rush to connect the attribution dots and suggest that North Korea had attempted to disrupt U.S. newspapers. That's because Ryuk's code shares numerous similarities with Hermes ransomware, as security vendor Check Point Software noted in a report released in August. The U.S. government later incorporated that information into its own alert about Ryuk.
"Our research led us to connect the nature of Ryuk's campaign and some of its inner-workings to the Hermes ransomware, a malware commonly attributed to the notorious North Korean APT Lazarus Group, which was also used in massive targeted attacks," Check Point says in its August report.
But Check Point emphasized that Ryuk's reuse of Hermes code proves nothing. "The current wave of targeted attacks using Ryuk may either be the work of the Hermes operators - the allegedly North Korean group - or the work of an actor who has obtained the Hermes source code," Check Point's report said.
Ryuk Hits Hard
One thing is clear: Since August, Ryuk has continued to pummel organizations, some of which have paid attackers a ransom to unlock their systems, which law enforcement experts recommend victims avoid whenever possible (see Connecticut City Pays Ransom After Crypto-Locking Attack).
In some cases, Ryuk appears to have been distributed by Emotet, formerly a banking Trojan. In July, Symantec warned that the group behind Emotet, which it calls Mealybug, had begun distributing malware for others, primarily to target U.S. organizations (see Malware Moves: Attackers Retool for Cryptocurrency Theft).
Security firm CrowdStrike, meanwhile, tells The New York Times that it believes that an Eastern European cybercrime gang is behind Ryuk, which it has seen being distributed by Trickbot malware, which may be related to Emotet.
The attacks by the group behind Ryuk, which calls itself Grim Spider, have been lucrative, netting it more than 100 bitcoins (over $380,000) this month alone, The New York Times reported on Sunday.
Tools Alone Don't Attribution Make
As Check Point's Ryuk analysis made clear, attacks cannot be attributed to a specific individual or organization based solely on an attacker's choice of tools.
"If you take a piece of data from an assessment (such as links to Hermes malware) and take it away from all the other data, then you cannot take the assessment with that piece of data," says Robert M. Lee, CEO of industrial cybersecurity firm Dragos, in a Monday blog post. "You cannot just simply look for Hermes malware to pop up and go, 'Yup, that's Lazarus Group.' Further, links of Hermes to other malware families like Ryuk, and thus attacks where Ryuk shows up, further complicate the issue. The more analytical leaps you make, the less likely your assessment is going to be sound."
Lee is careful to note that hackers affiliated with North Korea may or may not have been behind a Ryuk outbreak at Tribune. Simply put, it's too soon to tell, and voicing vague hypotheses does no one any good.
"The only thing being highlighted in certain media outlets is transitive attribution because of links observed in different malware families," he says. "This is sloppy and will lead to numerous inaccuracies."
What is Lazarus?
Originally, Lazarus referred to TTPs - tactics, techniques and procedures, including toolsets, targets and attack infrastructure. But the concept of the Lazarus group has now expanded to encompass a variety of TTPs, campaigns and likely attack groups, some of which may cross over with other attack groups.
"We don't know what aspects of Lazarus might represent the operators, the developers, alliances with criminals or other states, etc.," Lee says via Twitter.
Lazarus is a combination of numerous intrusions and campaigns over years by various researchers and teams. The group has become conflated to represent anything North Korean. Some of the attribution for NK to Lazarus is impressive. But not all the intrusions tied to Lazarus are.
— Robert M. Lee (@RobertMLee) December 31, 2018
The use of a particular tool in an attack, however, proves nothing on its own about the attacker's identity or motivations. Many attackers may in fact be mercenaries, which provides plausible deniability for any nation-state employers. Others may be cybercrime gang members who moonlight as politically motivated hackers, or vice versa, as Robert Hannigan, the former head of GCHQ, highlighted in a keynote presentation at this year's Infosecurity Europe conference in June, in London.
For example, while both the U.S. and U.K. governments have officially attributed the 2017 WannaCry ransomware outbreak to the Pyongyang-based regime of what is officially called the Democratic People's Republic of Korea, many hallmarks of the attack made it look like a poorly tested cybercrime side project that may have gotten out of control (see Cybercrime Groups and Nation-State Attackers Blur Together).
At the same conference, Zeki Turedi, a technology strategist at CrowdStrike, likewise told me that investigators were finding increasingly "blurred lines between statecraft and criminal organizations" (see Nation-State and Cybercrime Gangs: Lines Blur).
Two Ransom Note Variations
So far, however, it's not even clear if Ryuk is the work of just one group.
Check Point in August, for example, reported seeing two different Ryuk ransom notes: "A longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC [worth about $150,000 as of Monday], and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC [worth up to $100,000]," it says. "This could imply there may be two levels of offensive."
Last month, Beazley Breach Response Services reported that attackers wielding Ryuk and BitPaymer have been demanding the biggest ransoms, compared to all other ransomware-using gangs.
Ryuk's operators appear to be seeing a massive payday. One cryptocurrency wallet address used in a Ryuk campaign has earned more than $620,000 in bitcoin ransom payments, including a single payment of 100 BTC (about $380,000), says Bill Siegel, CEO of ransomware incident response firm Coveware. "Unlike GandCrab or Dharma, the Ryuk groups are after higher ransoms from a smaller number of attacks," he tells me.
'Criminal Money-Making Tool'
As those earnings highlight, security expert Lesley Carhart, a digital forensic investigator at Dragos, says Ryuk has historically been used not as a nation-state disruption tool, but rather as a "criminal money-making tool."
But if the Tribune disruption does trace to Ryuk, "the narrative we're likely going to see for the next few weeks is, 'DPRK Attacks US News Infrastructure' - and while that statement may be technically correct, it misses a lot of nuance, may lead to faulty assumptions, and doesn't really help infosec," Carhart says via Twitter.
Regardless of the motive in the Tribune outbreak, one takeaway for all organizations is that they must ensure they have the correct defenses in place to not only spot and quickly recover from ransomware, but also to block modes of ingress being used by more advanced ransomware cybercrime gangs.
Don't get me wrong. Ryuk is particularly nasty because there's historically been some actual forethought put into how to configure it to spread and encrypt servers on a specific network. But standard ransomware mitigations, planning, and vulnerabilities still apply ...
— Lesley Carhart (@hacks4pancakes) December 30, 2018
Indeed, cybercrime gangs are increasingly buying stolen or brute-forced Remote Desktop Protocol (RDP) credentials and using them to remotely log into targeted systems and distribute ransomware, potentially after having first ransacked those systems for any valuable data (see Ransomware Keeps Ringing in Profits for Cybercrime Rings).
Such is the case with Ryuk attacks, which are "highly targeted, well-resourced and planned," according to the August advisory by the U.S. Department of Health and Human Services' cybersecurity program (see Alert: 'Ryuk' Ransomware Attacks the Latest Threat). Victims are targeted and "only crucial assets and resources are infected in each targeted network."
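Detection logic for the RDP-credential ingress pattern described above, as an added example that is not from the article or from any vendor it quotes: it scans Windows Security logon events (Event ID 4625 failures and 4624 successes, LogonType 10 for RemoteInteractive/RDP) and flags a remote source that fails repeatedly inside a short window, and separately a success that follows such a burst from the same source, which is the "brute-forced credential, then hands-on ransomware deployment" sequence defenders want to catch early. The event field names, the thresholds and the sample records are assumptions constructed for the example.

```python
"""Flag RDP brute-force bursts and the successful logon that follows one.

Added example, not code from the article. Event records are constructed
inline; in practice they would come from a SIEM's parsed Windows Security log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names are assumptions that
# mirror what a SIEM typically extracts from Windows Security events.
SAMPLE_EVENTS = [
    {"ts": "2018-12-28T01:55:00", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "192.0.2.10"},
    {"ts": "2018-12-28T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:07", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:10", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:13", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:19", "event_id": 4625, "logon_type": 10, "user": "svc_print", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:25", "event_id": 4625, "logon_type": 10, "user": "helpdesk", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:00:31", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:01:05", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"ts": "2018-12-28T02:03:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.5"},
    {"ts": "2018-12-28T02:03:30", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.5"},
]

FAILURE_THRESHOLD = 5          # failed RDP logons from one source...
WINDOW = timedelta(minutes=5)  # ...inside this sliding window trips an alert
RDP_LOGON_TYPE = 10            # LogonType 10 = RemoteInteractive (RDP)


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {'bursts': [...], 'compromised': [...]} for the given events.

    A burst is reported once per source, at the failure that reaches the
    threshold. A 'compromised' finding is a 4624 success from a source that
    already produced a burst and still has failures inside the window.
    """
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625s
    burst_sources = set()
    bursts, compromised = [], []

    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope for this rule
        ts = datetime.fromisoformat(e["ts"])
        q = recent_failures[e["src_ip"]]
        while q and ts - q[0] > window:   # age out failures older than the window
            q.popleft()

        if e["event_id"] == 4625:
            q.append(ts)
            if len(q) >= threshold and e["src_ip"] not in burst_sources:
                burst_sources.add(e["src_ip"])
                bursts.append({"src_ip": e["src_ip"], "failures": len(q),
                               "first": q[0].isoformat(), "last": ts.isoformat()})
        elif e["event_id"] == 4624 and e["src_ip"] in burst_sources and q:
            # Success shortly after a burst: the credential guess worked.
            compromised.append({"src_ip": e["src_ip"], "user": e["user"],
                                "at": ts.isoformat()})

    return {"bursts": bursts, "compromised": compromised}


if __name__ == "__main__":
    findings = detect_rdp_bruteforce(SAMPLE_EVENTS)
    for b in findings["bursts"]:
        print(f"BURST  {b['src_ip']}: {b['failures']} RDP failures {b['first']}..{b['last']}")
    for c in findings["compromised"]:
        print(f"ALERT  {c['src_ip']} logged in as {c['user']} at {c['at']} after a burst")
```

The rule deliberately keys on LogonType 10 so that the noisy LogonType 3 (network) failures common on file servers do not inflate the count, and it reports the post-burst success as a separate, higher-severity finding, since that is the point at which a ransomware operator has a foothold and the response clock starts. The threshold and window are the knobs to tune against a site's own baseline of mistyped passwords.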
This blog has been updated with comment from Coveware.