
The Ryuk cryptocurrency-targeting malware is still running rampant, despite efforts to bring it under control. The malware was found in more than 100 government and private-industry computer systems around the world over the past year, according to a report by the U.S. FBI, and has now set its sights on tech equipment in China.

Ryuk is a version of the Hermes virus, which was first found in August 2018. Both malware applications operate by using spam and botnets to infiltrate computer systems and then spread by attacking IP ports that are left unprotected. It was reportedly involved in a ransom scheme at Tribune Publishing this past January, as well as another attack on the city of Lake City, Florida, last month. The city was targeted only two weeks after another Florida city, Riviera Beach, paid a $600,000 ransom to regain access to its computer systems.

According to a report by Tencent Security, Ryuk is now in China. It is used to blackmail computer owners, and in a recent attack a computer system was held hostage for 11 SegWitcoin (BTC), worth around $117,345 at today’s prices.

Tencent warns, “With the continuous expansion of the virus’s intrusion map, Tencent Security Threat Intelligence Center recently detected that the virus has been partially detected in China. Because the virus uses RSA+AES to encrypt user files and users cannot decrypt them temporarily, it reminds all government and enterprises to be vigilant. The ransomware can be intercepted by Tencent Computer Manager and Tencent Royal Terminal Security Management System.”

To help prevent future attacks, Tencent recommends companies close certain ports, such as 135, 139, 445 and others that are typically not used. They should also whitelist other ports that are required and only allow IP connections through those whitelisted ports.
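One way to check a host against that recommendation, as an added example that is not from Tencent's report or the original article: the script below parses Windows `netstat -ano` output and reports every TCP listener reachable from the network that is either on one of the named ports or missing from an allowlist. The sample output is constructed, and the function name `audit_listeners` and the allowlist value are assumptions for illustration.

```python
import re

# Ports named in the recommendation above (RPC endpoint mapper, NetBIOS session, SMB).
RISKY_PORTS = {135, 139, 445}

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:51344     203.0.113.7:443        ESTABLISHED     7120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       1184
"""

# Matches only TCP rows in LISTENING state: local address, local port, PID.
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
LOOPBACK = {"127.0.0.1", "[::1]"}


def audit_listeners(netstat_text, allowlist):
    """Return sorted (port, address, pid, reason) tuples for TCP listeners
    that are reachable off-host and either risky or not allowlisted."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, UDP row, or a non-listening connection
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if addr in LOOPBACK:
            continue  # loopback-only listeners are not reachable from the network
        if port in RISKY_PORTS:
            # A risky port is reported even if someone added it to the allowlist.
            findings.add((port, addr, pid, "close: named in advisory"))
        elif port not in allowlist:
            findings.add((port, addr, pid, "not on allowlist"))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, pid, reason in audit_listeners(SAMPLE_NETSTAT, allowlist={443}):
        print(f"{addr}:{port} (pid {pid}) -> {reason}")
```

Run it on a schedule against real `netstat -ano` output and treat any non-empty result as drift from the host's approved port list.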

These measures, as well as other security measures, will help contain the distribution of the virus, but won’t stop it completely. According to the FBI, Ryuk is coded in such a way that it can be easily modified to continue its existence. However, as a general rule of thumb, enterprise computer systems need to be locked down as tightly as possible and individual computer users need to avoid opening any email attachment or link unless they can completely verify the source.
