Analysts believe that the Ryuk source code is largely derived from Hermes, which is a product of North Korea's Lazarus Group. However, that doesn't mean that the Ryuk attacks themselves were run from North Korea; McAfee believes that Ryuk was built on code purchased from a Russian-speaking supplier, in part because the ransomware will not execute on computers whose language is set to Russian, Belarusian, or Ukrainian. How this Russian source acquired the code from North Korea is unclear.
PureLocker is a new ransomware variant that was the subject of a paper jointly put out by IBM and Intezer in November 2019. Operating on either Windows or Linux machines, PureLocker is a good example of the new wave of targeted malware. Rather than taking root on machines via broad-range phishing attacks, PureLocker appears to be associated with more_eggs, a backdoor malware associated with several well-known cyber-criminal gangs. In other words, PureLocker is installed on machines that have already been compromised and are fairly well understood by their attackers, and then proceeds to make a number of checks on the machine where it finds itself before executing, rather than opportunistically encrypting data wherever it can.
While IBM and Intezer didn't disclose how widespread PureLocker infections were, they did reveal that most took place on enterprise production servers, which are obviously high-value targets. Because of the high-skill human control this kind of attack entails, Intezer security researcher Michael Kajiloti believes that PureLocker is a ransomware as a service offering that's only available to criminal gangs who can pay well up front.
Zeppelin was is an evolutionary descendent of the family known as Vega or VegasLocker, a ransomware-as-a-service offering that wreaked havoc across accounting firms in Russia and Eastern Europe. Zeppelin has some new technical tricks up its sleeve, especially when it comes to configurability, but what makes it stand out from the Vega family is its targeted nature. Where Vega spread somewhat indiscriminately and mostly operated in the Russian-speaking world, Zeppelin is specifically designed to not execute on computers running in Russia, Ukraine, Belarus, or Kazakhstan. Zeppelin can be deployed in a number of ways, including as an EXE, a DLL, or a PowerShell loader, but it appears that at least some of its attacks came via compromised managed security service providers, which ought to send a chill down anyone's spine.
Zeppelin began to appear on the scene in November 2019, and as more proof of its difference from Vega, its targets semeed carefully chosen. Victims were mostly in the health care and technology industries in North America and Europe, and some of the ransom notes were written to specifically address the infected target organization. Security experts believe the shift from Vega's behavior is the result of the codebase being used by a new and more ambitious threat actor, probably in Russia; while the number of infections isn't that high, some believe what we've seen so far has been a proof of concept for a larger set of strikes.
Sodinokibi, also known as REvil, first emerged in April of 2019. Like Zeppelin, Sodinokibi appeared to be the descendent of another malware family, this one called GandCrab; it also had code that prevented it from executing in Russia and several adjacent countries, as well as Syria, indicating that its origin is in that region. It had several methods of propagation, including exploiting holes in Oracle WebLogic servers or the Pulse Connect Secure VPN.
Sodinokibi's spread again indicated an ambitious command and control team behind it, probably as a ransomware as a service offering. It was responsible for shutting down more than 22 small Texas towns in September, but it truly hit notorious status on New Year’s Eve 2019 when it took down the UK currency exchange service Travelex, forcing airport kiosks to resort to pen and paper and leaving customers in limbo. The attackers demanded a stunning $6 million ransom, which the company refuses to confirm or deny it paid.
When I asked Juniper's Hahad for his pick for the worst ransomware of 2019, Sodinokibi was his choice, because of an extra twist that Sodinokibi's controllers put into their attacks. "The one thing that really makes this a little bit special is that this particular group has taken on a new approach of not only telling people, 'You're not going to get your data back if you do not pay the ransom,' but also, 'We are going to publish that confidential data on the web or sell it in an underground forum to whomever is the highest bidder.' That takes the ransomware approach to the next level in their business model." This is a huge departure from the usual ransomware model — after all, one of its big advantages is that you can lock down your victim's data without going through the difficult process of exfiltrating it — but they've already followed through on the threat at least once. The new era of hyper-targeted, custom-tailored ransomware appears to be reaching new and dangerous depths.