The ransomware attack that recently hit Tribune Publishing was perpetrated by an independent crime organization, rather than a nation-state, McAfee announced Wednesday. The Ryuk ransomware was initially thought to be perpetrated by North Korea, but McAfee concluded that it appears to have been developed from a toolkit by a Russian operator.
Ryuk is ransomware that hits high-value targets who can’t afford to be taken offline for large chunks of time. The name ‘Ryuk’ is fitting because it is taken from the Japanese manga character that “drops a death note” and the targets of the ransomware are dropped ransom notes for hefty Bitcoin sums. In this case, it effected the distribution of various Tribune Publishing outlets and the print processes of others. The L.A. Times reported that the attack was caused likely to disrupt infrastructure as opposed to stealing information.
The initial attribution to North Korea was due to past research that compared the Ryuk code with the older Hermes ransomware. McAfee agrees that the functionalities between Ryuk and Hermes are “generally equal,” but reported that the Ryuk toolkit is likely an altered version of Hermes 2.1 if the changing of the ransom note is part of the alteration.
McAfee can’t confirm who specifically executed the attack, but they do report that they know how the ransomware works, how the attackers operate, and how to detect the threat.