Inside Ryuk Crime (Crypto) Ledger & Asian Crypto Traders

The following article is co-authored by threat intelligence researchers from HYAS and Advanced Intelligence and cross-posted to both websites..

Much has been written about the many families of ransomware over the past several years. Some of these ransomware families are operated by successful and disciplined criminal enterprises that function like any technology-focused business with developers, testers, and recruiters. The Ryuk family of ransomware has been particularly successful in economic terms as well as having a disruptive impact on many industries around the world. This article outlines some of the financial findings related to the group that might be useful for a broad audience.

It should come as no surprise that ransomware operators demand payment in Bitcoin. Bitcoin is a logical choice for a variety of reasons including the ability to remit payments without supervision or oversight of government authorities. Although the bitcoin blockchain is a public ledger that anyone can review, the addresses associated with payments aren’t necessarily known unless the individual using them is revealed somehow through a legal request or because the user intentionally associated their identity with one of their Bitcoin addresses. Disciplined criminal enterprises such as Ryuk know that handling millions of dollars in bitcoin ransom payments will attract the attention of security researchers and law enforcement. At some point, the Bitcoin will be converted to a fiat currency so that it can be used in the criminals’ local economy. The process of “cashing out” from crypto currency to fiat currency is what interests researchers because it represents the primary opportunity to identify the criminals by serving a legal process to a compliant exchange. Although there are alternatives to Bitcoin that offer better anonymity such as Monero, such alternatives have not enjoyed broad adoption among criminal organizations.

Our research involved tracing payments involving 61 deposit addresses attributed to Ryuk ransomware. The Ryuk criminals send a majority of their Bitcoin to exchanges through an intermediary to cash out. The two primary (known) exchanges are Huobi and Binance, both of which are located in Asia. Huobi and Binance are interesting choices because they claim to comply with international financial laws and are willing to participate in legal requests but are also structured in a way that probably wouldn’t obligate them to comply. In addition, both Huobi and Binance are companies that were founded by Chinese nationals but moved their business to other countries that are more friendly to cryptocurrency exchanges. Both exchanges require identity documents in order to exchange cryptocurrencies for fiat or to make transfers to banks, however it isn’t clear if the documents they accept are scrutinized in any meaningful way. A legal authority can request identity details for the individuals receiving the payments. We would not expect successful criminal enterprises like Ryuk to make use of a US-based exchange although we have observed other ransomware operators taking this approach.

In addition to Huobi and Binance, which are large and well-established exchanges, there are significant flows of crypto currency to a collection of addresses that are too small to be an established exchange and probably represent a crime service that exchanges the cryptocurrency for local currency or another digital currency. Significant volumes of bitcoin move from the laundering service to Binance, Huobi, and crime markets that we have identified through traced payments.

Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims. These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range. After tracing bitcoin transactions for the known addresses attributable to Ryuk, the authors estimate that the criminal enterprise may be worth more than $150,000,000.

Ryuk operators prepare two unique Protonmail addresses for each victim and use them to communicate. Ryuk doesn’t currently use a web-based chat like many other ransomware operations do. With the limited visibility available to analysts, it is painfully clear that the criminals behind Ryuk are very business-like and have zero sympathy for the status, purpose, or ability of the victims to pay. Sometimes the victims will attempt to negotiate with Ryuk and their significant offers are denied with a one-word response. Ryuk did not respond or acknowledge one organization that claimed to be involved in poverty relief and lacked the means to pay.

The precursor malware families that generally lead to Ryuk are used to create a score for the victim so that the operators will know how lucrative a target might be. For example, the number of domain trusts is one significant indicator that is collected automatically by precursor malware that is observed prior to a Ryuk incident. This score is then used to identify victim networks that would be the most likely to pay a large ransom.

Something that becomes glaringly apparent in analyzing ransomware incidents is that the current industry and government-accepted approaches and frameworks for dealing with malware problems aren’t effective. Enterprises that suffer from ransomware aren’t infected because they lack up to date antivirus software or because they chose the blue vendor instead of the red vendor. They’re encountering ransomware because they haven’t considered developing countermeasures that will prevent the initial foothold that is obtained by precursor malware like Emotet, Zloader, and Qakbot (to name a few). What follows are a couple of approaches to counter the initial foothold: 

  • Restrict execution of Microsoft Office macros to prevent malicious macros from running in their environment.
  • Make sure that all remote access points are up to date and require two factor authentication (2FA). 
  • The use of remote access tools such as Citrix and Microsoft RDP should be considered especially risky and the exposure should be limited to a specific list of IP addresses when required.

Researchers, law enforcement agencies, and security operations centers can contact the authors for more detailed observables related to Ryuk, related cryptocurrency transactions, and the precursor malware families.

Brian Carter is the Principal Researcher at HYAS where he helps counter fraud, develop assessments, and map adversary infrastructure. HYAS provides the industry’s first security solution that integrates into existing security frameworks and enables enterprises to detect and mitigate cyber risks before attacks happen and identify the adversaries behind them. 

Vitali Kremez is CEO and Chairman of Advanced Intelligence LLC. Vitali specializes in researching and investigating complex cyberattacks, network intrusions, and data breaches. Over his government and private sector career, Kremez has made numerous groundbreaking findings into Eastern Europe’s cybercrime underworld and has earned virtually every major certification available in the fields of IT, security, and digital forensics. Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and DarkWeb economy and mitigate any existing or emerging threats.