Howard Solomon
Published: October 10th, 2018

A new strain of ransomware first reported in August is now being seen in Canada, hitting at least four organizations here.

“I’m starting to see a certain type of ransomware called Ryuk targeting healthcare organizations,” Canadian cyber security lawyer Imrad Ahmad told IT World Canada on Tuesday. “Typically ransomware locks up your system. This one actually exfiltrates data” as well.

Ahmad, a partner and national leader of the cybersecurity law practice at Miller Thomson LLP, said his practice knows of four organizations that were hit in the past month alone. He wouldn’t say how many of the organizations had lost data.

Typically the ransom demanded was around 40 to 50 Bitcoin, he said, which at current value is roughly $34,000 to $42,00.

How each was infected isn’t clear yet,

In August the U.S. Department of Health and Human Services and Check Point Software issued alerts on this particular strain of ransomware.

The way the attacks have been executed suggests the people behind them have researched their targets well, probably infiltrating networks before launching the ransomware, because they know where valuable data is. Check Point said that in the incidents it has seen, Ryuk is only used in targeted attacks.

To maintain persistence, Ryuk writes itself to the Windows Run registry key. The ransomware will kill more than 40 processes and stop more than 180 services from a list of predefined service and process names. Most belong to antivirus, database, backup and document editing software.
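The behaviour described above lends itself to a host-level detection: a burst of service stops and process kills, correlated with a write to a Run key. The following is an added example, not code from Check Point or from this article. It assumes Sysmon-style events (ID 1 for process creation, ID 13 for a registry value set) reduced to tuples; the command-line patterns, thresholds, host names and sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Run-key value writes, as seen in a Sysmon RegistryEvent (ID 13) TargetObject.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Assumption (not from the article): stops and kills surface as these command lines.
STOP_CMD = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b", re.I)

def detect(events, window=timedelta(minutes=5), burst=20):
    """Flag hosts with >= `burst` stop/kill commands inside `window`.

    events: iterable of (iso_timestamp, host, event_id, detail) tuples.
    Returns {host: {"burst_start": iso_ts, "run_key_writes": [registry paths]}}.
    """
    stops, run_writes = defaultdict(list), defaultdict(list)
    for ts, host, event_id, detail in events:
        if event_id == 1 and STOP_CMD.search(detail):
            stops[host].append(datetime.fromisoformat(ts))
        elif event_id == 13 and RUN_KEY.search(detail):
            run_writes[host].append(detail)
    findings = {}
    for host, times in stops.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= burst:
                findings[host] = {"burst_start": times[start].isoformat(),
                                  "run_key_writes": run_writes.get(host, [])}
                break
    return findings

def sample_events():
    """Constructed events: WS-01 shows the burst, WS-02 is routine admin work."""
    base = datetime(2018, 10, 9, 3, 0, 0)
    ev = [((base + timedelta(seconds=i)).isoformat(), "WS-01", 1,
           f"net.exe stop ExampleSvc{i} /y") for i in range(25)]
    ev.append(((base + timedelta(seconds=30)).isoformat(), "WS-01", 13,
               r"HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\example"))
    ev += [("2018-10-09T09:00:00", "WS-02", 1, "sc.exe stop Spooler"),
           ("2018-10-09T15:00:00", "WS-02", 1, "net stop Spooler")]
    return ev

if __name__ == "__main__":
    for host, info in detect(sample_events()).items():
        print(host, info)
```

A Run-key write on its own is too common to alert on, so the sketch reports it only as supporting evidence on hosts that already show the stop burst.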

There are similarities between Ryuk and ransomware that some researchers have dubbed Hermes, first seen in the fall of 2017. That led Check Point to believe those behind Ryuk are either the same operators as those behind the Hermes strain, or someone who has gained access to the Hermes source code. It then adds injected code for file encryption.

Protection tip

According to Check Point, it’s important to note that the malware will attempt to write a dummy file to the Windows directory, which would only be allowed with Admin privileges. This file will write two more files to a subfolder in the Windows directory, one of which contains an RSA public key for encryption, while the second contains a hardcoded key. But if the creation of the first dummy file fails, the malware will sleep for a while and attempt the same another five times. If failure persists beyond these attempts, Ryuk will simply terminate.

This is important because one of the ways to stop Ryuk is to make sure people with Windows administration privileges have to log in with complex passwords requiring multi-factor authentication.

Check Point said the Hermes strain is “commonly attributed” to the North Korean threat actors dubbed the Lazarus Group,