Shinigami's revenge: the long tail of Ryuk malware

Thursday 3 October 09:00 - 09:30, Red room

Gabriela Nicolao (Deloitte)
Luciano Martins (Deloitte)



Ryuk is a piece of ransomware that was first observed in August 2018 and has been in the news since then. Among its victims, companies from different industries such as famous newspapers, restaurants, public institutions and a cloud service provider have been reported. Ryuk has been observed along with Emotet and Trickbot, two of the most widely spread threats that are currently being used in malware campaigns. What makes Ryuk interesting is the fact that is being used in targeted campaigns, dropped days or weeks after a victim was first compromised, and its ties with threat actor groups. At first, security researchers believed the Ryuk ransomware was tied to North Korean actors because its code was similar to Hermes, another ransomware that was used by infamous threat actor Lazarus. Four months later, that theory was discarded, and it was attributed to Russian-speaking actors dubbed Grim Spider. This paper will review Ruyk's technical aspect since its appearance, and how it has evolved through the year.

 

 Related links

 

Gabriela-Nicolao-web.jpg

Gabriela Nicolao

Gabriela has a degree in information systems engineering from the Universidad Tecnológica Nacional (UTN) and a postgraduate degree in cryptography and teleinformatics security specialization from Escuela Superior Técnica of Facultad del Ejercito in Argentina. She works at Deloitte in the cyber threat intelligence area. Her tasks include malware analysis, network traffic analysis, incident response and indicators of compromise (IoC) hunting. She has five years of experience in the security field. She is also a teacher at UTN.

@rove4ever

 

Luciano-Martins-web.jpg

Luciano Martins

Luciano Martins is Director of Cyber Threat Intelligence at Deloitte Argentina and founder of the Vulnerability Assessment area, where he has been working for more than 15 years doing black box testing, ethical hacking, malware analysis, traffic analysis, incident response, digital forensic analysis, IOC, IOA, APT hunting, and more. He has strong skills in reverse engineering and application development. Luciano has about 20 years of experience in the field of security. Before joining Deloitte, he founded the USSR LABS company in Argentina, which he led for five years.

@clucianomartins


   Download slides    Read paper    Watch video

Back to VB2019 Programme page

Other VB2019 papers

Targeted attacks through ISPs

Denis Legezo (Kaspersky Lab)

Oops! It happened again!

Righard Zwienenberg (ESET)
Eddy Willems (G DATA)

Spoofing in the reeds with Rietspoof

Jan Sirmer (Avast Software)
Luigino Camastra (Avast software)
Adolf Středa (Avast software)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.