The malicious code, known as Ryuk, targets “logistics companies, technology companies and small municipalities” holding high-value data, demanding ransoms of more than $5 million in bitcoin, the Federal Bureau of Investigation (FBI) said.
In January, Ryuk was alleged to be behind the breach of Tribune Publishing, disrupting all of the company’s affiliate networks. In June, officials in Lake City, Florida paid a $460,000 ransom after the city’s computer systems went dark. This came two weeks after the $600,000 ransomware attack on Riviera Beach, Florida.
Ryuk is believed to be an improved version of the Hermes malware, which was discovered in August last year. It spreads through the usual botnet and spam channels and gains entry through unprotected IP ports.
Once installed, the malware deletes the files associated with the intrusion and disables antivirus software, thereby obscuring the infection vector. In one case, however, FBI agents found evidence that Ryuk gained entry through a Remote Desktop Protocol (RDP) brute-force attack.
“After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded… once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files,” the FBI wrote in a Flash alert.
The malware also drops a “RyukReadMe” file containing the ransom note, which opens in the victim’s web browser. The HTML page includes two email addresses belonging to the attackers, the name of the malware, and the cryptic phrase “balance of shadow universe.”
The FBI has been monitoring the malware since last year and has observed several variants. The Chinese variant reportedly runs 32-bit and 64-bit ransomware modules simultaneously, which may allow further modification of the malware.
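The two observable stages described above, an RDP brute-force attempt followed by the drop of a “RyukReadMe” note, are both visible in ordinary audit logs. The following detection script is an added example, not code from the article or from the FBI alert. It assumes a simplified plain-text rendering of Windows Security logon events (Event ID 4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP) and of file-creation audit events; the log lines, IP addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon events, rendered as plain text:
# "<timestamp> <event_id> <logon_type> <source_ip> <account>".
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SECURITY_LOG = """\
2019-06-10T02:00:01 4625 10 203.0.113.7 administrator
2019-06-10T02:00:03 4625 10 203.0.113.7 admin
2019-06-10T02:00:05 4625 10 203.0.113.7 backup
2019-06-10T02:00:08 4625 10 203.0.113.7 administrator
2019-06-10T02:00:11 4625 10 203.0.113.7 sqlsvc
2019-06-10T02:00:14 4625 10 203.0.113.7 administrator
2019-06-10T02:00:40 4624 10 203.0.113.7 administrator
2019-06-10T02:05:00 4625 10 198.51.100.2 jsmith
2019-06-10T09:30:00 4625 10 198.51.100.2 jsmith
"""

# Constructed sample of file-creation audit events: "<timestamp> CREATE <path>".
FILE_EVENTS = r"""
2019-06-10T03:10:12 CREATE \\fileserver\share\finance\RyukReadMe.html
2019-06-10T03:10:12 CREATE C:\Users\jsmith\Documents\RyukReadMe.txt
2019-06-10T03:10:15 CREATE C:\Users\jsmith\Documents\notes.txt
"""

LOGON_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")
FILE_RE = re.compile(r"^(\S+) CREATE (.+)$")
# Ransom note name from the article; matched as the final path component, any case.
RANSOM_NOTE_RE = re.compile(r"(^|[\\/])RyukReadMe\.(html?|txt)$", re.IGNORECASE)


def parse_logons(text):
    """Parse the simplified logon lines into (timestamp, event_id, logon_type, src_ip, account)."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, src, account = m.groups()
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), src, account))
    return events


def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"failures": n, "accounts": [...], "success_after": bool}}.
    "success_after" is True when a successful RDP logon from the same source
    follows the burst of failures, the pattern of a brute force that worked.
    """
    by_src = defaultdict(list)
    for ev in parse_logons(text):
        if ev[2] == 10:  # RDP only
            by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        failures = [e for e in evs if e[1] == 4625]
        best, best_end, start = 0, None, 0
        for end in range(len(failures)):
            # Shrink the window from the left until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, failures[end][0]
        if best >= threshold:
            findings[src] = {
                "failures": best,
                "accounts": sorted({e[4] for e in failures}),
                "success_after": any(e[1] == 4624 and e[0] >= best_end for e in evs),
            }
    return findings


def ransom_note_drops(text):
    """Return the paths of newly created files whose name matches the Ryuk ransom note."""
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m and RANSOM_NOTE_RE.search(m.group(2)):
            hits.append(m.group(2))
    return hits


if __name__ == "__main__":
    for src, info in rdp_bruteforce_sources(SECURITY_LOG).items():
        print(f"RDP brute force from {src}: {info}")
    for path in ransom_note_drops(FILE_EVENTS):
        print(f"Ransom note dropped: {path}")
```

The two checks are deliberately independent: the logon detector fires early, before any encryption, while the note detector fires late but with high confidence. In practice the same logic would be fed from the Security event log and from file-server object-access auditing rather than from the constructed strings above, and the note-file pattern would be extended as new variants are observed.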
At the time of writing, the number of Chinese enterprises that have been infected has not been disclosed.