Stop the Presses: Ryuk Holds LA Times for Ransom
A recent malware attack disrupted nationwide distribution of major newspapers affiliated with Tribune Publishing. The attack delayed distribution not only of the LA Times and the San Diego Union Tribune, but also interrupted distribution of The Wall Street Journal and New York Times on the West Coast, since they share a printing press with the LA Times.
The malware was identified as Ryuk, a piece of ransomware named after the god of death in the popular Japanese manga Death Note, and Ryuk tries to live up to its namesake. Unlike most ransomware, Ryuk is used exclusively for targeted attacks. Once it infects an organization’s network, it spreads rapidly from computer to computer, encrypting important files with encryption the victim cannot break without the attacker’s key.
Anyone who tries to access the encrypted data gets a ransom note from the attacker demanding bitcoin in exchange for freeing the data. If the organization refuses to pay, then Ryuk promises to keep the important files locked up forever. The goal of Ryuk ransomware isn’t to steal information, but to shut the victim down.
CyberArk Labs has been aware of Ryuk since it was identified by our compatriots at Check Point Research as a part of the HERMES family of ransomware. As part of its ongoing malware research, CyberArk Labs has thoroughly tested variations of Ryuk to understand its behavior and to support the evolution of CyberArk solutions that prevent this ransomware from encrypting files.
Tribune Publishing first noticed it had a problem when sports editors at the San Diego Union-Tribune attempted to send digital files to the plate-making facility. Digital files containing anything that was meant for publication would not transmit to the plate-making process. The editors were locked out of the system and unable to go to press as usual. Newspapers pride themselves on their timeliness, but with Ryuk malware in the way, the presses were running late. According to the LA Times, between 80 and 85 percent of the San Diego Union-Tribune’s Saturday paper didn’t reach subscribers the weekend after the attack.
Once programmers at Tribune Publishing and the LA Times identified that they were dealing with an attack, they started working to isolate the malware code. But they ran into additional problems with every new file they tried to access. Eventually, the programmers were able to start making progress toward containing Ryuk and bringing the Tribune Publishing servers back online. Unfortunately, the security patches didn’t hold, and Ryuk re-infected the network.
It’s extremely important to keep Ryuk from ever gaining a foothold in your network. The best way to do that is to lock down the endpoints, containing the attack early in its lifecycle. This can be done by enforcing least privilege on endpoints and using credential theft protection to actively shield against malware. According to Check Point Research, Ryuk needs admin credentials in order to inject its code and begin file encryption. One of the main functions of privilege management is to restrict access to credentials, making it much more difficult for malware like Ryuk to gain access to the kind of account it needs. Check Point Research added that before Ryuk is deployed, the attackers behind it need to collect extensive credentials from the system they intend to infect. Credential theft protection keeps these credentials out of attackers’ hands.
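The paragraph above describes the two controls that deny Ryuk the admin account it needs: least privilege on the endpoint and protection of cached credentials. The script below is an added example written for this page, not CyberArk’s product code and not anything from the original post; it audits a Windows endpoint for the conditions those controls are meant to enforce. It uses built-in Windows settings as a stand-in for a commercial credential theft protection product: the LSA protection value (RunAsPPL) and the WDigest cleartext-caching value are real registry settings, while the list of approved local administrators is a constructed placeholder you would replace with your own baseline.

```powershell
# Added example: audit an endpoint's least-privilege and credential-protection posture.
# Not CyberArk's code. The $ApprovedAdmins baseline is a constructed placeholder.

function Test-EndpointPrivilegePosture {
    param(
        # Constructed baseline: principals that are allowed to hold local admin rights.
        [string[]]$ApprovedAdmins = @(
            "$env:COMPUTERNAME\Administrator",
            'CORP\Endpoint-Admins'          # hypothetical domain group
        )
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Least privilege: who actually sits in the local Administrators group?
    #    Every member outside the approved baseline is an account Ryuk-style
    #    ransomware could use to inject code and start encrypting.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings.Add([pscustomobject]@{
                Check    = 'UnexpectedLocalAdmin'
                Detail   = "$($m.Name) ($($m.ObjectClass), source $($m.PrincipalSource))"
                Severity = 'High'
            })
        }
    }

    # 2. Is the interactive session itself running with admin rights? Day-to-day
    #    work under an admin token is exactly the foothold the text warns about.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings.Add([pscustomobject]@{
            Check    = 'SessionIsElevated'
            Detail   = "$($identity.Name) is running elevated"
            Severity = 'Medium'
        })
    }

    # 3. Credential protection: LSA protection (RunAsPPL) blocks untrusted code from
    #    reading lsass memory, where credentials are cached. 1 or 2 = enabled.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RunAsPPL -notin 1, 2) {
        $findings.Add([pscustomobject]@{
            Check    = 'LsaProtectionDisabled'
            Detail   = 'RunAsPPL is missing or 0; lsass is readable by admin-level malware'
            Severity = 'High'
        })
    }

    # 4. Credential protection: WDigest must not cache cleartext logon credentials.
    #    UseLogonCredential = 1 re-enables cleartext caching; 0 or absent is expected.
    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
                           -Name 'UseLogonCredential' -ErrorAction SilentlyContinue
    if ($wd -and $wd.UseLogonCredential -eq 1) {
        $findings.Add([pscustomobject]@{
            Check    = 'WDigestCleartextEnabled'
            Detail   = 'UseLogonCredential = 1; cleartext passwords are cached in memory'
            Severity = 'High'
        })
    }

    return $findings
}

# Usage: run on the endpoint; an empty result means the audited controls are in place.
$result = Test-EndpointPrivilegePosture
if ($result.Count -eq 0) {
    Write-Output 'No findings: local admin membership matches baseline and credential caching is hardened.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from a standard (non-elevated) session first: the `Get-LocalGroupMember` and registry reads work without admin rights, and a `SessionIsElevated` finding on a workstation is itself evidence that least privilege is not being enforced. Feed the output into whatever inventory or SIEM you already use so drift in local admin membership is caught before an attacker needs it.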
For more research on the connection between malware and credential theft, check out the CyberArk Threat Research blog from the CyberArk Labs team.