The criminals behind Ryuk, a form of ransomware that’s tormented state and local governments, among many other victims, may have earned more than $150 million since they first appeared in 2018, according to a report this week from two cybersecurity companies.
The authors of the report, published by threat intelligence firm Advanced Intel and Canadian security vendor HYAS, made their estimate by tracking payments made to 61 Bitcoin wallets that have been attributed to Ryuk attacks. Researchers got a picture of Ryuk’s financial activities by looking at deposits and withdrawals made primarily through a pair of Asian cryptocurrency exchanges, Huobi and Binance, that are subject to questionable legal oversight.
Other research has linked Ryuk to a hacking group based in Russia, but the use of Huobi and Binance is not unusual, as both are favored for criminal activity. While both were founded in China, the exchanges have expanded their operations into other countries with more lenient cryptocurrency regulations.
“A legal authority can request identity details for the individuals receiving the payments,” the report reads. “We would not expect successful criminal enterprises like Ryuk to make use of a US-based exchange although we have observed other ransomware operators taking this approach.”
Ryuk has been one of the most pernicious and aggressive forms of ransomware to strike at state and local government across the United States, and has claimed several six-digit payments from its victims. According to StateScoop’s Ransomware Attacks Map, at least 32 government entities have been targeted by the Ryuk malware since 2018.
The list of communities that paid up include Jackson County, Georgia, which paid a $400,000 ransom; Riviera Beach, Florida, which paid $594,000; and LaPorte County, Indiana, which paid $130,000. Ryuk was also named in incidents in late 2019 that targeted Louisiana state agencies and the City of New Orleans, neither of which paid.
Ryuk actors’ previous success in getting local governments to pay up may have motivated them to seek even larger sums: In July 2019, they attempted to extort the city of New Bedford, Massachusetts, for $5.3 million, which officials refused.
More recently, Ryuk — which is often installed on victims’ systems by the banking trojans Trickbot and Emotet, which are delivered via phishing emails — has been seen in a wave of attacks targeting U.S. hospitals and health systems, with the FBI and departments of Homeland Security and Health and Human Services issuing guidance.
The version of the report released by Advanced Intel and HYAS is redacted, though the companies said they will share a more detailed version with law enforcement agencies, security operations centers and fellow researchers.