The Los Angeles Times (LA Times) reported that ransomware named after Ryuk, a character in the popular manga “Death Note,” was behind the attack on Tribune Publishing operations that disrupted the distribution of major newspapers across the United States.
Ryuk is a shinigami or god of death in “Death Note.”
Believing that the attack originated from outside the US, the Department of Homeland Security stepped in and launched an investigation. Ryuk is not new ransomware; the US government has been tracking it and in August released an advisory warning that Ryuk attacks were “highly targeted, well-resourced and planned.”
According to the LA Times, the company detected the attack when sports editors had difficulty sending the digital pages to the printers on Thursday. By Friday, it had spread through the system, affecting the distribution of The Times and the Union-Tribune, as well as papers in Chicago, Connecticut, and Florida, and the West Coast editions of the Wall Street Journal and New York Times, which are printed in downtown Los Angeles.
SecurityWeek reported that security firms Check Point and Sophos have been analyzing Ryuk for the past several months and specifically noted that “the ransomware has been used in targeted attacks.”
MalwareHunterTeam had reported five initial victims of Ryuk when it surfaced and was detected in August. According to Check Point’s report, the attackers had collected over $640,000 by that time. The firm also noted that Ryuk shares code with the Hermes ransomware, which has been attributed to the Lazarus Group, the North Korea-linked actor believed to be behind the massive WannaCry attack.
The LA Times quoted Ben Herzog, a security researcher at Check Point, as saying that many ransomware attacks target a large number of victims “with infected links or attachments” and then demand money to unlock computers or recover important data. However, it was not clear how much money was at stake or how much the Ryuk attackers hoped to collect from the recent attack.
Check Point also said that, based on its analysis, it did not find that Ryuk had a method for automatically spreading across a network, which might indicate “prior, manual work that was done by the attackers in order to take these networks as a hostage.” For defenders, the practical implication is that Ryuk is the final stage of a hands-on intrusion: the operators had already gained access and moved across the network before the encryptor ran, so the opportunity for detection lies in that earlier activity rather than in the ransomware binary itself.