McAfee casts doubt on Ryuk ransomware connection to North Korea

McAfee's Advanced Threat Research team argued cybercriminals -- not North Korean hackers -- were behind the recent Ryuk ransomware attack on Tribune Publishing Co.

Some media reports implicated North Korea in that attack because previously published research from Check Point Software Technologies noted strong similarities between Ryuk and another type of ransomware, called Hermes, which has been tied to North Korean state-sponsored hackers known as the Lazarus Group. McAfee researchers, however, cast doubt on the cyber attribution case against North Korea in a report published on Wednesday.

The cyberattack on Tribune Publishing occurred late last month and affected the company's production platform, disrupting and delaying the production of several newspapers. The Los Angeles Times reported the malware that infected Tribune Publishing's systems was Ryuk ransomware, which was first detected last August by Check Point.

While Check Point researchers didn't directly attribute Ryuk ransomware to the Lazarus Group, some media reports implicated North Korea in the Tribune Publishing cyberattack. The issue was further complicated when another company, cloud service provider Data Resolution, blamed a reported cyberattack on Ryuk and North Korea. 

In a report titled "Ryuk Ransomware Attack: Rush to Attribution Misses the Point," John Fokker, head of cyber investigations for McAfee's Advanced Threat Research team, and Christiaan Beek, lead scientist and senior principal engineer at McAfee, argued the evidence points to cybercriminals, rather than North Korea.

"Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation," they wrote.

According to the report, the indicators and evidence include activity on an underground hacker forum in 2017, where a Russian-speaking member offered a malware kit for "Hermes 2.1" ransomware, and another post on the same forum cited Ryuk in October. McAfee's Advanced Threat Research team agreed "the actors behind Ryuk have access to the Hermes source code," and the functionality between the two ransomware variants is "generally equal."

But researchers also said the Ryuk ransomware code evolved from the Hermes kit in recent months, and Ryuk is an altered version of Hermes 2.1.

"The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor," the report stated. "From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used."

Fokker and Beek were more blunt about their assessment on Twitter. Fokker tweeted that North Korea "is definitely not our suspect" in the Ryuk attacks, while Beek tweeted that attributing Ryuk to North Korea "is a mistake."