with this ransomware strain were first spotted last Monday, August 13, according to independent security researcher MalwareHunter, who first tweeted about this new threat. There have been several reports from victims regarding infections with Ryuk in the past week, including one on the Bleeping Computer forums.

But despite these reports, security researchers from various companies have not been successful at identifying how this ransomware spreads and infects victims. The common train of thought is that this ransomware spreads via targeted attacks, with the Ryuk crew targeting selected companies one at a time, either via spear-phishing emails or Internet-exposed and poorly secured RDP connections, although researchers have not been able to pinpoint the exact entry vector for infections as of yet.

"According to what we can see right now, it seems the attacks are targeted, i.e. a result of some manual compromise," Mark Lechtik, a Check Point security researcher, told Bleeping Computer in a private conversation today. "Reason for this is that the malware needs Admin privileges to run, which it doesn't achieve on its own. Something else that executes it had to achieve this privilege," he added. "But no artifact was found to show what spawned the execution of the malware (i.e. no mail, document, script etc.)."

Ryuk shuts down over 180 services on infected hosts

But there are also some differences. The main one, spotted by both Check Point and MalwareHunter, is that Ryuk comes with a huge list of apps and services it shuts down before infecting a victim's systems. "The ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stop on a list of predefined service and process names," Check Point researchers explained in a report.

The ransom note conundrum

Furthermore, Ryuk's targeted nature is never more obvious than when it comes to its ransom notes.
Check Point says it found several Ryuk samples where the ransomware dropped different ransom notes on users' systems. Researchers found a long, more verbose ransom note, and another, blunter and to-the-point ransom demand. Both ransom notes asked victims to contact the Ryuk authors via email. Coincidentally or not, the ransom fees demanded via the longer and more detailed ransom note were higher (50 Bitcoin, ~$320,000), compared to the shorter ransom note, where the crooks asked for a smaller amount of money (15-35 Bitcoin, ~$224,000).

"There seems to be some adaptation made in the ransom notes," Lechtik told Bleeping Computer, suggesting this particular detail adds up to the assumption that Ryuk is deployed after hackers infect networks and not via mass email spam. "This could imply there may be two levels of offensive," Check Point said, suggesting that the Ryuk gang may also deploy different Ryuk samples based on the organization they manage to infect, and their ability to pay higher ransom fees.

Ryuk not decryptable at the time of writing

As for the ransomware's encryption, this is a classic AES-RSA combo that's usually undecryptable unless the Ryuk team made mistakes in its implementation. As of yet, researchers have not spotted such a weakness in Ryuk. Similar to most elite ransomware strains, unique Bitcoin payment addresses are created for each victim. Check Point says that money doesn't stay long in these addresses, and it is quickly split and laundered through different accounts.

While previous versions of the Hermes ransomware have been an on-and-off threat that surfaces at random intervals with a mass spam campaign, the new Ryuk ransomware strain appears to be a new attempt from the Lazarus Group at developing a SamSam-like strain to use in precise surgical strikes against selected organizations.
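The service-stopping behaviour Check Point describes (a burst of taskkill and net stop commands against a predefined list) is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from Check Point; it runs over a constructed list of events, and the tuple layout (timestamp, host, command line) is an assumption rather than any product's log schema.

```python
"""Flag hosts that emit a burst of taskkill / net stop commands in a short
window, the pre-encryption pattern described above. Added example; EVENTS is
constructed sample data and the tuple layout is an assumption."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
EVENTS = [
    ("2018-08-13T09:00:01", "ws01", 'net stop "Acronis VSS Provider" /y'),
    ("2018-08-13T09:00:01", "ws01", "taskkill /IM sqlservr.exe /F"),
    ("2018-08-13T09:00:02", "ws01", r'"C:\Windows\system32\net.exe" stop MSSQLSERVER /y'),
    ("2018-08-13T09:00:02", "ws01", "taskkill /IM outlook.exe /F"),
    ("2018-08-13T09:00:03", "ws01", "net1 stop vss /y"),
    ("2018-08-13T09:00:03", "ws01", "taskkill /IM excel.exe /F"),
    ("2018-08-13T09:05:00", "ws02", "net stop spooler"),   # one-off admin action
    ("2018-08-13T09:30:00", "ws02", "netstat -an"),        # name collision, not net stop
]

# Executable name (optional path, .exe suffix and quotes) plus its first argument.
KILL_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?(taskkill|net1?)(?:\.exe)?"?\s*(\S*)', re.I)

def is_kill_or_stop(cmdline):
    """True for taskkill in any form, and for net/net1 whose verb is 'stop'."""
    m = KILL_RE.match(cmdline)
    if not m:
        return False
    exe, verb = m.group(1).lower(), m.group(2).lower()
    return exe == "taskkill" or verb == "stop"

def find_burst_hosts(events, window=timedelta(seconds=60), threshold=5):
    """Return {host: peak count} for hosts with >= threshold kill/stop
    commands inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        if is_kill_or_stop(cmd):
            per_host[host].append(datetime.fromisoformat(ts))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged
```

The threshold separates a single administrative net stop from the dozens Ryuk issues within seconds; tune it against your own environment's baseline before alerting on it.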
Researchers identified over 70 organizations targeted in these attacks, with most located in Ukraine, and especially in the self-declared separatist states of Donetsk and Luhansk, near the Russian border. The target list includes editors of Ukrainian newspapers; a scientific research institute; a company that designs remote monitoring systems for oil & gas pipeline infrastructures; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines, and water supply plants; among many others.

According to CyberX security experts, the attacks are mostly driven by spear-phishing emails that spread Word documents containing malicious macros. The attacks lure victims into allowing the macros in these documents to execute by telling them the document was created in a newer version of Word, and that enabling macros allows them to view its content. Enabling macros downloads several malware families in multiple stages. The downloaded malware doesn't include destructive features and uses several mechanisms to remain hidden, an important clue pointing to the fact that its authors are using it for reconnaissance only.

Using Dropbox instead of a custom web server for collecting data is yet another sign that the hackers are trying to stay hidden as long as possible. This is because it would be much easier to detect malicious traffic sent to a remote web server compared to Dropbox, an application whitelisted by firewalls and other security products. CyberX researchers named this particular campaign BugDrop because the crooks used the PC's microphone to bug victims, and Dropbox to exfiltrate data.
After analyzing the malware deployed in this campaign, CyberX security experts claim the malware and techniques used in the BugDrop operation are similar to Groundbait, another cyber-espionage campaign discovered in May 2016 by ESET researchers.
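The lure described above combines two observable traits: the document carries a VBA project, and its visible text asks the reader to enable macros because the file was supposedly made in a newer version of Word. The following triage check is an added example, not CyberX's tooling; the sample documents are constructed in memory so it runs offline, and the lure phrase list is illustrative.

```python
"""Triage an OOXML Word file for the BugDrop-style lure: VBA project present
plus enable-macros wording in the body. Added example; the documents built
below are constructed stand-ins, not real samples."""
import io
import re
import zipfile

LURE_PHRASES = ("enable content", "enable macros", "enable editing", "newer version")

def build_docx(body_text, with_vba):
    """Constructed minimal OOXML package containing only the parts the check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")  # constructed, not real VBA
    return buf.getvalue()

def triage_docx(data):
    """Return (has_vba, lure_hits), or None if the bytes are not a zip package."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        text = ""
        if "word/document.xml" in names:
            xml = z.read("word/document.xml").decode("utf-8", "replace")
            text = " ".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml)).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    return has_vba, hits

def is_suspicious(data):
    """Both traits together: macros present and the body nudges the reader to enable them."""
    r = triage_docx(data)
    return r is not None and r[0] and bool(r[1])

# Constructed samples: the lure, a legitimate macro workbook-style document, and a plain one.
LURE = build_docx("This document was created in a newer version of Microsoft Word. "
                  "Enable content to view it.", True)
BENIGN_MACRO = build_docx("Quarterly expense template. Totals are computed by the macro.", True)
PLAIN = build_docx("Meeting notes for Monday.", False)
```

A macro alone is not evidence of anything; the combination with the enable-macros nudge is what separates the lure from ordinary macro-bearing business documents.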