Hidden Dangers of Ryuk Ransomware - 6 History of Ryuk

VI. History of Ryuk

As noted earlier, some so-called security experts have claimed that Ryuk is a new kind of Ransomware that was first noticed in August 2018. These same experts claim that Ryuk was created by North Korean or Russian hackers. What these experts ignore is the capability of an NSA tool called Marble Framework to hide the real original source of malware. Thanks to the Wikileaks release of the NSA Marble Framework in March 2017, we know that for a long time prior to 2017, the NSA was producing cyber weapons using Russian, Chinese and several other languages to hide the fact that the tools were written by the NSA.

There are many indications that Ryuk does not come from some foreign country. One of the biggest is that Ryuk has a valid signed certificate of trust called a Thawte Certificate. These signed certificates are generally not issued to Russian or North Korean hackers. The certificate was issued to WMV CONSULTING LTD, which is registered in the United Kingdom but appears to be a front for some other organization. Still, it is difficult to believe that either Russia or North Korea would register their hacking group in Great Britain. Instead, Ryuk seems to be mimicking NSA viruses like Stuxnet and Flame, both of which used Microsoft signed certificates to evade detection. What was interesting about the Microsoft certificates is that, instead of being valid for the normal two years, the certificates Microsoft issued to the NSA for their cyber weapons were valid for six years. This is not only extremely unusual, it is one of several pieces of hard evidence indicating that Microsoft was cooperating directly and actively in assisting the NSA in the development of their cyber weapons.

To find the real source of cyber weapons, all one needs to do is follow the money. The NSA has a budget that is at least 100 times larger than all of the other hacking groups in the world combined. Thus, the odds of any malware or complex cyber weapon coming from the NSA rather than North Korea, Russia, China or Iran are on the order of 100 to 1.

In addition to following the money, we can follow the IP addresses of the hackers' Command and Control servers. Hundreds of these IP addresses have been published by researchers analyzing Trickbot, Ryuk and other cyber weapons.

Most of these Command and Control servers are located here in the USA. The location of these IP addresses is significant because, thanks to the USA Patriot Act, all servers in the US are subject to search by the FBI. US servers would therefore be the last place that Russian, Chinese, Iranian or North Korean hackers would use for Command and Control servers. Remember this the next time someone tells you that the Russians and/or Koreans are the source of Ryuk Ransomware.

As just one example of how far the NSA is willing to go to maintain this deception about Korean hackers invading our computers, on June 8 2018, the NSA actually filed charges against a North Korean for being the mastermind behind the WannaCry cyber attacks. The complaint filed in a federal court in Los Angeles, CA was 176 pages long and includes the IP addresses of many servers used by the hacker. While some of these servers may in fact have been in North Korea, most of the IP addresses were in the United States. If you were a North Korean hacker, would you really be using US servers?


In addition, the complaint claimed that this hacker was able to rob millions of dollars from several banks. Yet these same hackers were not able to hack the networks of local US movie theaters. To be clear, I am not claiming that North Koreans and Russians do not engage in hacking. What I am claiming is that neither of them would be using US servers. I am also certain that international banks have more secure computer networks than your local movie theater.

Finally, in recent months we have learned that Ryuk is typically downloaded AFTER the victim’s computer network has been infected by Trickbot. Trickbot in turn can take several months to take over a computer network. In fact, since Trickbot is also used to infect the backup files of a computer network, it is possible that the Ryuk attacks first seen in August 2018 actually began some time in 2017 shortly after the NSA hacking tools were released into the wild.

The NSA simply does not want the US public to know that they originally created nearly all cyber weapons being used in the world today. So they make up stories about North Korean, Russian, Chinese and Iranian hackers to mislead the public. This is also why they use the Marble Framework to include Russian language words in their malware. The NSA also releases stories about “new” types of ransomware with new names like Ryuk and Trickbot to make it seem like there are new cyber warfare threats each year. In fact, it would be more accurate to describe Ryuk, Trickbot, WannaCry and NotPetya ransomware as an evolution of the Stuxnet and Flame cyber weapons that were first unleashed by the NSA way back in 2007.

To make matters worse, reports indicate that Ryuk Ransomware has a low data-recovery success rate after a ransom payment is made. Relative to other types of ransomware, the decryption tool is very labor intensive and prone to failure.