{"id":93619,"date":"2019-01-09T11:00:14","date_gmt":"2019-01-09T19:00:14","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=93619"},"modified":"2024-02-19T21:46:01","modified_gmt":"2024-02-20T05:46:01","slug":"ryuk-ransomware-attack-rush-to-attribution-misses-the-point","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/","title":{"rendered":"Ryuk Ransomware Attack: Rush to Attribution Misses the Point"},"content":{"rendered":"<p><em>Senior analyst Ryan Sherstobitoff contributed to this report. <\/em><\/p>\n<p>During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.<\/p>\n<p>The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.<\/p>\n<p><strong>How McAfee approaches attribution<\/strong><\/p>\n<p>Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. 
Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.<\/p>\n<p><strong>Ryuk attack: putting the pieces together<\/strong><\/p>\n<p>In October 2017, we investigated an attack on a <a href=\"https:\/\/securingtomorrow.mcafee.com\/other-blogs\/mcafee-labs\/taiwan-bank-heist-role-pseudo-ransomware\/\">Taiwanese bank<\/a>. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term <em>pseudo-ransomware<\/em> to describe this attack. The malware was Hermes version 2.1.<\/p>\n<p>One of the functions we often see in <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/security-awareness\/ransomware.html\">ransomware<\/a> samples is that they will not execute if the victim\u2019s system language is one of the following:<\/p>\n<ul>\n<li>419 (Russian)<\/li>\n<li>422 (Ukrainian)<\/li>\n<li>423 (Belarusian)<\/li>\n<\/ul>\n<p>That was October 2017. 
Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the malware kit Hermes 2.1 ransomware:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93621\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1.png\" alt=\"\" width=\"1142\" height=\"899\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1.png 1142w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1-300x236.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1-768x605.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1-1024x806.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-1-635x500.png 635w\" sizes=\"auto, (max-width: 1142px) 100vw, 1142px\" \/><\/a><\/p>\n<p>What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? 
Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?<\/p>\n<p>In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93622\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2.png\" alt=\"\" width=\"1270\" height=\"474\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2.png 1270w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2-300x112.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2-768x287.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-2-1024x382.png 1024w\" sizes=\"auto, (max-width: 1270px) 100vw, 1270px\" \/><\/a><\/p>\n<p>This post contains a link to an <a href=\"https:\/\/xakep.ru\/2018\/08\/22\/ryuk\/\">article<\/a> in the Russian security magazine <a href=\"https:\/\/xakep.ru\/2018\/08\/22\/ryuk\/\">Xakep.ru<\/a> (\u201cHacker\u201d) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. 
This first appearance came well before last week\u2019s attack on newspaper printing services.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93623\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3.png\" alt=\"\" width=\"831\" height=\"607\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3.png 831w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3-300x219.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3-768x561.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-3-685x500.png 685w\" sizes=\"auto, (max-width: 831px) 100vw, 831px\" \/><\/a><\/p>\n<p><strong>Manga connection<\/strong><\/p>\n<p>Ryuk, according to Wikipedia, refers to a Japanese manga character from the series \u201cDeath Note.\u201d Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.<\/p>\n<p>Ransomware is typically named by its cybercriminal developer, as opposed to the naming of state-sponsored malware, which is mostly done by the security industry. 
It seems the criminals behind Ryuk are into manga.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93624\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-4.png\" alt=\"\" width=\"681\" height=\"557\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-4.png 681w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-4-300x245.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-4-611x500.png 611w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><\/a><\/p>\n<p>The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.<\/p>\n<h2><strong>Technical indicators<\/strong><\/h2>\n<p>Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.<\/p>\n<p>Let\u2019s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-5.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93625\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-5.png\" alt=\"\" width=\"628\" height=\"273\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-5.png 628w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-5-300x130.png 300w\" sizes=\"auto, (max-width: 628px) 100vw, 628px\" \/><\/a><\/p>\n<p>We can see the PDB paths are almost identical. 
When we compare samples from August and December 2018 and focus on the checksum values of the executables\u2019 rich headers, they are also identical.<\/p>\n<p>From a call-flow perspective, we notice the similarities and evolution of the code:<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93627\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6.png\" alt=\"\" width=\"1377\" height=\"605\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6.png 1377w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6-300x132.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6-768x337.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6-1024x450.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-6-1138x500.png 1138w\" sizes=\"auto, (max-width: 1377px) 100vw, 1377px\" \/><\/a><\/p>\n<p><em>The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.<\/em><\/p>\n<p>The author and seller of Hermes 2.1 emphasizes that he is selling a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. 
If changing a name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-93628\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7.png\" alt=\"\" width=\"1065\" height=\"465\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7.png 1065w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7-300x131.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7-768x335.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/20190107-Ryuk-7-1024x447.png 1024w\" sizes=\"auto, (max-width: 1065px) 100vw, 1065px\" \/><\/a><\/p>\n<h2><strong>Attribution: analyzing competing hypotheses<\/strong><\/h2>\n<p>In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim\u2019s site.<\/p>\n<p>Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We try not only to seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. 
By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.<\/p>\n<p>Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.<\/p>\n<p>The most <em>likely<\/em> hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper&#8230;<\/p>\n","protected":false},"author":1008,"featured_media":93648,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[5526,4452,180,4549],"coauthors":[5403,3576],"class_list":["post-93619","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-advanced-threat-research","tag-cybersecurity","tag-malware","tag-ransomware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Ryuk Ransomware Attack: Rush to Attribution Misses the Point | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Senior analyst Ryan Sherstobitoff contributed to this report. 
During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ryuk Ransomware Attack: Rush to Attribution Misses the Point | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-09T19:00:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-20T05:46:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2048\" \/>\n\t<meta property=\"og:image:height\" content=\"1152\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"John Fokker, Christiaan Beek\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@john_fokker\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"John Fokker, Christiaan Beek\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\"},\"author\":{\"name\":\"John Fokker\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41\"},\"headline\":\"Ryuk Ransomware Attack: Rush to Attribution Misses the Point\",\"datePublished\":\"2019-01-09T19:00:14+00:00\",\"dateModified\":\"2024-02-20T05:46:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\"},\"wordCount\":1032,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration.jpg\",\"keywords\":[\"Advanced Threat Research\",\"cybersecurity\",\"malware\",\"ransomware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\",\"name\":\"Ryuk Ransomware Attack: Rush to Attribution Misses the Point | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration.jpg\",\"datePublished\":\"2019-01-09T19:00:14+00:00\",\"dateModified\":\"2024-02-20T05:46:01+00:00\",\"description\":\"Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/01\/Network-of-internet-of-things-attacked-by-a-hacker-on-one-node-3D-illustration.jpg\",\"width\":2048,\"height\":1152},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ryuk-ransomware-attack-rush-to-attribution-misses-the-point\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"
name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Ryuk Ransomware Attack: Rush to Attribution Misses the Point\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/d4dadad7c176dd7a73390cfce3ce5e41\",\"name\":\"John 
Fokker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/8205fa3ae2b891a459426ee038d61bd4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/04\/Screen-Shot-2019-01-31-at-11.50.11-96x96.png\",\"caption\":\"John Fokker\"},\"description\":\"John Fokker is a Principal Engineer and Head of Cyber Investigations for the Advanced Threat Research. Prior to joining the team, he worked at the National High Tech Crime Unit (NHTCU), the Dutch national police unit dedicated to investigating advanced forms of cybercrime. Within NHTCU he led the data science group, which focused on threat intelligence research. During his career he has supervised numerous large-scale cybercrime investigations and takedowns. Fokker is also one of the cofounders of the NoMoreRansom Project. He started his career with the Netherlands Police Agency as a digital forensics investigator within a task force against organized crime. Before joining the national police, he served in the special operations and counterterrorism group of the Royal Netherlands Marine Corps.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/john-fokker-95b614107\/\",\"https:\/\/x.com\/john_fokker\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/john-fokker\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93619","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1008"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=93619"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93619\/revisions"}],"predecessor-version":[{"id":183163,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/93619\/revisions\/183163"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/93648"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=93619"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=93619"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=93619"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=93619"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}