A recently discovered ransomware group has netted almost $4 million since August, in large part by following a path that’s uncommon in its industry—selectively installing the malicious encryption software on previously infected targets with deep pockets. The method differs from the usual one of indiscriminately infecting all possible victims. That’s the take of two analyses published Thursday, one by security firm CrowdStrike and the other by competitor FireEye.
Both reports say that Ryuk, as the ransomware is known, infects large enterprises days, weeks, or as much as a year after they were initially infected by separate malware, which in most cases is an increasingly powerful trojan known as Trickbot. Smaller organizations infected by Trickbot, by contrast, don’t suffer the follow-on attack by Ryuk. CrowdStrike called the approach “big-game hunting” and said it allowed its operators to generate $3.7 million worth of Bitcoin across 52 transactions since August.
Besides pinpointing targets with the resources to pay hefty ransoms, the modus operan