Written by Sean Lyngaas

A criminal hacking group suspected of operating out of Russia has shifted tactics in recent months from wire fraud to targeting big organizations for ransomware payouts, according to new research.

The change in tactics is exemplified by the infamous Ryuk ransomware, which cybersecurity company CrowdStrike said Thursday is being used by a subset of the Russian group to rake in $3.7 million since August.

The trend in extorting bigger organizations “has been increasing in the last year and poses a significant challenge to enterprises and businesses,” Adam Meyers, vice president of intelligence at CrowdStrike, told CyberScoop. “We have observed numerous adversaries adopting this tactic and charging substantial fees to unlock data across the entire network.”

Ryuk has surfaced in a number of cyber incidents in recent months. A North Carolina water utility said it was hit by the ransomware in October. Last month, Ryuk was reportedly used in an attack that prevented multiple U.S. newspapers from delivering printed editions on time.

Ryuk was derived from the source code of the Hermes ransomware, which has been used in attacks on the SWIFT banking transfer system. But whereas Hermes is a “commodity” ransomware sold on underground forums and used by multiple groups, Ryuk is only employed by a cell of a larger criminal enterprise CrowdStrike refers to as Wizard Spider.

The cell, which CrowdStrike calls Grim Spider, is likely based in Russia, researchers said. In one case involving Ryuk, hackers uploaded files related to the incident investigation to a file-scanning website from an IP address in Moscow. The group was likely testing whether antivirus tools could detect its malware, CrowdStrike said.

“Ryuk is under constant development,” CrowdStrike researcher Alexander Hanel wrote in a blog post. “In recent months, Ryuk binaries have continued to deviate further and further from the original Hermes source code, with the threat actors adding and removing functionality often.”

The commands Ryuk uses to prevent recovery of locked files are “more extensive than most ransomware families” and evince “a thorough understanding of enterprise backup software,” Hanel wrote.

The research highlights how effective both Ryuk and the TrickBot trojan have been in slicing through target networks, giving Grim Spider the access it needs to extort victims. Sunnyvale, Calif.-based CrowdStrike said it has responded to multiple infections of Ryuk at organizations in which the TrickBot, which has targeted online bank accounts, was also present on the victim network.

CrowdStrike researchers also analyzed the Ryuk ransom note, showing how it is “remarkably similar” to the note used by BitPaymer, another ransomware. It is unclear if Ryuk’s operators are copying BitPaymer’s ransom notes or if the groups are sharing tactics, CrowdStrike said.

The research is a reminder of the plethora of cybercrime emanating from Russia. A report published last year by McAfee and the Center for Strategic and International Studies said Russia “leads overall in cybercrime, reflecting the skill of its hacker community and its disdain for western law enforcement.”