Understand your needs
Improve our services
Deliver personalised content
Save your preferences
Analyse visitor interactions
Your consent is voluntary – you can always change you cookie settings here.
Ryuk is deadly ransomware that encrypts Microsoft Windows systems and holds companies for Bitcoin ransom. Attacking businesses, hospitals, and governments since 2018, Ryuk and the gang behind it remain a formidable threat.
Apr 09, 2022 · 6 min read
1. A category of malware that locks (encrypts) your files or systems and holds them for ransom.
2. A fictional character in the manga series Death Note. Ryuk drops a “death note” that allows the user to kill anyone simply by knowing their name and face.
A Ryuk ransomware attack has a slow burn, taking several hours to reach maximum impact. Known for its worm-like self-replicating abilities, victims rarely notice the arms and legs of their systems becoming disabled since the heart of the system is the last to be encrypted.
Ryuk ransomware works in the following stages:
(These are very common local ranges of IP addresses.)
3. Encryption: Ryuk will now look for network drives and system locations that can be found in these IP address ranges so that it can encrypt them.
Ryuk encrypts files with the AES256 algorithm of Microsoft’s CryptoAPI and a unique AES key wrapped with an RSA public key stored in the binary code for each file. Frozen files will have “.RYK” on the end of them.
Note: Researchers have noticed that Ryuk will start to encrypt network shares first, so you won’t notice the effects on the host system (the one that is propagating the infection) until everything else is encrypted.
Since the host system is the last to be encrypted, it prevents many investigators from being able to quickly locate and isolate the source of the infection.
The initial infection of Ryuk ransomware is performed through TrickBot, which typically uses spam email to distribute infected code into the victim's machine. These emails are sent from spoofed email addresses to trick victims into opening a weaponized document attached to a phishing email, for instance.
Opening the document causes a malicious macro to execute a PowerShell command that attempts to download a banking trojan like TrickBot. Some trojans have the ability to download additional malware and spyware onto an infected machine.
Attackers can then collect admin credentials, which allows them to move across to critical assets connected to the network. Ryuk is then executed on each of these assets, crippling resources, files, and systems.
Now for the attackers’ big juicy moment: the ransom note. Ryuk attackers always leave a ransom note demanding that hundreds of thousands of dollars be transferred to a specific Bitcoin (BTC) wallet address.
The Ryuk ransom note is usually written to a file named “RyukReadMe.txt.” The body of the note contains the following information:
Based on transactions to known Ryuk BTC addresses, the ransom demand can vary. Researchers have suggested that the ransom amount is calculated on the size and value of the company that it attacks.
In 2019, Ryuk ransom demands were between $130,000 and $450,000 for two Florida cities affecting emergency services and admin systems.
In 2020, Ryuk attacked the Baltimore County Public System and over 250 medical facilities in the US. While both companies haven’t admitted to paying a ransom, they’ve reported that it cost them $10 million and $67 million to recover from the attacks but it’s still unclear if that money was spent paying ransoms.
A new variant of Ryuk ransomware emerged in January 2021, with self-replicating “worm-like” capabilities. Previous versions of Ryuk were not able to move laterally through a network, requiring them to move manually, instead.
A computer worm can spread copies of itself from device to device without human interaction or the need to root itself in a specific program. This means that the new Ryuk variant can move automatically through networks, spreading infection.
Note: This new variant of Ryuk is currently limited to Windows machines.
Hermes ransomware, the predecessor of Ryuk, was first created in February 2017, and it was instantly feared. Just one month after its release, a decrypter was written for Hermes, followed by the release of Hermes version 2.0 in April 2017 and version 2.1 in August 2017.
The only way for a victim to recover files is with the private encryption key, which can only be received by paying an eye-wateringly high ransom.
In mid-August 2018, a modified version of Hermes, coined Ryuk, began to appear in a public malware repository.
Ryuk was built to target large companies, and some modifications even include removing anti-analysis checks. So Ryuk can stop a machine from debugging its systems as well as performing vital checks like seeing if the host is running VirtualBox and ensuring that the host language hasn’t changed to Russian or Belarusian.
The key difference between Hermes and Ryuk is that Ryuk uses a second embedded public RSA key. But they still have a lot in common. They both:
Intelligence suggests that the hacker group WIZARD SPIDER is behind Ryuk ransomware.
WIZARD SPIDER could be operating from Russia, since Hermes was originally advertised on “exploit(.)in.” This Russian-speaking forum is a well-known marketplace for selling malware to criminal gangs.
Also, during a forensic investigation of a network breached by WIZARD SPIDER, artifacts were recovered with filenames in Russian. One of these files was named “!!! files dlya raboty !!!” which translates to “files for work.”
Ryuk ransomware has been causing chaos for over three years. Here are three of the biggest and worst Ryuk attacks that we know of.
When Ryuk attacked Norwegian energy tech firm Volue, 85% of the country’s population suffered the effects. The attack impacted systems infrastructure for Norway’s water and wastewater facilities in over 200 municipalities.
The aftermath of this devastating attack cost the UHS, one of the largest healthcare providers in the US, $67 million to recover from. Patients were forced to go to other emergency rooms, and test results and appointments were delayed.
Hearing that the school had a $1.5 billion budget is probably what allowed WIZARD SPIDER to park any sense of humanity the group might have had. Attacking it a few days before Thanksgiving, all remote school services were disrupted. The downtime apparently cost the school $10 million to recover.
The initial infection often starts with a spam email, so learning to differentiate spam from the real deal is crucial. But we can take many other more technical actions to prevent these nasty Ryuk attacks.
Your network logs may indicate foul play, and since Ryuk attackers begin by encrypting files outside of the main host, you might be able to catch any strange behavior early on.
Always create secure backups of your data on a regular basis. It's best to use cloud storage with high-level encryption and multi-factor-authentication to properly secure your precious resources. You could also back up your data on external hard drives, but make sure they’re physically disconnected from your main devices at work after backing up or else they could become infected too.
It’s crucial to protect on your network because that’s where the Ryuk processes are executed and where the files get encrypted. Some anti-malware/antivirus tools block ransomware from holding files hostage and even offer rollback technology designed to reverse the effects of ransomware.
NordLayer is the first VPN to include Threat protection, when you switch on the app it actively protects you against malware and other threats to your network. You can use it on laptops, tablets, smartphones, and PC's and is especially designed for company-wide use.