
What is Ryuk ransomware? And who’s behind it?

Ryuk is deadly ransomware that encrypts Microsoft Windows systems and holds companies for Bitcoin ransom. Attacking businesses, hospitals, and governments since 2018, Ryuk and the gang behind it remain a formidable threat.

Zen Bahar


What is Ryuk ransomware?

Ransomware

1. A category of malware that locks (encrypts) your files or systems and holds them for ransom.

Ryuk

[Ry-yookay]

2. A fictional character in the manga series Death Note. Ryuk drops a “death note” that allows the user to kill anyone simply by knowing their name and face.

  • Ryuk ransomware infects a system with malware which then encrypts essential files – crippling the company.
  • Once the files or systems have been locked, the attackers leave a ransom note or send a follow-up email explaining the amount of Bitcoin to be paid to unfreeze systems and files.
  • A typical Ryuk ransom demand can amount to a few hundred thousand dollars. By January 2019 (just five months after its creation), the gang operating Ryuk is estimated to have netted over 705.8 BTC across 52 transactions, for a total value of $3,701,893.98 USD.
  • In 2021, researchers estimated that the Ryuk ransomware criminal gang was worth over $150,000,000.

Technical details

How does a Ryuk ransomware attack work?

A Ryuk ransomware attack is a slow burn, taking several hours to reach maximum impact. Ryuk is known for its worm-like self-replicating abilities, and victims rarely notice the arms and legs of their systems being disabled because the heart of the system is the last to be encrypted.

Ryuk ransomware works in the following stages:

How it works
    1. Infection: The initial infection happens when Ryuk malware finds its way into a network. Ryuk is spread through several different methods, including Emotet (recently shut down by law enforcement agencies), TrickBot, and ZLoader.
    2. IP scanning: Ryuk then looks for network shares on the victim’s IT infrastructure. To do so, it scans the following IP ranges:
  • 10.0.0.0/8
  • 172.16.0.0/16
  • 192.168.0.0/16

(These are very common local ranges of IP addresses.)

    3. Encryption: Ryuk then looks for network drives and system locations reachable within these IP ranges so that it can encrypt them.

Ryuk encrypts each file with AES-256 through Microsoft’s CryptoAPI, generating a unique AES key per file and wrapping that key with an RSA public key embedded in the binary. Encrypted files are given the “.RYK” extension.

Note: Researchers have noticed that Ryuk will start to encrypt network shares first, so you won’t notice the effects on the host system (the one that is propagating the infection) until everything else is encrypted.

Since the host system is the last to be encrypted, it prevents many investigators from being able to quickly locate and isolate the source of the infection.

How Ryuk ransomware is distributed

The initial infection with Ryuk is typically performed through TrickBot, which is distributed by spam email that carries malicious code onto the victim's machine. These emails are sent from spoofed addresses to trick victims into opening, for instance, a weaponized document attached to a phishing email.

Opening the document causes a malicious macro to execute a PowerShell command that attempts to download a banking trojan like TrickBot. Some trojans have the ability to download additional malware and spyware onto an infected machine.

Attackers can then collect admin credentials, which allows them to move laterally to critical assets connected to the network. Ryuk is then executed on each of these assets, crippling resources, files, and systems.

Ryuk ransom notes

Now for the attackers’ big juicy moment: the ransom note. Ryuk attackers always leave a ransom note demanding that hundreds of thousands of dollars be transferred to a specific Bitcoin (BTC) wallet address.

The Ryuk ransom note is usually written to a file named “RyukReadMe.txt.” The body of the note contains the following information:

    1. A warning that your network has been penetrated.
    2. That all files on each host in the network have been encrypted with a strong algorithm.
    3. That your backups were either encrypted or deleted or that backup disks and shadow copies were formatted or removed.
    4. Warnings that there is no publicly available decryption software to reverse the attack and not to reset, shut down, rename, move, or delete “readme” files because this may lead to never recovering your files.
    5. And finally an email address (often Tutanota or ProtonMail) to contact to decrypt your files and the Bitcoin wallet address.
    6. The ransom note is starkly signed – “Ryuk, No system is safe.”

Ransom payments

Based on transactions to known Ryuk BTC addresses, the ransom demand can vary. Researchers have suggested that the ransom amount is calculated on the size and value of the company that it attacks.

In 2019, Ryuk ransom demands against two Florida cities, whose emergency services and administrative systems were affected, ranged between $130,000 and $450,000.

In 2020, Ryuk attacked the Baltimore County Public School System and over 250 medical facilities in the US. While neither organization has admitted to paying a ransom, they have reported that it cost them $10 million and $67 million respectively to recover from the attacks, and it is still unclear whether any of that money went to ransom payments.

Types of Ryuk ransomware

A new 2021 variant

A new variant of Ryuk ransomware emerged in January 2021, with self-replicating “worm-like” capabilities. Previous versions of Ryuk were not able to move laterally through a network on their own; the attackers had to move them manually instead.

A computer worm can spread copies of itself from device to device without human interaction or the need to root itself in a specific program. This means that the new Ryuk variant can move automatically through networks, spreading infection.

Note: This new variant of Ryuk is currently limited to Windows machines.

Kill Switch

A short history of Ryuk ransomware

Hermes ransomware, 2017

Hermes ransomware, the predecessor of Ryuk, was first created in February 2017, and it was instantly feared. Just one month after its release, a decrypter was written for Hermes, followed by the release of Hermes version 2.0 in April 2017 and version 2.1 in August 2017.

The only way for a victim to recover files is with the private encryption key, which can only be received by paying an eye-wateringly high ransom.

Ryuk ransomware, 2018

In mid-August 2018, a modified version of Hermes, coined Ryuk, began to appear in a public malware repository.

Ryuk was built to target large companies, and some of its modifications even remove anti-analysis checks: the checks for whether the process is being debugged, whether the host is running in VirtualBox, and whether the host language has been set to Russian or Belarusian.

Similarities between Hermes and Ryuk ransomware

The key difference between Hermes and Ryuk is that Ryuk uses a second embedded public RSA key. But they still have a lot in common. They both:

  • Encrypt files using RSA-2048 and AES-256
  • Store keys in the executable using the Microsoft SIMPLEBLOB format
  • Encrypt mounted devices and remote hosts
  • Use the file marker “Hermes” to mark or check if a file has been encrypted
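The key storage format named in the list above can be pulled out of a memory dump or an unpacked sample. This is an added example, not code from the article or from any published Ryuk analysis: it parses the CryptoAPI BLOBHEADER and RSAPUBKEY layout (the PUBLICKEYBLOB form in which CryptoAPI exports an RSA public key, which shares its 8-byte header with SIMPLEBLOB) and carves every such key out of a byte buffer. The sample buffer, its junk padding and the modulus value are constructed.

```python
import struct

# CryptoAPI blob constants from wincrypt.h (BLOBHEADER followed by the RSAPUBKEY struct).
# SIMPLEBLOB (bType 0x01) shares the same header, but the wrapped key that follows it has no
# self-describing length, so the carver keys off the RSA public-key blob instead.
PUBLICKEYBLOB, CUR_BLOB_VERSION = 0x06, 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352        # little-endian bytes "RSA1"


def build_publickeyblob(bitlen, exponent, modulus):
    """Build a PUBLICKEYBLOB laid out as CryptExportKey emits it (used for the constructed sample)."""
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, bitlen, exponent)
    return header + rsapubkey + modulus.to_bytes(bitlen // 8, "little")


def parse_publickeyblob(buf, off=0):
    """Parse a PUBLICKEYBLOB at buf[off:]; return a dict, or None if the bytes are not one."""
    if len(buf) < off + 20:
        return None
    btype, ver, _reserved, alg, magic, bitlen, exponent = struct.unpack_from("<BBHIIII", buf, off)
    if (btype, ver, alg, magic) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX, RSA1_MAGIC):
        return None
    if bitlen % 8 or len(buf) < off + 20 + bitlen // 8:
        return None            # truncated blob or implausible key length
    modulus = int.from_bytes(buf[off + 20: off + 20 + bitlen // 8], "little")
    return {"offset": off, "bits": bitlen, "exponent": exponent, "modulus": modulus}


def carve_rsa_public_keys(buf):
    """Scan a byte buffer (e.g. an unpacked binary) for every embedded RSA public-key blob."""
    keys, pos = [], buf.find(b"RSA1")
    while pos != -1:
        # The "RSA1" magic sits 8 bytes into the blob, right after the BLOBHEADER.
        key = parse_publickeyblob(buf, pos - 8) if pos >= 8 else None
        if key:
            keys.append(key)
        pos = buf.find(b"RSA1", pos + 1)
    return keys


def sample_binary():
    """Constructed bytes: junk, one 2048-bit blob, junk, then a decoy 'RSA1' with a bad header."""
    modulus = int.from_bytes(b"\x01" + b"\xab" * 254 + b"\xcd", "big")   # constructed, not a real key
    return (b"\x00junk" * 5 + build_publickeyblob(2048, 65537, modulus)
            + b"\xff" * 7 + b"RSA1xxxx" + b"\x00" * 30)
```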

Who is behind Ryuk ransomware?

Intelligence suggests that the hacker group WIZARD SPIDER is behind Ryuk ransomware.

WIZARD SPIDER could be operating from Russia, since Hermes was originally advertised on “exploit(.)in.” This Russian-speaking forum is a well-known marketplace for selling malware to criminal gangs.

Also, during a forensic investigation of a network breached by WIZARD SPIDER, artifacts were recovered with filenames in Russian. One of these files was named “!!! files dlya raboty !!!” which translates to “files for work.”

The biggest Ryuk ransomware attacks

Ryuk ransomware has been causing chaos for over three years. Here are three of the biggest and worst Ryuk attacks that we know of.

#3 May 2021, Volue

When Ryuk attacked Norwegian energy tech firm Volue, 85% of the country’s population suffered the effects. The attack impacted systems infrastructure for Norway’s water and wastewater facilities in over 200 municipalities.

#2 September 2020, Universal Health Services

The aftermath of this devastating attack cost the UHS, one of the largest healthcare providers in the US, $67 million to recover from. Patients were forced to go to other emergency rooms, and test results and appointments were delayed.

#1 November 2020, the Baltimore County Public School System

Hearing that the school had a $1.5 billion budget is probably what allowed WIZARD SPIDER to park any sense of humanity the group might have had. The attack came a few days before Thanksgiving and disrupted all remote school services. The downtime apparently cost the school $10 million to recover from.

How to prevent Ryuk attacks

The initial infection often starts with a spam email, so learning to differentiate spam from the real deal is crucial. But we can take many other more technical actions to prevent these nasty Ryuk attacks.

1. Check your network logs

Your network logs may indicate foul play, and since Ryuk attackers begin by encrypting files outside of the main host, you might be able to catch any strange behavior early on.
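One way to act on this advice, tied to the three IP ranges listed under “IP scanning” above. This is an added example in Python, not code from the article or from any vendor: it reads firewall connection logs and flags any internal host that touches an unusual number of distinct addresses inside those ranges on the SMB port within a short window, which is what share enumeration ahead of encryption looks like from the network. The log line format, the use of TCP port 445 as the signal, the 20-host threshold and the five-minute window are all assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The three ranges the article says Ryuk scans when looking for network shares.
RYUK_SCAN_RANGES = [ipaddress.ip_network(r)
                    for r in ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16")]
# Assumptions: enumeration shows up as TCP/445; 20 distinct internal hosts in 5 minutes alerts.
SMB_PORT, THRESHOLD, WINDOW = 445, 20, timedelta(minutes=5)

def parse_line(line):
    """Parse a constructed log line of the form '<ISO timestamp> <src> -> <dst>:<port>'."""
    ts, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))

def find_share_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: peak distinct internal hosts hit on 445 inside one window} for scanners."""
    events = defaultdict(list)                      # src -> [(timestamp, dst)]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT and any(dst in net for net in RYUK_SCAN_RANGES):
            events[src].append((ts, dst))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        counts, left = Counter(), 0                 # distinct destinations inside the window
        for ts, dst in hits:
            counts[dst] += 1
            while ts - hits[left][0] > window:      # expire hits that fell out of the window
                old = hits[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(counts))
    return alerts

def sample_log():
    """Constructed firewall log: one host sweeps a /24 on 445, another does normal file access."""
    t0 = datetime(2021, 1, 15, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=3 * i)).isoformat()} 10.1.2.50 -> 10.1.2.{i}:445"
             for i in range(1, 41)]                 # 40 distinct hosts in two minutes: a sweep
    lines += [f"{(t0 + timedelta(seconds=60 * i)).isoformat()} 10.1.2.51 -> 10.1.2.{s}:445"
              for i, s in enumerate((10, 11, 12))]  # three file servers: looks like normal use
    lines.append(f"{t0.isoformat()} 10.1.2.52 -> 203.0.113.7:445")  # outside the scanned ranges
    return lines
```

Run `find_share_scanners(sample_log())` to see only the sweeping host reported; lowering `threshold` shows how quickly ordinary file-server traffic would start producing noise.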

2. Back up your data

Always create secure backups of your data on a regular basis. It's best to use cloud storage with high-level encryption and multi-factor-authentication to properly secure your precious resources. You could also back up your data on external hard drives, but make sure they’re physically disconnected from your main devices at work after backing up or else they could become infected too.

3. Protect your network

It’s crucial to protect your network because that’s where the Ryuk processes are executed and where the files get encrypted. Some anti-malware/antivirus tools block ransomware from holding files hostage and even offer rollback technology designed to reverse the effects of ransomware.

4. Use a VPN

NordLayer is the first VPN to include Threat protection: when you switch on the app, it actively protects you against malware and other threats to your network. You can use it on laptops, tablets, smartphones, and PCs, and it is designed for company-wide use.


Zen Bahar
Zen likes to use her cybersecurity knowledge to help protect the privacy and freedom of others, otherwise, you can find her playing with paints in her studio in London.