The Ryuk Ransomware

Ryuk is a ransomware family that first appeared in mid to late 2018.

In December 2018, the New York Times reported that Tribune Publishing had been infected with Ryuk, forcing it to stop printing operations in San Diego and Florida.

The New York Times and the Wall Street Journal were also affected by the attack, which caused problems in distributing the Saturday editions of the newspapers.


What is Ryuk ransomware?

As a variant of the old Hermes ransomware, Ryuk tops the list of the most dangerous ransomware attacks.

In the CrowdStrike 2020 Global Threat Report, Ryuk represents three of the top 10 largest ransom requests of the year: $ 5.3 million, $ 9.9 million, and $ 12.5 million.

Ryuk has successfully attacked sectors and companies around the world. Hackers call the practice of targeting large corporations “big game hunting” (BGH).

Ryuk ransomware is believed to be run by a Russian cybercriminal group known as WIZARD SPIDER.

UNC1878, a cybercriminal active in Eastern Europe, has been linked to some specific attacks in the field of health care.


How a Ryuk Attack Happens

The distribution of this ransomware is not direct: in fact, other malware is downloaded first in the infection.

When Ryuk infects a system, it first stops 180 services and 40 processes. These services and processes could prevent Ryuk from doing his job, so their arrest is necessary to facilitate the attack.

At that point, data encryption can take place: Ryuk encrypts files such as photos, videos, databases and documents, and all users’ critical data, using AES-256 encryption.

The symmetric encryption keys are then encrypted using asymmetric RSA-4096.

Ryuk can remotely encrypt, including remote administrative shares. In addition, it can issue wake-up LAN commands, waking computers to enforce encryption.

These capabilities contribute to the effectiveness and extent of its encrypting activities, as well as the damage it can cause.

Hackers send ransom demands in the form of files named RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt.


Ryuk attack vector

Ryuk can use the Download as a Service (DaaS) mechanism to infect targeted systems.

DaaS is a service that one hacker offers to another. If a hacker develops ransomware but doesn’t know how to distribute it, other hackers with these skills help him distribute it.

Often, unwitting users fall into phishing attacks that facilitate the initial infection. AdvIntel reports that 91% of attacks start with phishing emails.

It is extremely important to train users to spot phishing emails. Training drastically reduces the chance of infection.

Ryuk is a software of the type Ransomware as a Service (RaaS) best known and known in terms of the extent of the infection.

Ransomware as a service (RaaS) is a model where ransomware developers offer their products for use by other hackers.

The developer receives a percentage of the successful ransom payments. RaaS is an adaptation of the Software as a Service (SaaS) model.

Once the user clicks on the phishing email, Ryuk downloads additional malware items called droppers. Additional malware includes Trickbot, Zloader, BazarBackdoor, and others.

These droppers are capable of installing Ryuk directly.

They might also install another malware like Cobalt Strike Beacon to communicate with a command and control (C2) network.

Ryuk downloads himself once the malware is installed and exploits ZeroLogon vulnerabilities on Windows servers.



Trickbot appeared in 2016 and is believed to be run by WIZARD SPIDER, the same hacker group that runs Ryuk.

This malware was used as a banking Trojan to steal user credentials, personal information, and bitcoins.

Trickbot was designed by experienced hackers, who made it useful for additional purposes, such as searching for files on an infected system.

It can also operate a side movement from one machine to another through the network.

Trickbot’s capabilities now include credential gathering, cryptocurrency mining, and more, but its most important function is to distribute Ryuk ransomware.


Indicators of Compromise (IoC)

The devastating consequences of ransomware can be dramatic, so it’s best to prevent an infection before it occurs.

This is not always possible, so operations personnel must be alert to detect the onset of an attack and take immediate action to prevent further damage.

Since Ryuk can infect a system through many different attack vectors, the work involved in detecting it is complicated.

There are many Indicators of Compromise (IoC) that allow network administrators and security officers to identify the precursors of a Ryuk infection. BazarLoader, a dropper, is a common entry point for Ryuk.

As mentioned earlier, TrickBot is another common entry point for Ryuk. One of its IoCs is an executable file whose name consists of 12 randomly generated characters.

Once TrickBot has created the file, for example, mnfjdieks.exe, it will be in one of these directories:





Best practice against Ryuk

There are many things companies and individuals can do to protect themselves from Ryuk.

Here are some examples:

  • Make sure that the operating system, software, and firmware patches are applied;
  • Use multi-factor authentication wherever possible, with robust secondary factors. An example is 2FA. The US National Institute of Standards and Technology (NIST) recommends not using SMS as a second factor;
  • Frequently check accounts, accesses, logs, and any other element available to verify configurations and activities;
  • Create regular backups of data and store them offline, especially for critical systems;
  • Educate users, in particular on the subject of phishing emails, as they are always at the forefront of receiving, reading, and replying to emails.