Everything You Need To Know About Ryuk Ransomware

Ryuk is a ransomware that has targeted several large organizations demanding payment in bitcoins. Find out more about the Ryuk Ransomware and how you can prevent it. 


Ryuk is a well-planned, targeted ransomware that attacks large organizations in return for a high ransom, which is demanded in bitcoin. Unlike general ransomware, which is regularly distributed through large spam campaigns and exploit kits, Ryuk is used only for custom attacks.

The encryption scheme is designed for smaller operations, so only important resources are infected in each target network. Attackers infect and distribute it manually. Ryuk's code is unique in that it identifies and encrypts network drives and leaves no shadow copies on endpoints.

Ryuk Origins

First discovered in August 2018, this 15-month-old malware has collected a total ransom from victims of almost 705.80 BTC across 52 transactions ranging from 15 BTC to 50 BTC, for a total current value of USD 3,701,893.98. On 15th October 2018, Onslow Water and Sewer Authority (OWASA) was attacked by Ryuk, which disrupted its network.

Later in December, Tribune Publishing newspapers were hit by Ryuk, which prevented them from printing their papers. A US defense contractor is the latest to be targeted by Ryuk, on 31st January 2020.

“Ryuk”, once only the name of a fictional character in popular Japanese comic books, has now become a threat to many international organizations. But this alone is insufficient to link the malware to a Japanese origin. Instead, observing similarities in code, structure, attack vectors, and languages, Cyber Point security researchers found a major connection between Ryuk and Hermes ransomware, which is now operated by Lazarus Group, a North Korean APT group.

Who is Behind Ryuk Ransomware?

According to CrowdStrike, the hacking group behind Ryuk is named GRIM SPIDER, which is believed to be a small part of a Russian group known as WIZARD SPIDER.

How Does Ryuk Work?

The Ryuk dropper contains a payload for both 64-bit and 32-bit operating systems. Using the “IsWow64Process” API, the dropper confirms the type and version of the operating system in use and drops the matching payload. The payload is then executed using the “ShellExecuteW” API. Ryuk creates a registry key that executes it on every login. The command that creates this key is as follows:

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f

Ryuk's main code is injected into several remote processes, except the processes named explorer.exe, lsaas.exe and csrss.exe. Ryuk ends the processes and stops the services included in a predefined list. These processes and services are mainly antivirus tools, databases, backups, and other software. To stop the infected system from being restored, Ryuk uses a .BAT file that deletes the backup storage files and shadow copies. Ryuk uses RSA and AES encryption algorithms with three keys for encryption.

Cyber Threat Actors (CTA) use a globally dedicated RSA key as the basis for their model. The second RSA key is passed to the system through the main payload. This RSA key has been encrypted using the CTA's dedicated global RSA key. Once the malware is ready for encryption, an AES key is created for the victim's files, and that key is encrypted with the second RSA key. Ryuk then begins analyzing and encrypting each drive and network share on the system. Eventually, a ransom note, “RyukReadMe.txt”, is created and placed in each folder on the system.

The following events were observed on the victim’s system:

  • The hidden PowerShell script runs and connects to the remote IP address.
  • PowerShell anti-registration script runs on the host.
  • Network discovery is done using standard Windows command-line tools and loaded external tools.
  • Lateral movement continues until the attackers gain access to the domain controller.
  • PSEXEC is used to send Ryuk binary files to various hosts.
  • A batch script is run to end processes/services and delete backups, and then the Ryuk binary is run.
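
The behaviours described above (the Run key persistence command, shadow copy deletion, PSEXEC distribution and the RyukReadMe.txt note) can be combined into a simple per-host triage over process and file events. This Python example is added here and is not part of the original article or any vendor's rule set; the event layout, the regexes, the host names and the choice of vssadmin as the shadow copy tool are assumptions.

```python
import re
from collections import defaultdict

# Indicators follow the behaviour described on this page; the regexes and the
# event layout are assumptions of this example, not a vendor signature set.
PROCESS_RULES = {
    # REG ADD to HKCU ...\Run that points at C:\Users\Public\<5 chars>.exe
    "run_key_persistence": re.compile(
        r'reg(?:\.exe)?"?\s+add\s+"?(?:hkcu|hkey_current_user)'
        r'\\software\\microsoft\\windows\\currentversion\\run"?\s'
        r'.*?/d\s+"?c:\\users\\public\\[^\\"\s]{5}\.exe', re.I),
    # Shadow copy removal; vssadmin is assumed, the page names no tool
    "shadow_copy_deletion": re.compile(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', re.I),
    # PsExec aimed at a remote host (\\host argument)
    "psexec_remote_exec": re.compile(r'psexec(?:64)?(?:\.exe)?"?\s+.*\\\\[\w.-]+', re.I),
}
RANSOM_NOTE = re.compile(r'(?:^|\\)RyukReadMe\.txt$', re.I)

def classify(event):
    """Return the names of the rules an event matches (empty if none)."""
    if event["type"] == "process":
        return [n for n, rx in PROCESS_RULES.items() if rx.search(event["data"])]
    if event["type"] == "file" and RANSOM_NOTE.search(event["data"]):
        return ["ransom_note_created"]
    return []

def triage(events, threshold=2):
    """Report hosts that show at least `threshold` distinct behaviours."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(classify(ev))
    return {h: sorted(b) for h, b in hits.items() if len(b) >= threshold}

# Constructed sample events (host names and paths are made up).
SAMPLE = [
    {"host": "WS01", "type": "process", "data":
     r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE'
     r'\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ '
     r'/d "C:\Users\Public\aBcDe.exe" /f'},
    {"host": "WS01", "type": "file", "data": r"C:\Users\alice\Documents\RyukReadMe.txt"},
    {"host": "WS02", "type": "process", "data":  # benign Run key entry
     r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
     r'/v Updater /d "C:\Program Files\App\upd.exe"'},
    {"host": "FS01", "type": "process", "data": "vssadmin.exe Delete Shadows /all"},
    {"host": "FS01", "type": "process", "data": r"PsExec.exe \\FS02 C:\Users\Public\xYzQw.exe"},
]

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE).items():
        print(host, behaviours)
```

Requiring two distinct behaviours per host keeps a single legitimate Run key entry or an administrator's PsExec session from raising an alert on its own.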

Therefore, the exploit itself must be carefully designed. Files are encrypted with standard AES-256, and a ransom note, “RyukReadMe”, is left behind. The note contains two email addresses through which the victim is contacted. Although some early infections demanded a certain amount, subsequent infections wait for contact before making a demand. This may be a useful strategy because attackers can negotiate higher ransom payments. Before the device becomes infected, Ryuk stops 180 services and more than 40 processes running on the system. The malware issues commands to end and stop a given list of processes and services. Some of the behaviors are:

  • Bypassing antivirus products.
  • Persisting on the target computer.
  • Injecting into a Windows process so that it works like a legitimate process.
  • Ending processes.
  • Stopping services.
  • Affected files show a different extension, for example my.docx.locked.

How to Remove Ryuk Ransomware

Manual removal techniques are not recommended for Ryuk ransomware. Make sure to remove Ryuk from the system using professional tools. SpyHunter 5 and Malwarebytes are the two tools recommended by experts to fight such complicated malware. Even after Ryuk is removed, files on the system are still encrypted. This is because recovering the locked data requires the decryption key, and unfortunately the remote server that holds the decryption key is under the control of the ransomware crew.

This malware uses phishing emails to reach its targets. A large number of such messages are sent to companies to increase the number of encrypted files and collect more ransom. Therefore, your system gets infected just as you click the infected email. To gain your trust, these messages may contain professional logos and pretend to be sent by well-reputed organizations like Lloyds Bank, HSBC, and similar companies. Your careless behavior can cause you a substantial loss.

Here are some tips:

  • Pay close attention while browsing the internet or downloading software.
  • Be careful when opening an unknown email. Think twice before opening a suspicious email.
  • Only use official and verified sources when downloading software.
  • When downloading or updating software, only use direct links and avoid third-party installers.
  • A recommended antivirus or anti-spyware tool is essential and should be regularly updated.

Some other methods to remove Ryuk are:

  • Using safe mode with networking
  • Using system restore

Can You Prevent Ryuk Ransomware?

With the proper tools, technology, and people watching your network, it is possible to prevent Ryuk from infecting your internal systems. We recommend starting with a framework like NIST to create a baseline for any future security decisions. Adding tools like managed SIEM, MDR, and managed patch and vulnerability tools, plus a team of security professionals constantly watching your network, could prevent Ryuk ransomware from being found on your network.

To help determine where to begin, start with a security risk assessment. We’ll provide recommendations to create a foundation for future strategic security decisions.

