What is Ryuk Ransomware? Here’s What You Need to Know

Ryuk is a sophisticated ransomware strain that has been targeting high-profile organisations since 2018.

Like other forms of ransomware, Ryuk encrypts data on an infected system, rendering the information inaccessible until the organisation makes a ransom payment to the attackers, who then provide a decryption key.

Ryuk typically targets large organisations that are able to pay large sums of money to regain access to their systems.

By 2020, the average payment demanded during Ryuk infections was $1,339,878 (about £965,000). This is more than ten times higher than the average ransomware demand of $111,605.

Who is behind Ryuk ransomware?

Ryuk first appeared in August 2018, although its software is based on a ransomware strain known as Hermes, which has been sold on the dark web since at least 2017.

Cyber security experts initially suspected that the creators of Ryuk were North Korean, but research published in 2020 revealed that the ransomware is of Russian origin.

The most frequent users of Ryuk are a cyber crime gang that goes by the name Wizard Spider.

The group is estimated to have approximately 80 members, who are predominantly based in Saint Petersburg in Russia, although some members have ties to Ukraine.

Intelligence agencies believe that the group does not target organisations based in Russia. The software is reportedly programmed to uninstall itself if it detects that the target has an IP address in the former Soviet Union or if the organisation’s system uses the Russian language.

The gang are a target of Europol, Interpol, the FBI and the UK’s National Crime Agency.

Those agencies suspect that the use of Ryuk outside of Russia has led to the country’s government tolerating, or even assisting in, its use.

Russian authorities have reportedly lent infrastructure and expertise to cyber criminals who use Ryuk to carry out attacks on Russia’s enemies.

How does Ryuk ransomware spread?

The US CISA (Cybersecurity and Infrastructure Security Agency) website provides detailed information on how Ryuk infects organisations.

Attacks typically begin with a phishing email containing an infected Microsoft Office document. If recipients open the document, it enables a malicious macro that executes a PowerShell command, which attempts to download the Emotet Trojan.

Emotet is a polymorphic banking Trojan that’s used to steal people’s personal and financial information. It can evade typical detection capabilities, making it virtually impossible to detect when machines have been infected.

The Trojan can also download additional malware onto an infected machine, allowing it to retrieve and execute a second Trojan, TrickBot – also known as TrickLoader.

These Trojans enable attackers to move laterally through critical assets connected to the victim’s network. The attackers then determine whether the organisation is large enough, and the compromised information valuable enough, to justify holding it to ransom.

If they believe that’s the case, they deploy Ryuk and send the victim a ransom demand.

Unlike most ransomware strains, Ryuk is able to encrypt network drives and resources. It also disables the System Restore features of Microsoft Windows, which would otherwise allow the victim to restore the infected computer’s system files, applications and Windows Registry to a previous, unencrypted state.

In 2021, a new strain of Ryuk was discovered that features worm-like capabilities. This enables the ransomware to self-propagate and spread to other devices on the local network.
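The infection chain above (an Office macro launching PowerShell, followed later by System Restore being disabled) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from any vendor: it runs two simple detection rules over constructed Sysmon-style process-creation events. The shadow-copy tampering patterns are assumed generic indicators of the System Restore behaviour described above, not commands quoted from the article.

```python
import re

# Parent/child process pairing that matches the "macro runs PowerShell" step.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Assumed indicators of shadow-copy / System Restore tampering (generic defender rule,
# not taken from the article).
SHADOW_TAMPER = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)\b", re.IGNORECASE)

# Constructed sample events (not real telemetry). Fields mirror Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"pid": 4101, "ppid": 3990, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"pid": 4188, "ppid": 4101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"pid": 5020, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5100, "ppid": 5020, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},   # benign admin use
    {"pid": 6001, "ppid": 5900, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]

def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (pid, rule_name) pairs for events matching either rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        # Rule 1: an Office application spawned a scripting host or shell.
        if parent and basename(e["image"]) in SHELLS and basename(parent["image"]) in OFFICE_APPS:
            alerts.append((e["pid"], "office_spawned_shell"))
        # Rule 2: shadow copies / System Restore data being removed.
        if SHADOW_TAMPER.search(e["cmdline"]):
            alerts.append((e["pid"], "shadow_copy_tamper"))
    return alerts

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} rule={rule}")
```

Rule 1 keys on the parent image rather than the command line, so it still fires when the PowerShell arguments are obfuscated; the legitimate PowerShell launched from Explorer is not flagged.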

Ryuk ransomware note (source: Malwarebytes)

Once Ryuk has taken control of a system, it encrypts the stored data and makes it impossible for the victim to access that information.

There is no publicly available tool that enables victims to decrypt Ryuk, meaning that unless the victim has an isolated backup of the data, the only way to regain access to the information is to pay the ransom.

Like many cyber criminal gangs, Wizard Spider demand payments in bitcoin, which prevents transactions from being traced.

Although organisations might feel as though they have no choice but to negotiate with attackers, experts generally urge organisations not to pay up.

There are several reasons for this. First, there is no guarantee that the criminals will keep their word. In some cases, the attackers don’t provide the decryption key even once you’ve paid up. Meanwhile, other criminal hackers leak sensitive data regardless of whether you pay.

There have also been cases where the ransomware has contained bugs that make it impossible to decode the data using the decryption key.

How to protect against Ryuk

One of the keys to ransomware prevention is anti-malware and antivirus software. These tools detect attempts to install malicious software on devices, helping organisations prevent attacks before it’s too late.

However, as ransomware becomes increasingly sophisticated, the benefits of antivirus software diminish.

In a study of ransomware, Microsoft found that many successful intrusions leveraged malware and tools that are already detected by antivirus.

The report found that, in those cases, organisations failed to adopt additional measures to mitigate the risk. This includes a lack of firewall protection, weak domain credentials, a failure to adopt multi-factor authentication and non-randomised local admin passwords.

Microsoft observed that IT teams often avoid these protections deliberately, “because there is a fear that security controls will disrupt operations or impact performance”.

To prevent this from happening, organisations must understand the threat that ransomware poses and the steps that they must take to avoid infections.

Staff awareness training is an essential part of this process. It not only ensures that everyone in the organisation who’s involved in cyber security understands the threat of ransomware but also raises awareness across the organisation.

With regular training, you can be sure that staff keep security considerations at the centre of everything they do.

Moreover, because Ryuk and other ransomware strains are typically delivered in phishing emails, everyone in your organisation must play their part. If your staff can spot a fraudulent email and know what to do when they receive one, you can tackle the threat at the source.

Ransomware awareness training

Give your employees the tools they need to protect your organisation with our Ransomware Staff Awareness E-learning Course.

The course helps staff understand the threat of ransomware using examples, and demonstrates what organisations should do if they fall victim.

It also explains the main forms a ransomware attack can take and how they can be identified. Plus, you’ll receive guidance on anti-malware software and how it fits within your organisation’s policies and procedures.