What is Ryuk Ransomware?

Ransomware breaches your device, encrypts your data, and demands a ransom to restore access. Ryuk ransomware is an advanced variant that specifically targets high-profile victims who are likely to pay large ransoms. Discover what Ryuk ransomware is, its origins, and how it spreads.

What is Ryuk ransomware?

Ryuk ransomware is a form of malware that targets high-value entities, encrypting their files and demanding a ransom for their release. Named after a character from the manga series Death Note, Ryuk attacks have impacted businesses, governments, and public institutions such as hospitals and schools.

Like all ransomware, Ryuk can cause severe damage, particularly to organizations with critical digital assets—such as hospitals dependent on electronic records for medication or utility plants controlling water systems remotely.

Recently, attacks have become more aggressive, with vulnerable targets increasingly in the crosshairs. While the exact perpetrators remain unknown, many sources attribute Ryuk ransomware to Wizard Spider, a cybercriminal group based primarily in Russia.

What’s the history of Ryuk ransomware?

Ryuk ransomware made its debut in August 2018, encrypting files across numerous small municipalities, logistics companies, and technology firms globally. Although this marked the ransomware’s first public appearance under the Ryuk name, cybersecurity experts have traced its code structure to the Hermes ransomware strain, which was identified in 2017.

By 2021, Ryuk ransomware evolved with a troubling new variant that includes worm-like capabilities. These computer worms can spread between systems autonomously, accelerating the attack process and enabling hackers to inflict widespread damage more easily.

How did Ryuk emerge and how does it spread?

Ryuk ransomware attacks typically start with phishing emails. Targeting individuals with access to enterprise systems, Ryuk attackers use spear phishing campaigns to seek substantial payouts.

The process begins with hackers identifying high-value targets and sending seemingly innocuous emails containing malicious links. These links may lead to an attachment that appears to be a normal Word document but actually releases Trojan malware like Trickbot or Emotet upon opening.

This initial malware isn’t the ransomware itself but enables the attacker to gain control of the victim’s machine, setting the stage for the deployment of the Ryuk ransomware payload later. Ryuk then spreads laterally within the network, infecting additional systems.

Once embedded in the network, Ryuk hackers covertly gather admin credentials and identify domain controllers to maximize the ransomware’s impact when it is eventually deployed.

When executed, Ryuk ransomware encrypts files, data, and system access, rendering them inaccessible. It also disables the Windows System Restore function, forcing victims to choose between losing their data or paying the ransom. The sudden and severe nature of the attack often leads many to pay, making Ryuk one of the most notable ransomware threats.

Initially, Ryuk attacks were manually operated, with hackers using traditional hacking techniques. However, recent developments suggest that Ryuk now spreads autonomously like a worm, although the initial breach still relies on classic social engineering tactics such as phishing, spam, and spoofing.

Examples of Ryuk ransomware attacks

Ryuk ransomware attacks generally target large public or private organizations, hitting them in a coordinated manner. Affected regions include the US, UK, Germany, Spain, France, and Australia.

By early 2021, Bitcoin transaction analysis from known Ryuk addresses revealed that the hackers had extorted over $150 million in ransom payments. Notable Ryuk ransomware attacks have impacted municipalities, educational institutions, tech and energy companies, and hospitals.

• December 2018: Media outlets using Tribune Publishing software, such as the LA Times and parts of The Wall Street Journal and New York Times, were attacked. The aim seemed to be disabling infrastructure rather than stealing data.
• March 2019: Jackson County, Georgia, had its entire municipal network taken offline, except for emergency services. Officials decided to pay a $400,000 ransom after consulting with cybersecurity experts.
• June 2019: Ryuk ransomware hit two Florida cities, Riviera Beach and Lake City, weeks apart. The attacks affected emergency services and water facilities. Both cities paid ransoms of $600,000 and $460,000, respectively.
• July 2019: La Porte County, Indiana, experienced a Ryuk attack and paid $130,000 to restore their systems.
• July 2019: New Bedford, Massachusetts, faced a $5.3 million ransom demand. The city offered $400,000, which was rejected, and chose to recover the data independently.
• December 2019: Ryuk ransomware attacked over 700 Spanish government offices, disrupting hundreds of thousands of appointments and access to public services.
• January 2020: Electronic Warfare Associates, a supplier to the US Department of Defense, was attacked. The breach was exposed when encrypted files and ransom notes were discovered in Google search results.
• March 2020: Epiq Global, a legal services firm, had 80 offices worldwide hit by Ryuk. Client access to crucial legal documents was blocked, but it is unclear if a ransom was paid.
• September 2020: Ryuk ransomware attacked over 250 medical facilities operated by Universal Health Services (UHS), causing patient rerouting and delays. The recovery cost UHS $67 million.
• November 2020: K12 Inc., serving over one million students, had personal data compromised and threatened with leaks. K12 confirmed paying an unspecified ransom to protect student privacy.
• November 2020: The Baltimore County Public School system, serving over 115,000 students, was hit before Thanksgiving, disrupting remote education. No ransom was paid, but recovery costs approached $10 million.
• May 2021: Norwegian energy tech firm Volue was attacked, impacting water and wastewater facilities in over 200 municipalities, affecting nearly 85% of Norway’s population.
• June 2021: Liège, Belgium’s third-largest city, experienced a Ryuk attack disrupting administrative services related to identity cards, passports, and civil permits.

Technical Analysis of Ryuk Ransomware Functionality

Ryuk ransomware files are marked by the extensions .ryk or .rcrypted. For example, an encrypted file might look like filename.xls.ryk.

Ryuk uses a three-tier encryption model:

• Tier 1: A global key pair controlled by the attackers, with the private key provided only after the ransom is paid.
• Tier 2: A key pair specific to the victim, created during the encryption process.
• Tier 3: A standard AES key, generated using the Win32API function CryptGenKey, then encrypted with the Tier 1 and 2 keys.

Attackers use encrypted email services to avoid detection, frequently changing their addresses with each attack.

How to protect yourself against Ryuk?

• Train users to avoid unexpected emails and attachments: User errors are a common entry point for malware, including Ryuk. Often, infections begin when a user opens or downloads a malicious email attachment, leading to TrickBot or Emotet infections. Providing security training can help prevent these mistakes.
• Analyze systems for existing infections: Ryuk attacks often exploit networks already infected with TrickBot or Emotet. Regular anti-malware scans can help detect these preexisting infections and allow administrators to isolate compromised devices.
• Implement a Zero Trust security model: In a Zero Trust environment, no device is trusted by default, and continuous re-verification is required. This approach restricts access for infected devices, helping to prevent broader network breaches.
• Regularly back up files and data: Having regular backups enables organizations to recover data without paying a ransom or reconstructing their IT infrastructure.

While no method can guarantee complete prevention of Ryuk ransomware attacks, these practices significantly reduce the risk of infection.

FAQ’s

What is Ryuk ransomware?
Ryuk ransomware is a type of malware that targets high-profile victims by encrypting their files and demanding a ransom for their release. It’s named after a character from the manga series Death Note. Ryuk attacks have affected various entities, including businesses, governments, and public institutions like hospitals and schools. It can cause severe disruptions, especially for organizations that rely heavily on digital assets.

How did Ryuk ransomware first appear?
Ryuk ransomware was first identified in August 2018, impacting numerous small municipalities, logistics companies, and technology firms globally. Though it debuted under the Ryuk name, its code structure is linked to the Hermes ransomware strain, discovered in 2017. By 2021, Ryuk evolved to include worm-like capabilities, allowing it to spread autonomously between systems.

How does Ryuk ransomware spread?
Ryuk ransomware often spreads through phishing emails. Attackers use spear phishing to target individuals with access to valuable systems. The attack typically starts with an email containing a malicious link or attachment, which, when opened, deploys Trojan malware like TrickBot or Emotet. This malware then helps the attackers gain control over the victim’s machine, setting the stage for Ryuk ransomware to encrypt files and spread throughout the network.

Conclusion

Ryuk ransomware represents a serious and evolving threat, specifically targeting high-profile victims with substantial ransom demands. By understanding its methods, origins, and impact, organizations can better prepare themselves against these attacks. Implementing robust security practices, such as training users, performing regular system scans, and employing a Zero Trust model, can significantly mitigate the risk. While no system is entirely immune to ransomware, proactive measures can greatly reduce the likelihood and impact of a Ryuk ransomware infection, safeguarding critical data and maintaining operational integrity.