Inside the Ryuk ransomware - Security Boulevard

Inside the Ryuk ransomware

What is Ryuk?

Ryuk is a ransomware sample that has been making the rounds recently. It is designed to be used in targeted attacks and has no ability to move laterally through the network (though it can encrypt network drives from an infected computer).

Ryuk is commonly dropped by another malware sample and is often associated with Emotet and Trickbot. There’s typically a delay between the initial infection of the target machine and the beginning of Ryuk performing file encryption. This delay allows the attacker to perform other types of exploitation of the infected machine and reconnaissance to determine if the infected machine is a viable target for a ransomware infection. 

Since a great deal of the Ryuk ransomware’s attack process is performed manually (direct exploitation, payment requests handled via email and so on), the attackers don’t want to waste time dealing with targets that are unlikely to provide an adequate payoff.

How does Ryuk work?

The Ryuk ransomware is based on the Hermes ransomware. This link is well-supported by a variety of different features of Ryuk. For example, Ryuk uses the same format to mark encrypted files as Hermes (using the string HERMES), has a similar structure in its encryption algorithm, and includes a whitelist value that only makes sense if Ryuk is derived from Hermes. 

However, Ryuk also has several features that are different than Hermes. Over time, the malware has evolved to be more distinct from its parent.

The execution of the Ryuk ransomware can be broken up into three main stages: the dropper, setup of the ransomware binary and the file encryptor process.


A Ryuk malware infection starts with a malware dropper. The goal of this initial executable is to ensure that the malware running on the system is suited to it.

The (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: