Ryuk Ransomware — Malware of the Month, January 2020

In the world of malware, Ryuk ransomware has gone from rookie to pro at a disturbing speed. Ryuk has achieved this status not on its capabilities, but on the uncanny way it infects systems.

The January malware of the month, Ryuk, has a unique style of attack. It targets large entities by customizing the attack based on the victim, ensuring a high ROI in the process. Ryuk ransomware attackers like to target the big boys!

The state of Florida had to cough up $1 million worth of ransom to pay off Ryuk attackers. The situation was so bad that cities like Riviera Beach were completely shut down: cops started giving paper tickets, the 911 line was in a fix, the city’s water supply grid went offline, and it brought the city to a grinding halt. Looking at how Ryuk affected Florida, many countries like the UK issued a Ryuk ransomware alert.

Ryuk ransomware is a problem. No two ways about it. But don’t get tempted to dive right into problem-solving mode. First, understand the issue of Ryuk, and that starts with asking the right questions.

  • What is Ryuk ransomware?
  • How does Ryuk ransomware spread?
  • How can you protect your business from Ryuk ransomware?


What is Ryuk?

In the autumn of 2018, a modified version of the Hermes ransomware was discovered and named Ryuk. Hermes and Ryuk share similar characteristics: both identify and encrypt network devices and delete the shadow copies stored on the endpoints. The only difference is how they create the encryption keys. While Hermes uses an RSA public and private key pair, Ryuk uses a second RSA public key.

Ryuk ransomware is more lucrative than its predecessor. It targets large organizations and government agencies that end up paying large amounts. The truth is, without the big payoffs, running Ryuk attacks is not sustainable: they involve a high degree of manual work (direct exploitation, payment requests handled via email, etc.), and the attackers don’t want to waste time if the ROI isn’t good.

How Does Ryuk Work? 

Ryuk ransomware is not the beginning, but the end of an infection cycle. It’s ransomware that comes into form, step-by-step, and when it strikes, it’s lethal.

Here’s how Ryuk Ransomware spreads:


It all starts with a phishing email, a visit to a sketchy website, or a click on a random popup. Bots like TrickBot and Emotet then give the attackers direct access to the victim’s network. Emotet and TrickBot spread laterally through the network and deploy Ryuk ransomware. Generally, there’s a delay between the spread of the bots and the deployment of Ryuk; this delay allows Emotet and TrickBot to steal sensitive information, making organizations vulnerable even before the Ryuk attack.

Binary Setup 

Once Ryuk ransomware is deployed, it checks whether the system is suited for it. The dropped ransomware binary follows a fixed routine: the dropper identifies whether the system is 32- or 64-bit, drops the malware version that matches the system, and runs it using ShellExecuteW.

File Encryption

Once the attackers find a suitable system, two files are placed in a subfolder inside the directory:

  • PUBLIC: RSA Public Key
  • UNIQUE_ID_DO_NOT_REMOVE: Hardcoded Key

This is where Ryuk begins the encryption process.

It sweeps through the file systems and attached drives, enumerating them with WNetOpenEnum and WNetEnumResource, and encrypts each file it finds. The per-file encryption key is destroyed after it has served its purpose.

Ryuk Ransomware Injection

Ryuk injects its code into various remote processes, and so begins the vicious cleanup. Using taskkill and net stop commands, it works through a preconfigured list of 40 processes and 180 services and terminates them. These include antivirus tools, databases, backups, and other software.

Here’s a list of services stopped by Ryuk:

(Image: list of services stopped by Ryuk ransomware. List of services courtesy of Zscaler.)
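The service-stopping behaviour above is noisy and leaves a trail in process-creation telemetry. As an added example that is not part of the original post, the following Python script shows one way a defender could spot it: it parses a few constructed Sysmon-style process-creation records and alerts when a single parent process issues a burst of taskkill / net stop commands, some of them aimed at backup, antivirus or database services. The record layout, the watch list of service keywords and the thresholds are assumptions made for this illustration; Ryuk’s real list of 40 processes and 180 services is longer than the keywords used here.

```python
"""Flag Ryuk-style termination bursts in Windows process-creation logs.

Added example (not Spanning's code): parses constructed Sysmon-style
process-creation records and raises an alert when one parent process issues
many `taskkill` / `net stop` commands within a short window and some of the
targets look like backup, antivirus or database services.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

# Assumed watch list: name fragments a defender would consider sensitive.
WATCH_KEYWORDS = ("backup", "veeam", "acronis", "sql", "oracle",
                  "antivirus", "defender", "mcafee", "sophos", "vss")

# Constructed record layout: "<ISO timestamp>|<parent pid>|<image path>|<command line>"
EVENT_RE = re.compile(r"^(?P<ts>[^|]+)\|(?P<ppid>\d+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")

# Constructed sample events: one burst from parent PID 4120, plus benign noise.
SAMPLE_EVENTS = [
    '2020-01-14T02:11:03|4120|C:\\Windows\\System32\\net.exe|net stop "Veeam Backup Service" /y',
    '2020-01-14T02:11:04|4120|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y',
    '2020-01-14T02:11:04|4120|C:\\Windows\\System32\\taskkill.exe|taskkill /IM sqlservr.exe /F',
    '2020-01-14T02:11:05|4120|C:\\Windows\\System32\\net.exe|net stop McAfeeFramework /y',
    '2020-01-14T02:11:06|4120|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM mcshield.exe',
    '2020-01-14T02:11:07|4120|C:\\Windows\\System32\\net.exe|net stop AcronisAgent /y',
    '2020-01-14T02:11:08|4120|C:\\Windows\\System32\\net.exe|net stop VSS /y',
    '2020-01-14T09:30:00|900|C:\\Windows\\System32\\taskkill.exe|taskkill /IM notepad.exe /F',
    '2020-01-14T09:31:00|900|C:\\Windows\\explorer.exe|explorer.exe',
]


def extract_target(cmd: str):
    """Return the lower-cased process or service a taskkill / net stop command
    targets, or None when the command line is not a termination command."""
    try:
        argv = shlex.split(cmd, posix=False)  # keeps "quoted service names" together
    except ValueError:
        return None
    if not argv:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    if exe in ("taskkill", "taskkill.exe"):
        for i, arg in enumerate(argv[1:], start=1):
            if arg.upper() in ("/IM", "/PID") and i + 1 < len(argv):
                return argv[i + 1].strip('"').lower()
        return None
    if exe in ("net", "net.exe", "net1", "net1.exe") and len(argv) >= 3 and argv[1].lower() == "stop":
        return argv[2].strip('"').lower()
    return None


def detect_kill_bursts(lines, window=timedelta(minutes=2), threshold=5):
    """Group termination commands by parent PID and return one alert per parent
    whose densest `window` holds at least `threshold` commands, some of them
    aimed at watch-listed services."""
    per_parent = defaultdict(list)
    for line in lines:
        match = EVENT_RE.match(line)
        if not match:
            continue
        target = extract_target(match["cmd"])
        if target is None:
            continue
        per_parent[match["ppid"]].append((datetime.fromisoformat(match["ts"]), target))

    alerts = []
    for ppid, events in per_parent.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) < threshold:
            continue
        sensitive = sorted({t for _, t in best if any(k in t for k in WATCH_KEYWORDS)})
        if sensitive:
            alerts.append({"parent_pid": ppid, "count": len(best),
                           "first": best[0][0], "last": best[-1][0],
                           "sensitive_targets": sensitive})
    return alerts


if __name__ == "__main__":
    for alert in detect_kill_bursts(SAMPLE_EVENTS):
        print(f"ALERT parent {alert['parent_pid']}: {alert['count']} termination commands "
              f"between {alert['first']} and {alert['last']} "
              f"hitting {', '.join(alert['sensitive_targets'])}")
```

Keying the burst on the parent PID rather than on individual commands is what separates this from an administrator restarting one service: a single script-driven parent firing dozens of stops at backup and antivirus services within seconds is the pattern worth paging on, and the same records also tell you which protective services were down before the encryption started.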

Ryuk Ransom Notes

The Ryuk ransom note has the following attributes:

  • The ransom note is written to a file named RyukReadMe.txt.
  • The template is static; however, the email address and Bitcoin wallet address may change.
  • The email addresses are typically named after obscure actors and Instagram models.

Ransom Payment 

It’s payday for hackers. The ransom amount is based on the size and value of the targeted organization. The ransom may vary but overall, the amount is still much higher than the average.

Tips to Protect Your Business from Ryuk 

The best way to protect your business from Ryuk is to avoid it, and avoidance comes when employees are educated in the matters of ransomware. Some employees do not receive the training, some do, and some know it all too well. Yet human error seems to be responsible for 90% of data breaches. Clearly, this tactic is not working.

Let’s talk about some of the practical ways to keep a church-state separation between your business and Ryuk ransomware.

Malware Scan

Go from the hunted to the hunter by proactively scanning your network for malware and resolving it before it causes any real damage.

Patch Management

Install and update patches to keep your systems secured across all endpoints. It’s difficult to drop malware when your system is patched with the latest security updates.

Network Segmentation

Losing network drives to a single endpoint infection signifies a weak security system. A smart tactic is to segment access to certain servers and files. In case of an attack, hackers would only get access to a limited part of your network.

The best ways to segment the network:

  • Provide access to specific mapped drives based on role requirements
  • Use third-party storage systems to keep vital shared files and folders outside the main network

Disable Macros

A macro is a special piece of code that customizes specific bits of an email copy for each recipient, such as first name or organization name. However, if you get an email with attachments asking you to enable macros to view them, don’t! If the attachment is infected, opening it will run the malware-ridden macro, giving attackers control over your computer.

Backup Your Data

Data living in your network will always be vulnerable to a Ryuk attack. That’s why you should back up a copy of your data to an external cloud. This makes you immune to ransom demands, as you can easily recover the original, unencrypted version of the data.

The problem is, folks tend to skip manual backups from time to time, which can prove dangerous for businesses. Spanning protects you from Ryuk ransomware by offering automated backups: following an initial backup, incremental backups are performed automatically in the background. At the same time, you should keep an eagle eye on the backup status from the single dashboard: check backup health, flag issues, and resolve them accordingly.
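Automated incremental backups only help if the backup job notices when the files it is about to copy are no longer your documents but Ryuk’s ciphertext; otherwise the next run happily replaces the last good versions. As an added example that is not Spanning’s product code, the following Python script shows the kind of health check that catches this: it compares two snapshots (modelled as in-memory path-to-bytes dictionaries, constructed here so the check runs offline), and quarantines the run when a ransom note named RyukReadMe.txt (the file name given earlier in the post) appears or when a large share of files changed to high-entropy content at once. The change-ratio and entropy thresholds, the sample files and the helper names are assumptions for this illustration.

```python
"""Backup health check that keeps a ransomware-encrypted snapshot from
silently replacing the last good one.

Added example, not Spanning's product code. Snapshots are {path: bytes}
dictionaries built from constructed data; thresholds are assumptions.
"""
from collections import Counter
import hashlib
import math

RANSOM_NOTE = "RyukReadMe.txt"  # file name Ryuk writes its note to (from the post)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest(snapshot: dict) -> dict:
    """SHA-256 digest per path: cheap to store, enough to spot content changes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def assess_incremental(previous: dict, current: dict,
                       change_ratio: float = 0.5, entropy_threshold: float = 7.5) -> dict:
    """Compare the last good snapshot with the candidate incremental backup.

    Quarantine (keep the old versions, alert) when a ransom note appears or
    when a large share of files changed to high-entropy content at once; a
    normal working day edits a few files, and edited documents stay low-entropy.
    """
    prev_m, cur_m = manifest(previous), manifest(current)
    changed = sorted(p for p in cur_m if p in prev_m and cur_m[p] != prev_m[p])
    added = sorted(p for p in cur_m if p not in prev_m)
    ransom_notes = [p for p in added + changed
                    if p.rsplit("/", 1)[-1].lower() == RANSOM_NOTE.lower()]
    high_entropy = [p for p in changed if shannon_entropy(current[p]) >= entropy_threshold]
    ratio = len(changed) / len(prev_m) if prev_m else 0.0

    reasons = []
    if ransom_notes:
        reasons.append(f"ransom note present: {', '.join(ransom_notes)}")
    if ratio >= change_ratio and high_entropy:
        reasons.append(f"{ratio:.0%} of files changed and {len(high_entropy)} became high-entropy")
    return {"changed": len(changed), "added": len(added), "change_ratio": ratio,
            "high_entropy": high_entropy, "ransom_notes": ransom_notes,
            "quarantine": bool(reasons), "reasons": reasons}


# --- constructed sample data (assumed file names and contents) -------------
def _pseudo_random(seed: str, size: int = 2048) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))
    return out[:size]


GOOD_SNAPSHOT = {
    "finance/q4-report.docx": b"Quarterly revenue summary, prepared for the board. " * 40,
    "finance/invoices.csv": b"id,customer,amount\n1,ACME,1200\n2,Globex,850\n" * 50,
    "hr/policy.txt": b"Leave policy: submit requests two weeks ahead. " * 40,
    "ops/runbook.md": b"# Runbook\n1. Check backup dashboard daily.\n" * 40,
}


def benign_edit() -> dict:
    """Normal day: one document gets a paragraph appended."""
    snap = dict(GOOD_SNAPSHOT)
    snap["hr/policy.txt"] += b"Updated: remote work guidance added. "
    return snap


def encrypted_snapshot() -> dict:
    """Ryuk-style outcome: most files replaced by ciphertext plus a ransom note."""
    snap = dict(GOOD_SNAPSHOT)
    for path in ("finance/q4-report.docx", "finance/invoices.csv", "ops/runbook.md"):
        snap[path] = _pseudo_random(path)
    snap["finance/RyukReadMe.txt"] = b"(constructed placeholder for a ransom note)"
    return snap


if __name__ == "__main__":
    for label, candidate in (("benign", benign_edit()), ("ransomware", encrypted_snapshot())):
        verdict = assess_incremental(GOOD_SNAPSHOT, candidate)
        print(label, "-> quarantine" if verdict["quarantine"] else "-> accept", verdict["reasons"])
```

The design choice worth copying is that a quarantined run never discards earlier versions: the backup keeps its history and raises the issue on the dashboard, so the unencrypted copies remain available for the recovery the post describes. The entropy test alone would also fire on a legitimate bulk upload of compressed or already-encrypted archives, which is why it is paired with the change ratio and reviewed by a person rather than acted on blindly.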


*** This is a Security Bloggers Network syndicated blog from Spanning authored by Shyam Oza. Read the original post at: