Ryuk Ransomware: What To Do If You’re Infected

Graphic for Tetra Defense Ransomware 101: Ryuk


What is Ryuk Ransomware?

“Ryuk” is a malicious variety of ransomware/malware that began to surface in August 2018. It has gained notoriety for its disruptive and high-profile targeting of large organizations and businesses. Ryuk is unique in that it specifically targets enterprise organizations in a so-called “big game hunting” strategy, which aims to achieve a high-value ransom for minimal effort on the part of the threat actor.

Unfortunately, Ryuk’s big game hunting strategy appears to work quite well. There is evidence to suggest that the threat actors are accruing much larger profits for less effort by using Ryuk over other strains of ransomware. In December 2018, the FBI released a security bulletin announcing that over 100 U.S companies had been hit with Ryuk. Ryuk continues to be an active ransomware threat and poses a significant risk to enterprise-level organizations.

Research conducted by CrowdStrike discovered that $4,000,000 worth of bitcoin was sent to bitcoin wallets identified within Ryuk ransom notes. These figures are the reported payouts made by businesses and insurance companies between August 2018 and January 2019 only, meaning that more unreported payments may have been made during that time and that more payments have certainly occurred since.

Security experts believe that Ryuk is a mutated version of a pre-existing malware called Hermes2.1 ransomware and that it utilizes Trickbot as part of the exploitation. The source code is for sale on darknet forums, and recent comparisons indicate that Ryuk contains much of the Hermes source code.

Ryuk is named after a manga character from the Japanese movie Death note. The hacking group “Grim Spider” is suspected to be behind the spread of the malware. Grim Spider appears to calculate the ransom amount based on the size and monetary assets of the victims.

Several high profile companies have been affected by the outbreak of Ryuk, including the New York Times, LA Times, Lake City, Florida, DCH Hospitals, and Georgia’s Judicial Council.

How Does Ryuk Ransomware Work?

Ryuk is a very complex and clever piece of malware. The first compromising tactic commonly uses Emotet and Trickbot malware embedded within macros of Microsoft

based email attachments. Once a user opens the rogue attachment, a PowerShell script is spawned, which disables AV services and uses Trickbot to harvest data and steal user credentials.

The ransomware payload is then discreetly downloaded from cloud storage. Next follows a reconnaissance period during which the malware lays dormant as the attacker investigates the victim’s network before dropping the Ryuk payload. Newer variants of Ryuk also upload sensitive files to an FTP server. Exploitation has also been seen using via brute force RDP attacks.

Once activated, the ransomware triggers an AES256- or RSA4096-bit encryption process, which enumerates network shares and encrypt all drives it can access. All non-executable files across the system are encrypted and renamed with the .ryk file extension. A ransom note is saved to each processed folder with the name RyukReadMe.

How Do I Prevent Ryuk Ransomware?

In protecting against a Ryuk ransomware infection, several security best practices can help you safeguard critical devices and networks. Tetra Defense recommends that you follow strict business processes and security practices to help prevent Ryuk from infecting your infrastructure.

  • System Inventory and Risk Analysis – An enterprise-level organization should possess a completed inventory of all business assets. The list should include servers, desktops, laptops, network equipment, and digital infrastructure. Cataloging your organization’s assets will allow you to create a baseline to work from in the event Ryuk strikes you. Ryuk targets vulnerable operating systems, and a risk assessment will identify security weaknesses and create a priority list of what to fix first.
  • Ditch End-of-Life Operating Systems – Running a modern, manufacturer-supported, and patched operating system is fundamental to cybersecurity. OS licensing can be expensive, but it is critical to have supported operating systems that enable the most recent security updates and operating system patches.
  • Patching – One of the best methods to protect against malware is to ensure that your infrastructure is patched to the very latest levels. This includes server patching, Windows updates, firmware, and microcode updates. Ryuk targets SMB security holes, which have been fixed in more recent security rollouts.
  • Application Updates – In-house software applications and business productivity suites must be updated, too. Ryuk can spread using targeted phishing emails to unsuspecting employees. Despite Ryuk’s ability to disable antivirus upon infection, you must still ensure that antivirus is installed and updated daily to guarantee the very latest threat prevention is in place.
  • Training – Don’t underestimate the importance of training all employees about the risks of ransomware. Though businesses can implement any number of technical security solutions, an employee may commit the cybersecurity equivalent of inadvertently leaving the front door unlocked. Training employees on phishing, scams, and the latest cybersecurity trends, as well as conducting social engineering tests on them, is very important.
  • Backups – If the worst does happen and you are impacted by ransomware, often the quickest resolution is to restore from backup. Regular and segregated offsite backups should be completed on a daily, weekly, monthly rotation to reduce the likelihood of the backups also becoming encrypted during a ransomware attack.
  • Disaster Recovery – We highly recommend that you create and test a disaster recovery plan for total outages caused by ransomware. This plan might include a high availability DR set up in a secondary site or with a cloud provider.
  • Penetration Testing and Social Engineering – This is a technique of testing external and internal computer infrastructure against all known vulnerabilities. Pen testing and vulnerability scanning will generate a list of recommended fixes needed to harden the infrastructure. Social Engineering training should include testing employees’ susceptibility to ransomware attacks.

How Do I Remove Ryuk Ransomware?

Nearly all antivirus products are now capable of blocking malware using real-time protection agents; fortunately, the Ryuk application hashes are known and easily detected by AV. There are many websites online that claim to be able to remove Ryuk, but most of these are fake scamming sites.

We strongly recommend that any machine that is infected be completely rebuilt from a backup. Restoring from a backup may cause short-term pain, but in the long term, you can be assured that all the malware has been removed during the rebuild process.

As discussed previously in this article, many enterprise organizations choose to pay the ransom as a last result. Upon a verified payment, the Ryuk Decryptor tool is sent to the victim. This tool can be unreliable and riddled with bugs but does sometimes successfully decrypt Ryuk encrypted files. Tetra Defense has the expertise to help your organization with the decryption process, including custom modification of the decryption programs if they fail, and can also assist with the negotiation and facilitate payment of ransom when deemed to be necessary.

Example of Ryuk Ransom Note

Screenshot of the Ryuk ransom note

Check out some related content on our blog: