BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
57
Global rank
33 infographic chevron month
Month rank
29 infographic chevron week
Week rank
199
IOCs

Ryuk is a Ransomware — a type of malware that encrypts files of the victim and restores access in exchange for a ransom payment. Operating since 2018, Ryuk has been continually carrying out successful targeted attacks on organizations, netting operators millions of dollars throughout its lifetime.

Ransomware
Type
Unknown
Origin
1 August, 2018
First seen
19 April, 2024
Last seen

How to analyze Ryuk with ANY.RUN

Type
Unknown
Origin
1 August, 2018
First seen
19 April, 2024
Last seen

IOCs

IP addresses
162.252.172.41
45.76.1.57
82.117.252.32
66.42.76.46
185.254.121.157
109.236.92.162
5.34.183.43
137.184.97.29
45.77.74.90
104.156.255.79
45.63.8.219
149.28.50.31
45.32.161.213
104.248.83.13
Hashes
be766af9c0a40651f021e82136fad95e765a377cd56f45ae43e2c836b3e66bb7
0b1008d91459937c9d103a900d8e134461db27c602a6db5e082ab9139670ccb6
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
6e11d21b3eb33b182af496e8ea90f3b3396e2d1a8d11db6f1caaacc27b6b7a25
956246824d2fb2f5f4738c450e8d222042b08c3e5c67c3ec755bedf641b7b1c5
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f
b2f298d16917811409c0140cfed659baa2b8c14e1677da0444d6e658b5e6979c
dea1b54618643ffe59506398f0f131300abe0988da89b5414955843ae5b53fee
f8a8f431ef21e834e8394c3af827e12ac27069ef4a73836947c995e4c43a8ea0
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca
d839eeaa5022351b31e99af5fe8e51d82820545fc0caddc417fe387f9989a24c
0ab020889b427c4acadabd81033b78738ee09cf755c11a6cc55b8338296c8014
1fcc6f01f4a82d12a844466a5429c64f7f9d5947fdedcda19692540e14fa2ea0
bddaf6020f8df169e1901c709701240f1a810d0e0fcec7d4479d5354360e1795
6c26b9e5df4b67ee90addd93f0f1a46bf32257f56a5c1a401e35809d31f4b199
b895399bdd8b07b14e1e613329b76911ebe37ab038e4b760f41e237f863b4964
05e06709523fd798da963c2c24254de0fcca6c57e1052996798ecc74ff43b41f
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a
Domains
run-upgrade.monster
myservicebooster.com
findtus.com
firsttus.com
backup1nas.com
removerchangefile.monster
updatewinsoftr.com
renovatesystem.com
topserviceupdater.com
iexploreservice.com
jomamba.best
lsassupdate.com
backup-simple.com
update-chromeservices.com
hustlernystripclub.com
service-checker.com
run-tcp.net
explore-me.xyz
download-firefox.us
ukumentary.com
Last Seen at

Recent blog posts

post image
New PowerShell Script Tracer: Analyze PowerSh...
watchers 450
comments 0
post image
Dmitry Marinov: ANY.RUN’s CTO on TI Lookup, S...
watchers 273
comments 0
post image
Malware Trends Report: Q1, 2024
watchers 1820
comments 0

What is Ryuk Ransomware?

Ryuk is a highly targeted Ransomware — a malware that encrypts files of its victims and demands a payment to restore access to information. Ryuk was first identified in august 2018 and remains active to this day. It attacks newspapers, public institutions, banks, restaurants, and other businesses.

Although it is not considered to be the most high-tech malware in its class, Ryuk Ransomware is very successful. In fact, according to the FBI, it is the number one Ransomware in terms of completed ransom payments.

Thanks to a highly targeted approach to distribution, the malware has managed to infiltrate thousands of PCs and yielded attackers millions of US dollars. In fact, some of the ransoms paid by organizations reach 400,000 US dollars.

Despite not being the most cutting-edge, Ryuk is not be toyed with.

General description of Ryuk Ransomware

The success of Ryuk Ransomware likely can be tied to its selective attack approach. While a lot of malicious programs nowadays are starting to move away from widespread email spam campaigns, Ryuk malware goes another step forward. Its attacks not only use collected information about the victim for initial payload delivery but even the encryption process is being tailored to each victim, targeting the most valuable files.

This fact indicates that operators behind Ryuk malware carefully study each victim and perform expensive scouting and network mapping.

On top of that, Ryuk Ransomware operators are flexible with Ransom demands and adjust not only the ransom amount but also the ransom note context. At least two variants of the ransom note were observed since Ryuk Ransomware became active in 2018. One was well-written, almost polite, and quite long, used in an attack on a large organization with a high ransom demand. The use of a second variant was recorded in the majority of attacks on smaller victims. It is much shorter and uses more blunt and straightforward wording.

Some researchers expressed an opinion that this variation in ransom notes may indicate that the Ryuk Ransomware team uses two separate attack approaches with different complexity.

Preparing for attacks very carefully and learning about each victim allowed the Ryuk malware team to carry out successful campaigns with huge ransom demands. According to some data the average demanded ransom amount is around 674,039 US dollars, while the highest recorded ransom demand was over a million US dollars.

It is not exactly obvious who stands behind this Ransomware. Some evidence and code similarities to another Ransomware called Hermes point towards a North Korean APT, Lazarus Group. However, this is not hard evidence, considering that a sample of Hermes could have fallen into the hands of another criminal and serve as a base for Ryuk's development.

Other reports based on more recent data link Ryuk Ransomware to a Russian criminal group named WIZARD SPIDER, which is known for its work with TrickBot malware. For example, cybersecurity researchers found documents that contained Russian words in filenames while investigating a compromised network, that fell victim to Ryuk. This suggests that the WIZARD SPIDER hypothesis is more likely than the Korean connection.

Additionally, Ryuk checks the keyboard language and terminates execution if it detects Russian, Belarus, or Ukrainian languages, which can be used as a killswitch. This kind of behavior is typical for a malicious program that originated on an ex-USSR territory.

Ryuk malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to watch the execution process of Ryuk malware in action.

ryuk_ransomware_text_report

Figure 1: Displays the text report generated by the ANY.RUN malware hunting service

ryuk_ransomware_ransom_note_variant

Figure 2: One of the variants of the Ryuk ransom note

ryuk_ransomware_ransom_note_variant

Figure 3: One of the variants of the Ryuk ransom note

ryuk_ransomware_ransom_note_variant

Figure 4: One of the variants of the Ryuk ransom note

Ryuk Ransomware execution process

The execution process of Ryuk is not much different from other ransomware such as WannaCry or Netwalker. After the executable file makes its way into an infected system and runs, the main malicious activity begins. Like many other ransomware families, Ryuk deletes shadow copy files. It also stops processes from the hardcoded list. Like other malware of this type, it creates a text or HTML file with a ransom note.

Ryuk Ransomware distribution

In many instances of confirmed Ryuk malware infections, the victim’s machine was also infiltrated by TrickBot. This led researchers to believe that Ryuk Ransomware makes its way into computers with TrickBot, which in turn is usually delivered through mail spam or with a Trojan Emotet.

This distribution method further supports the theory that Ryuk is operated by WIZARD SPIDER.

It is a known fact that the organization associated with Emotet is MUMMY SPIDER, which has been connected with the WIZARD gang in the past.

Conclusion

A high degree of personalization and a careful approach to victim selection made Ryuk Ransomware exceptionally successful. To date, malware operators behind the Ransomware have already collected over 64 million US dollars in payments, according to the FBI reports. The recipe for success is simple but solid — attackers choose successful businesses, that are definitely capable of paying the ransom and quite often will lose more money if they withhold the payment since their operation becomes completely frozen by the inability to access the most vital information.

Unfortunately, this means that a lot of the victims gave in to the demands of the criminals and unwillingly supported future attacks. It is a known fact, that besides capturing Ransomware operators, arguably the most important thing to do — is not paying the ransom.

Sadly, with the success that Ryuk malware has, it is unrealistic to hope that the attacks will stop in the near future. Therefore, the best thing to do now is to study this malware and prepare defense measures against it. Thankfully, ANY.RUN malware hunting service gives cyber teams all the tools they need to analyze Ryuk Ransomware in a secure online interactive sandbox.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy