Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now
92
Global rank
84 infographic chevron month
Month rank
93 infographic chevron week
Week rank
0
IOCs

Ryuk is a Ransomware — a type of malware that encrypts files of the victim and restores access in exchange for a ransom payment. Operating since 2018, Ryuk has been continually carrying out successful targeted attacks on organizations, netting operators millions of dollars throughout its lifetime.

Ransomware
Type
Unknown
Origin
1 August, 2018
First seen
7 October, 2025
Last seen

How to analyze Ryuk with ANY.RUN

Type
Unknown
Origin
1 August, 2018
First seen
7 October, 2025
Last seen

IOCs

IP addresses
162.252.172.41
45.76.1.57
82.117.252.32
104.248.83.13
5.34.183.43
192.236.193.45
45.77.74.90
104.156.255.79
149.28.50.31
45.32.161.213
45.63.8.219
109.236.92.162
137.184.97.29
185.254.121.157
Hashes
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
15df3e84e351cb4bfbe92d07e286b6603950712907a8e7ca776d3b782f3a6aa0
a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e
ff90b93b8b79c8fb881b489263d53dd69dd5b98211507a2956885d7c71e086a2
ec662c73279f4a3772e3e549b07bcd67803292981afae931df4b63d47f6ac2a9
d7b324dfead641207c85cb18cdfc00bbfd37932f27f41c3af441d6912f235849
e75622957decf1594c2cbe726ff0aaba4a509dab7b77721d3db16977f224ae4a
8f1389d380f8dca385e2ce1c35a58b17b79fe3844385203cf2ded6df5ee44c62
d540ddcaa68fc14a74ee37874eaea0987dbe19cd790d4d51a28ea1079f864bbf
bc1e7a135f5347dd05a0944a3c27c90b3f288ca0499080f625816a4412ac86a0
be766af9c0a40651f021e82136fad95e765a377cd56f45ae43e2c836b3e66bb7
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
90a0c09f00c69eb9130afa13fffd651ab55737e9a4df93e88b9d3954b9322c74
0b1008d91459937c9d103a900d8e134461db27c602a6db5e082ab9139670ccb6
fe0de9a669050700bb637fdfef8a44b3717f6ab52b3825981952e108f9e03d24
bddaf6020f8df169e1901c709701240f1a810d0e0fcec7d4479d5354360e1795
6c8d025ed75bd139bceda7da3f0fcaef155b9e0d2f6d2e9df992fa06ca2769a2
a1cbf76b51484e2779860b3c2bca65cd7ee79a3225d1005885739915c8c3603d
e803f1a1acf079ff2ca62e02c924840a9334336e762b0992123035427ffbf894
12ecee51ba6eacabf685b04552d47c674c4456bd913dc04acfb3aa38853c75cc
Domains
contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion
chainnss.com
mn.fastbloodhunter.com
fastbloodhunter.com
new-office.org
msofficeupdate.com
raingamess.com
service-boostter.com
walkswithsierra.com
microsoftupdate.work
hashsystem.xyz
backup1nas.com
run-upgrade.monster
hustlernystripclub.com
removerchangefile.monster
download-firefox.us
ukumentary.com
update-chromeservices.com
run-tcp.net
mysocialsoftware.com
Last Seen at

Recent blog posts

post image
How to Grow SOC Team Expertise for Ultimate T...
watchers 188
comments 0
post image
Phishing, Cloud Abuse, and Evasion: Advanced...
watchers 549
comments 0
post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 3787
comments 0

What is Ryuk Ransomware?

Ryuk is a highly targeted Ransomware — a malware that encrypts files of its victims and demands a payment to restore access to information. Ryuk was first identified in august 2018 and remains active to this day. It attacks newspapers, public institutions, banks, restaurants, and other businesses.

Although it is not considered to be the most high-tech malware in its class, Ryuk Ransomware is very successful. In fact, according to the FBI, it is the number one Ransomware in terms of completed ransom payments.

Thanks to a highly targeted approach to distribution, the malware has managed to infiltrate thousands of PCs and yielded attackers millions of US dollars. In fact, some of the ransoms paid by organizations reach 400,000 US dollars.

Despite not being the most cutting-edge, Ryuk is not be toyed with.

General description of Ryuk Ransomware

The success of Ryuk Ransomware likely can be tied to its selective attack approach. While a lot of malicious programs nowadays are starting to move away from widespread email spam campaigns, Ryuk malware goes another step forward. Its attacks not only use collected information about the victim for initial payload delivery but even the encryption process is being tailored to each victim, targeting the most valuable files.

This fact indicates that operators behind Ryuk malware carefully study each victim and perform expensive scouting and network mapping.

On top of that, Ryuk Ransomware operators are flexible with Ransom demands and adjust not only the ransom amount but also the ransom note context. At least two variants of the ransom note were observed since Ryuk Ransomware became active in 2018. One was well-written, almost polite, and quite long, used in an attack on a large organization with a high ransom demand. The use of a second variant was recorded in the majority of attacks on smaller victims. It is much shorter and uses more blunt and straightforward wording.

Some researchers expressed an opinion that this variation in ransom notes may indicate that the Ryuk Ransomware team uses two separate attack approaches with different complexity.

Preparing for attacks very carefully and learning about each victim allowed the Ryuk malware team to carry out successful campaigns with huge ransom demands. According to some data the average demanded ransom amount is around 674,039 US dollars, while the highest recorded ransom demand was over a million US dollars.

It is not exactly obvious who stands behind this Ransomware. Some evidence and code similarities to another Ransomware called Hermes point towards a North Korean APT, Lazarus Group. However, this is not hard evidence, considering that a sample of Hermes could have fallen into the hands of another criminal and serve as a base for Ryuk's development.

Other reports based on more recent data link Ryuk Ransomware to a Russian criminal group named WIZARD SPIDER, which is known for its work with TrickBot malware. For example, cybersecurity researchers found documents that contained Russian words in filenames while investigating a compromised network, that fell victim to Ryuk. This suggests that the WIZARD SPIDER hypothesis is more likely than the Korean connection.

Additionally, Ryuk checks the keyboard language and terminates execution if it detects Russian, Belarus, or Ukrainian languages, which can be used as a killswitch. This kind of behavior is typical for a malicious program that originated on an ex-USSR territory.

Ryuk malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to watch the execution process of Ryuk malware in action.

ryuk_ransomware_text_report

Figure 1: Displays the text report generated by the ANY.RUN malware hunting service

ryuk_ransomware_ransom_note_variant

Figure 2: One of the variants of the Ryuk ransom note

ryuk_ransomware_ransom_note_variant

Figure 3: One of the variants of the Ryuk ransom note

ryuk_ransomware_ransom_note_variant

Figure 4: One of the variants of the Ryuk ransom note

Ryuk Ransomware execution process

The execution process of Ryuk is not much different from other ransomware such as WannaCry or Netwalker. After the executable file makes its way into an infected system and runs, the main malicious activity begins. Like many other ransomware families, Ryuk deletes shadow copy files. It also stops processes from the hardcoded list. Like other malware of this type, it creates a text or HTML file with a ransom note.

Ryuk Ransomware distribution

In many instances of confirmed Ryuk malware infections, the victim’s machine was also infiltrated by TrickBot. This led researchers to believe that Ryuk Ransomware makes its way into computers with TrickBot, which in turn is usually delivered through mail spam or with a Trojan Emotet.

This distribution method further supports the theory that Ryuk is operated by WIZARD SPIDER.

It is a known fact that the organization associated with Emotet is MUMMY SPIDER, which has been connected with the WIZARD gang in the past.

Conclusion

A high degree of personalization and a careful approach to victim selection made Ryuk Ransomware exceptionally successful. To date, malware operators behind the Ransomware have already collected over 64 million US dollars in payments, according to the FBI reports. The recipe for success is simple but solid — attackers choose successful businesses, that are definitely capable of paying the ransom and quite often will lose more money if they withhold the payment since their operation becomes completely frozen by the inability to access the most vital information.

Unfortunately, this means that a lot of the victims gave in to the demands of the criminals and unwillingly supported future attacks. It is a known fact, that besides capturing Ransomware operators, arguably the most important thing to do — is not paying the ransom.

Sadly, with the success that Ryuk malware has, it is unrealistic to hope that the attacks will stop in the near future. Therefore, the best thing to do now is to study this malware and prepare defense measures against it. Thankfully, ANY.RUN malware hunting service gives cyber teams all the tools they need to analyze Ryuk Ransomware in a secure online interactive sandbox.

HAVE A LOOK AT

Rootkit screenshot
Rootkit
rootkit bootkit
A rootkit is a type of malicious software designed to provide unauthorized administrative-level access to a computer or network while concealing its presence. Rootkits are tools used by cybercriminals to hide their activities, including keyloggers, spyware, and other malware, often enabling long-term system exploitation.
Read More
Trojan screenshot
Trojan
trojan trojan horse
Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More