Ryuk is ransomware, a type of malware that encrypts the victim's files and restores access only in exchange for a ransom payment. Operating since 2018, Ryuk has continually carried out successful targeted attacks on organizations, netting its operators millions of dollars over its lifetime.

Type: Ransomware
Origin: Unknown
First seen: 1 August, 2018
Last seen: 15 January, 2021
Global rank: 40
Week rank: 23
Month rank: 36
IOCs: 40

What is Ryuk Ransomware?

Ryuk is highly targeted ransomware, malware that encrypts its victims' files and demands a payment to restore access to the information. Ryuk was first identified in August 2018 and remains active to this day. It attacks newspapers, public institutions, banks, restaurants, and other businesses.

Although it is not considered the most high-tech malware in its class, Ryuk ransomware is very successful. In fact, according to the FBI, it is the number one ransomware in terms of completed ransom payments.

Thanks to a highly targeted approach to distribution, the malware has managed to infiltrate thousands of PCs and yield attackers millions of US dollars. Some of the ransoms paid by organizations reach 400,000 US dollars.

Despite not being the most cutting-edge, Ryuk is not to be toyed with.

General description of Ryuk Ransomware

The success of Ryuk ransomware can likely be tied to its selective attack approach. While many malicious programs nowadays are starting to move away from widespread email spam campaigns, Ryuk goes a step further. Its attacks not only use collected information about the victim for initial payload delivery; even the encryption process is tailored to each victim, targeting the most valuable files.

This indicates that the operators behind Ryuk carefully study each victim and perform expensive reconnaissance and network mapping before the attack.

On top of that, Ryuk ransomware operators are flexible with ransom demands and adjust not only the ransom amount but also the content of the ransom note. At least two variants of the ransom note have been observed since Ryuk became active in 2018. One was well-written, almost polite, and quite long; it was used in an attack on a large organization with a high ransom demand. The second variant was recorded in the majority of attacks on smaller victims. It is much shorter and uses more blunt and straightforward wording.

Some researchers have expressed the opinion that this variation in ransom notes may indicate that the Ryuk team uses two separate attack approaches of different complexity.

Preparing for attacks very carefully and learning about each victim has allowed the Ryuk team to carry out successful campaigns with huge ransom demands. According to some data, the average demanded ransom is around 674,039 US dollars, while the highest recorded ransom demand was over a million US dollars.

It is not entirely clear who is behind this ransomware. Some evidence and code similarities to another ransomware family called Hermes point towards a North Korean APT, the Lazarus Group. However, this is not hard evidence, considering that a sample of Hermes could have fallen into the hands of another criminal and served as a base for Ryuk development.

Other reports based on more recent data link Ryuk to a Russian criminal group named WIZARD SPIDER, which is known for its work with the TrickBot malware. For example, while investigating a compromised network that fell victim to Ryuk, cybersecurity researchers found documents whose filenames contained Russian words. This suggests that the WIZARD SPIDER hypothesis is more likely than the Korean connection.

Additionally, Ryuk checks the keyboard language and terminates execution if it detects Russian, Belarusian or Ukrainian, which can be used as a killswitch. This kind of behavior is typical for a malicious program that originated in ex-USSR territory.

Ryuk malware analysis

A video recorded in the ANY.RUN malware hunting service allows us to watch the execution process of Ryuk malware in action.

Figure 1: The text report generated by the ANY.RUN malware hunting service

Figure 2: One of the variants of the Ryuk ransom note

Figure 3: One of the variants of the Ryuk ransom note

Figure 4: One of the variants of the Ryuk ransom note

Ryuk Ransomware execution process

The execution process of Ryuk is not much different from that of other ransomware. After the executable file makes its way onto a system and runs, the main malicious activity begins. Like many other ransomware families, Ryuk deletes shadow copy files so that encrypted data cannot be restored from them. It also stops processes and services from a hardcoded list. Like other malware of this type, it creates a text or HTML file with a ransom note.
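The two pre-encryption behaviours named above (shadow-copy deletion followed by a burst of process and service terminations) are visible in process-creation telemetry before any file is encrypted, which makes them a useful early detection point. The following detector is an added example written for this page; it is not ANY.RUN code and it does not reproduce Ryuk's own hardcoded list. The log events are constructed Sysmon-style records, and the assumption that shadow copies are removed through the `vssadmin` or `wmic shadowcopy` commands, and processes stopped via `net stop` and `taskkill`, is mine, since the page only states that the actions happen, not how.

```python
import re
from datetime import datetime

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# WS01 shows the ransomware staging pattern; WS02 shows routine administrator activity.
SAMPLE_EVENTS = [
    {"ts": "2021-01-15T10:02:11", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "unknown.exe", "cmdline": 'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"ts": "2021-01-15T10:02:12", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "unknown.exe", "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2021-01-15T10:02:13", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "unknown.exe", "cmdline": 'net.exe stop "SQL Server (MSSQLSERVER)" /y'},
    {"ts": "2021-01-15T10:02:13", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "unknown.exe", "cmdline": "taskkill.exe /IM sqlservr.exe /F"},
    {"ts": "2021-01-15T10:02:14", "host": "WS01", "user": "CORP\\jdoe",
     "parent": "unknown.exe", "cmdline": "taskkill.exe /IM outlook.exe /F"},
    {"ts": "2021-01-15T11:30:00", "host": "WS02", "user": "CORP\\admin",
     "parent": "powershell.exe", "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2021-01-15T11:31:00", "host": "WS02", "user": "CORP\\admin",
     "parent": "powershell.exe", "cmdline": "net.exe stop Spooler"},
]

# Behaviour tags and the command-line patterns assumed to produce them.
# Listing shadow copies is deliberately not matched; only deletion is.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("service_or_process_stop", re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I)),
    ("service_or_process_stop", re.compile(r"\btaskkill(\.exe)?\b.*(/f\b|/im\b)", re.I)),
]


def classify_event(event):
    """Return the sorted list of behaviour tags a single command line matches."""
    tags = {name for name, pattern in RULES if pattern.search(event["cmdline"])}
    return sorted(tags)


def correlate(events, window_seconds=300, min_stops=2):
    """Flag hosts where a shadow-copy deletion is accompanied by at least
    `min_stops` process/service terminations inside `window_seconds`.

    A single `net stop` by an administrator is normal; the combination with
    shadow-copy deletion in a short window is the pattern worth alerting on.
    """
    hits_by_host = {}
    for ev in events:
        tags = classify_event(ev)
        if tags:
            ts = datetime.fromisoformat(ev["ts"])
            hits_by_host.setdefault(ev["host"], []).append((ts, tags, ev))

    alerts = {}
    for host, hits in hits_by_host.items():
        hits.sort(key=lambda h: h[0])
        for t0, tags0, _ in hits:
            if "shadow_copy_deletion" not in tags0:
                continue
            stops = sum(
                1 for t, tags, _ in hits
                if "service_or_process_stop" in tags
                and abs((t - t0).total_seconds()) <= window_seconds
            )
            if stops >= min_stops:
                alerts[host] = {
                    "first_seen": t0.isoformat(),
                    "stop_events": stops,
                    "commands": [h[2]["cmdline"] for h in hits],
                }
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for host, detail in correlate(SAMPLE_EVENTS).items():
        print(f"[ALERT] {host}: shadow copies deleted at {detail['first_seen']}, "
              f"{detail['stop_events']} stop/kill commands in window")
        for cmd in detail["commands"]:
            print("    ", cmd)
```

The correlation step is what keeps the false-positive rate manageable: backup software and administrators legitimately list, and occasionally delete, shadow copies, and service restarts are routine, so each behaviour alone is only a low-confidence signal. Anchoring the window on the deletion event rather than on the first kill also means the alert fires before the bulk of the terminations, which is the moment a responder can still isolate the host.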

Ryuk Ransomware distribution

In many confirmed Ryuk infections, the victim's machine had also been infiltrated by TrickBot. This led researchers to believe that Ryuk makes its way onto computers via TrickBot, which in turn is usually delivered through mail spam or by the Emotet Trojan.

This distribution method further supports the theory that Ryuk is operated by WIZARD SPIDER.

It is a known fact that the organization associated with Emotet is MUMMY SPIDER, which has been connected with the WIZARD SPIDER gang in the past.

Conclusion

A high degree of personalization and a careful approach to victim selection have made Ryuk exceptionally successful. To date, the operators behind the ransomware have collected over 64 million US dollars in payments, according to FBI reports. The recipe for success is simple but solid: the attackers choose successful businesses that are definitely capable of paying the ransom and that quite often will lose more money if they withhold payment, since their operations become completely frozen by the inability to access the most vital information.

Unfortunately, this means that many victims gave in to the criminals' demands and unwittingly funded future attacks. It is a known fact that, besides capturing ransomware operators, arguably the most important thing to do is not to pay the ransom.

Sadly, given the success Ryuk has had, it is unrealistic to hope that the attacks will stop in the near future. Therefore, the best thing to do now is to study this malware and prepare defensive measures against it. Thankfully, the ANY.RUN malware hunting service gives cyber teams all the tools they need to analyze Ryuk in a secure online interactive sandbox.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
