Ryuk Ransomware

What Is Ryuk Ransomware?

Named for a fictional anime character (the death god Ryuk from Death Note), Ryuk is a prominent ransomware family used by several criminal groups in big-game hunting campaigns that have targeted hundreds of US and global organizations since Ryuk was first observed in August 2018. According to incident-response statistics, Ryuk ransom demands average roughly ten times those of other strains; the operation has extorted hundreds of millions of dollars' worth of Bitcoin (BTC) from its victims and, by some estimates, has accounted for about 20 percent of ransomware infections worldwide, making it one of the most prolific ransomware strains.

Although initially attributed to North Korea (its predecessor Hermes had been used by the Lazarus Group, also tracked as APT38, in a 2017 bank heist), Ryuk activity is primarily associated with Russian-speaking cybercriminal groups. The operators tracked as Wizard Spider, TEMP.MixMaster, and UNC1878 are largely overlapping designations for the same cluster used by different vendors, and FIN6 has also been observed deploying Ryuk. The fact that Ryuk removed its predecessor Hermes' restrictions on encrypting file extensions commonly used by Russian software has been cited as another sign that Ryuk originates from Russian cybercrime.

Although Ryuk is not publicly advertised as ransomware-as-a-service (RaaS), its source code has reportedly been sold on dark web forums to groups that customize it for their own RaaS operations. This has led to numerous Ryuk variants with diverse extended capabilities for sensitive data identification, data exfiltration, and lateral movement.

How Ryuk Works

Ryuk was derived from Hermes 2.1, a ransomware first detected in 2017, and still shares some of the original Hermes code. Once deployed, Ryuk establishes persistence by adding a Windows registry Run key, enables the SeDebugPrivilege token privilege and injects itself into other running processes, and uses built-in tools such as net stop and taskkill to shut down known antivirus, database, and backup services and processes so that the files they hold open can be encrypted.

Early versions of Ryuk were functionally limited, lacking first-stage loader, data exfiltration, and lateral movement capabilities. Ryuk has therefore typically been deployed in tandem with other malware toolkits that supply those functions. However, in early 2021 a Ryuk variant was identified with worm-like self-propagation and the ability to send Wake-on-LAN packets to adjacent network devices, allowing it to wake network-accessible systems in standby or sleep mode before encrypting them.

Several known infection chains have been used to deploy Ryuk ransomware over its lifespan:

TrickBot -> Ryuk: TrickBot supports attacker goals such as spreading through the victim's network and stealing sensitive data and credentials, ending in a Ryuk ransomware attack. TrickBot infections leading to Ryuk decreased significantly in early 2020.

Emotet -> TrickBot -> Ryuk: Emotet-based malware infections continued to deliver TrickBot and then Ryuk until September 2020.

BazarLoader -> Ryuk: BazarLoader (AKA BazarBackdoor) is a first-stage malware that deploys a second-stage command-and-control (C2) payload, which attackers use to move through the target's network looking for high-value assets to exfiltrate and encrypt. Attackers have been deploying Ryuk via BazarLoader since roughly mid-2020.

Buer Loader -> Ryuk: Buer (later rewritten in Rust as RustyBuer) is a first-stage loader sold as malware-as-a-service on dark web forums; it replaced the Emotet-based Ryuk infection chain in late 2020.

SilentNight -> Ryuk: SilentNight is a variant of the Zeus-derived Zloader malware that has been used to distribute Ryuk ransomware since 2020.

For its primary task of ransoming files, Ryuk's dropper selects a 32- or 64-bit payload to match the infected host and encrypts files with a hybrid scheme: each file is encrypted with AES-256, and the AES key is in turn encrypted with an RSA public key, so the files cannot be recovered without the attackers' RSA private key. Ryuk also deletes backup files (by extension) and volume shadow copies, for example via vssadmin Delete Shadows, to prevent victims from recovering their files through Windows recovery functions. To ensure that the system still boots and victims can find the ransom note and contact the attackers, Ryuk avoids encrypting Windows system files and Internet browser directories. Finally, Ryuk hampers discovery and analysis by deleting its dropper and other artifacts after the encryption process is complete.

Signs of a Ryuk Attack

Ryuk leaves a ransom note named RyukReadMe.txt or RyukReadMe.html, which usually ends with the message "no system is safe" and contains two contact email addresses at Protonmail or Tutanota. Files encrypted by Ryuk have .RYK appended to the original filename and carry the string HERMES as a marker near the end of the file, a trait inherited from Ryuk's predecessor.

Another potential indicator of a Ryuk infection is a Windows registry Run key pointing to the Ryuk executable, whose name ends in lan.exe or rep.exe (prefixed with a short random string) and which is typically stored in either the 'C:\users\Public\sys' or 'C:\Documents and Settings\Default User\sys' directory. Process-level indicators include vssadmin or wbadmin being invoked to delete shadow copies and backup catalogs, followed by bursts of net stop and taskkill commands against database, backup, and security software.
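The indicators above, together with the behaviours described under "How Ryuk Works", lend themselves to a simple host triage rule. The Python below is an added example, not code from the original article or from any Ryuk sample: it runs a handful of constructed endpoint events (process creations, a registry write, file events) through the checks and decides whether the host should be escalated. The event schema (fields "type", "image", "cmdline", "key", "value", "data", "path") and the tag names are assumptions made for the example, not the output format of any real EDR or Sysmon deployment.

```python
"""Ryuk indicator triage over constructed endpoint telemetry.

Added example; this is not code from the original article and not derived
from any Ryuk sample. The events below are constructed to mirror the
behaviours the text describes. The event schema (keys "type", "image",
"cmdline", "key", "value", "data", "path") is an assumption, not the output
format of any real EDR or Sysmon deployment.
"""
import re
from collections import Counter

# Host artifacts named in the article: staging directories, executable name
# suffixes (the dropper prefixes a short random string, so match the suffix),
# the ransom-note filename and the encrypted-file extension.
DROP_DIRS = (r"c:\users\public\sys", r"c:\documents and settings\default user\sys")
EXE_SUFFIXES = ("lan.exe", "rep.exe")
RUN_KEY = r"software\microsoft\windows\currentversion\run"
NOTE_RE = re.compile(r"(?:^|\\)ryukreadme(?:\.txt|\.html?)?$")   # applied to a normalised path
RYK_RE = re.compile(r"\.ryk$", re.I)

# Behaviours from "How Ryuk Works": shadow-copy/backup-catalog deletion and
# stopping/killing AV, database and backup services via built-in tools.
RECOVERY_TAMPER_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)
SERVICE_KILL_RE = re.compile(r"\b(?:net1?(?:\.exe)?\s+stop\s|taskkill(?:\.exe)?\s.*?/im\s)", re.I)

# Name-based indicators are specific enough to flag on their own; the two
# behavioural ones also occur in legitimate administration, so they only
# contribute when corroborated by a second indicator class.
HIGH_CONFIDENCE = {"ryuk_ransom_note", "ryk_extension",
                   "run_key_to_ryuk_dropper", "exec_from_ryuk_drop_path"}


def _norm(path):
    """Lower-case, strip quotes and unify separators for path comparison."""
    return path.strip().strip('"').lower().replace("/", "\\")


def is_ryuk_drop_path(path):
    """True if `path` is directly inside a known Ryuk staging directory and
    its filename ends in lan.exe or rep.exe."""
    directory, _, name = _norm(path).rpartition("\\")
    return directory in DROP_DIRS and name.endswith(EXE_SUFFIXES)


def classify(event):
    """Return the list of indicator tags one telemetry event triggers."""
    tags = []
    kind = event.get("type")
    if kind == "registry_set":
        if RUN_KEY in _norm(event.get("key", "")) and is_ryuk_drop_path(event.get("data", "")):
            tags.append("run_key_to_ryuk_dropper")
    elif kind == "process_create":
        cmdline = event.get("cmdline", "")
        if RECOVERY_TAMPER_RE.search(cmdline):
            tags.append("shadow_copy_or_backup_catalog_deletion")
        if SERVICE_KILL_RE.search(cmdline):
            tags.append("service_or_process_kill")
        if is_ryuk_drop_path(event.get("image", "")):
            tags.append("exec_from_ryuk_drop_path")
    elif kind in ("file_create", "file_rename"):
        path = event.get("path", "")
        if NOTE_RE.search(_norm(path)):
            tags.append("ryuk_ransom_note")
        if RYK_RE.search(path):
            tags.append("ryk_extension")
    return tags


def triage(events):
    """Aggregate indicators for one host and decide whether to escalate."""
    hits = Counter(tag for event in events for tag in classify(event))
    suspected = bool(HIGH_CONFIDENCE.intersection(hits)) or len(hits) >= 2
    return {"indicators": dict(hits), "suspected_ryuk": suspected}


# Constructed sample telemetry (not captured from a real incident). The Run-key
# value name "svchos" is one commonly reported for Ryuk; the check keys on the path.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"'},
    {"type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net stop "SQLSERVERAGENT" /y'},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /IM sqlservr.exe /F"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchos", "data": r"C:\Users\Public\sys\xKqlan.exe"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\RyukReadMe.html"},
    {"type": "file_rename", "path": r"C:\Users\alice\Documents\budget.xlsx.RYK"},
]

# Routine administration that shares one behavioural indicator but must not alert.
BENIGN_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
    {"type": "file_create", "path": r"C:\Users\bob\Downloads\readme.txt"},
]

if __name__ == "__main__":
    for label, events in (("infected host", SAMPLE_EVENTS), ("admin host", BENIGN_EVENTS)):
        print(label, triage(events))
```

The split between high-confidence and behavioural indicators is the practical point: a single `net stop` on an administrator's workstation produces one indicator class and stays below the threshold, while the Ryuk sequence (shadow-copy deletion, service kills, a Run key into C:\Users\Public\sys, the note and .RYK files) lights up five classes on the same host. In a real deployment the same logic would be expressed as a correlation rule over the EDR's own field names rather than the assumed schema used here.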

How to Prevent a Ryuk Attack

  • Provide user awareness training on phishing techniques, since the loaders that precede Ryuk arrive mainly by email, and develop standard operating procedures (SOPs) for handling suspicious emails and documents
  • Ensure that updates and security patches are applied across the entire IT environment, including security products, operating systems, and applications
  • Implement strong access controls based on the principle of least privilege and require multi-factor authentication (MFA) for all remote access and privileged accounts
  • Deploy and keep current intrusion detection and prevention systems (IDS/IPS) to detect abnormal network behavior, such as the lateral movement that precedes Ryuk deployment
  • Implement modern Identity and Access Management (IAM) tools
  • Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOCs) and block malicious files from executing
  • Harden the network with next-generation firewalls and segment critical systems, such as backup servers and domain controllers, into separate VLANs or Windows domains so that a single compromised host cannot reach them
  • Develop and maintain a robust backup strategy, including offline or immutable copies that Ryuk's shadow-copy and backup deletion cannot reach, and test incident response plans to ensure resilience against ransomware attacks

CylanceOPTICS® provides on-device threat detection and remediation using artificial intelligence (AI) to prevent security incidents with root cause analysis, smart threat hunting, and automated detection and response capabilities. Our Endpoint Detection and Response (EDR) approach effectively eliminates response latency. It can be the difference between a minor security incident and a widespread, uncontrolled event.