What is Ryuk Ransomware and How It Works?

What is Ryuk Ransomware?

Ryuk specializes in targeting public Microsoft Windows systems, encrypting data, and demanding untraceable Bitcoin ransoms for the data’s release. Though initially thought to be of North Korean origin, Ryuk is now believed to be the work of two or more Russian criminal groups (Wizard Spider or Grim Spider), who are solely interested in extorting organizations for monetary gain. Ryuk first appeared in 2018 and has become notorious for its relentless pursuit of high ransom payments. Attacks using Ryuk have been known to affect businesses, governments, hospitals, and schools. Essentially, any organization with critical digital assets is a potential victim of Ryuk ransomware.

What is Unique About Ryuk Ransomware?

Unlike many other common strains of ransomware, which are generally distributed systematically via huge spam campaigns, Ryuk is tailored and targeted for specific organizations. Of the organizations that have been hit so far, it seems as though the attackers are targeting organizations where they can cause the biggest disruption, such as hospitals, ports, and now major news corporations. The way Ryuk is built means that it is also perfectly designed for very small-scale operations as it will only encrypt the assets most critical to the targeted organization. This is because the infection and distribution of the ransomware are carried out manually. Although Ryuk has many unique features, analysis shows that it shares some code similarities with Hermes, a ransomware strain from the North Korean hacker group Lazarus. The Ryuk group also uses a credential theft Trojan called TrickBot, to infect victims.

How Does Ryuk ransomware Work?

Phishing emails are often the starting point for Ryuk ransomware attacks, with attackers specifically targeting individuals with access to enterprise-level systems for large payouts. Hackers survey high-value targets before sending seemingly harmless emails with malicious links, which, when opened, unleash Trojan malware that allows them to take over the victim’s machine. Once Ryuk has been deployed it will encrypt the victim’s files and system access, with no option for Windows System Restore.

The typical sequence of events in a Ryuk ransomware attack includes:

• Phishing: The attack begins with a phishing email that delivers malware to an unsuspecting user. Ryuk is embedded in a seemingly legitimate document or attachment, and it activates when the user opens it.
• TrickBot: Once Ryuk is deployed, the TrickBot script is activated. This tool is designed to collect passwords and gain privileged access to higher levels of the system and network.
• Lateral movement: Using TrickBot, the attackers move laterally through the system and network, targeting sensitive data.
• Ransom: When Ryuk has gained access to critical systems, it delivers a ransom demand to the victim, along with payment instructions. If the ransom is not paid, the attackers may delete or hold the victim’s data hostage indefinitely.

How to Detect and Prevent a Ryuk Attack

As with other forms of ransomware, identifying a Ryuk attack can be challenging since it is typically disguised in phishing emails. As a starting point, you should use anti-malware software with real-time threat detection and response capabilities, including features that shield vulnerable programs and use “rollback technology” to restore systems to their previous state.

In addition to the above, there are tools and measures that can help you detect and prevent a Ryuk attack, which include;

YARA rules: YARA rules are used to identify and classify malware based on binary or textual patterns of different malware families. If your organization has YARA installed, and has specific YARA rules for the Ryuk code, you will receive an alert immediately after infection.

Virus detection with Autoruns and Virus Total: The Microsoft Autoruns tool can notify users of potential malware (including Ryuk) when logging into their account or booting up their system. The tool displays a “Virus Total” score to indicate the likelihood of a particular program being a virus.

Threshold alerting: Some sophisticated real-time threat detection solutions allow you to configure alerts for events that match a pre-defined threshold condition. In the case of ransomware, this would be when a certain number of files are encrypted within a given time frame. If the threshold condition is met, a custom script can be executed to prevent the attack from spreading. This might include disabling accounts and processes, changing the firewall settings, or simply shutting down the affected server(s).

Zero Trust: Zero trust is a security model that can help to reduce the impact of ransomware attacks by limiting access to necessary resources and monitoring for illicit activity. This can help to reduce lateral movement and thus minimize the ‘blast radius’ of a Ryuk attack.

Off-site backups: Create secure backups of your data on a regular basis using high-level encryption and multi-factor authentication for cloud storage or physical devices stored in a secure location.

Patch management: Update systems regularly and enable auto-update settings on all key systems and software to avoid vulnerabilities in outdated versions.

Security awareness training: Regularly train employees to spot and report potential Ryuk phishing efforts.

If you do fall victim to a Ryuk ransomware attack, you should avoid paying the ransom at all costs. Instead, contact law enforcement organizations like the FBI, as Ryuk ransomware attacks can threaten national security and vital infrastructures such as healthcare and defense. Collaboration with law enforcement should be a mandatory step in creating a response plan for Ryuk ransomware.

If you’d like to see how the Lepide Data Security Platform can help you detect and respond to ransomware attacks, schedule a demo with one of our engineers or start your free trial today.