What is Ryuk ransomware?

Ryuk is a type of ransomware that typically targets very large organizations. The group that operates Ryuk demands expensive ransoms from its victims.

Learning Objectives

After reading this article you will be able to:

  • Describe how Ryuk ransomware works
  • Understand how the group behind Ryuk operates
  • List some of the major Ryuk ransomware attacks

Related Content

Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is Ryuk ransomware?

Ryuk is a type of ransomware* that attackers have used to extort money from businesses since 2018. The parties who operate Ryuk pursue bigger targets and charge heftier ransoms than most ransomware attackers. Ryuk attacks are unusual in that they involve considerable surveillance and manual effort to infect their targets. (For typical ransomware groups, putting so much effort into an attack renders it less cost-effective.)

The group allegedly behind most Ryuk ransomware attacks is called Wizard Spider. Wizard Spider also operates TrickBot, a malware trojan, which is a malicious file disguised as something benign.

*Ransomware is malicious software (malware) that locks up files and data, most often via encryption, and holds them for ransom. The attacker or group controlling the ransomware remotely unlocks the files once the victimized organization pays the ransom.

How does Ryuk ransomware enter an organization?

Most often, the Ryuk "virus" enters a network through a TrickBot infection. TrickBot can enter an organization in a number of ways. Spam email is one of the most common methods. TrickBot also spreads through the preexisting Emotet botnet, which uses malicious emails — specifically, Word document email attachments — to infect computers.

Once TrickBot infects a device, the Wizard Spider group can use it to install Ryuk ransomware. Ryuk then moves laterally within the network, infecting as many connected devices as it can without triggering security alerts.

Wizard Spider uses various techniques and exploits to spread the Ryuk infection within a network while remaining undetected. Sometimes this is a manual process — the group can remotely run malicious scripts in PowerShell (a utility in the Windows operating system) or exploit the Remote Desktop Protocol (RDP), among other methods.

How does Ryuk ransomware work?

Once Ryuk executes, it encrypts files and data on all infected computers, network drives, and network resources.

According to security company CrowdStrike, Ryuk uses the RSA-2048 and AES-256 algorithms to encrypt files. RSA is a public key encryption algorithm, meaning it generates a pair of keys for encrypting files and data: a public key and a private key. Wizard Spider holds the private key, preventing the victim from decrypting files on their own.

Unlike most ransomware, Ryuk actively tries to encrypt system files. As CrowdStrike observed, it has attempted to encrypt boot files, which would make the host system unstable or crash it altogether if it were rebooted.

Typically, the ransom note appears on an infected system as a text (.txt) file. Ryuk generates this file when it executes. The ransom note instructs victims how to contact the attackers and pay the ransom.

Ryuk ransom payments

Wizard Spider usually requests payment in Bitcoin, often demanding ransoms worth $100,000 or more. One US city paid $460,000 as a ransom following a Ryuk attack.

In 2021, experts estimated that Wizard Spider had earned more than $150 million in ransom payments.

What are some major Ryuk ransomware attacks?

Tribune Publishing attack

In 2018, Ryuk spread to several newspapers around the United States via infected Tribune Publishing software. The attacks disrupted newspaper printing for several days.

The Universal Health Services (UHS) infection

In 2020, Universal Health Services (UHS) had their IT infrastructure locked up by Ryuk ransomware. The organization's phone system and patient health records could not be accessed. It took about three weeks for UHS to restore their systems, and they estimated losses of $67 million due to the attack.

2020 attacks on American hospitals

In addition to UHS hospitals, several other American hospitals were the victims of Ryuk ransomware attacks in 2020. The attacks encrypted critical data, disrupting treatments and delaying procedures for many patients.

How does Ryuk ransomware relate to Hermes ransomware?

Hermes is a different but related strain of ransomware that first came into use in 2017. Hermes is widely distributed in the ransomware underworld. Many attackers have used Hermes over the years, and it is not associated with a specific group.

Ryuk ransomware was largely based on Hermes. At first, Ryuk shared a lot of code with Hermes, but over time Wizard Spider has altered Ryuk further.

How to prevent a Ryuk ransomware infection

  • Train users to avoid opening unexpected emails and email attachments: Most malware infections occur because of user error, and Ryuk is no exception. While the Wizard Spider group often can spread Ryuk within an organization on their own, the initial infection usually starts because a user opened or downloaded a malicious email attachment, resulting in a TrickBot or Emotet infection. User security training can reduce the chances of this happening.
  • Analyze systems for preexisting infections: Many Ryuk attacks take place because a network is already infected with TrickBot or Emotet malware. Anti-malware scanning — an important endpoint security practice — can help detect these infections and enable network admins to isolate infected devices.
  • Use a Zero Trust security model: In a Zero Trust network, no computing devices are trusted by default, and devices continually have to be re-verified. This approach restricts access for infected devices, preventing network compromise.
  • Regularly back up files and data: In some cases, an organization can restore their data from a backup instead of paying the ransom or reconstructing their entire IT infrastructure.

Even with these methods, there is no way to guarantee that a Ryuk ransomware attack will not take place, just as 100% prevention of any threat is not possible. However, these steps can vastly reduce the chances of an infection.

For help implementing a Zero Trust security model, turn to Cloudflare One. Cloudflare One is a secure access service edge (SASE) platform with widespread network connectivity and Zero Trust security built in.