Ryuk is a type of ransomware that typically targets very large organizations. The group that operates Ryuk demands expensive ransoms from its victims.
Ryuk is a type of ransomware* that attackers have used to extort money from businesses since 2018. The parties who operate Ryuk pursue bigger targets and charge heftier ransoms than most ransomware attackers. Ryuk attacks are unusual in that they involve considerable surveillance and manual effort to infect their targets. (For typical ransomware groups, putting so much effort into an attack renders it less cost-effective.)
The group allegedly behind most Ryuk ransomware attacks is called Wizard Spider. Wizard Spider also operates TrickBot, a trojan: malware disguised as a benign file so that a user or system will run it.
*Ransomware is malicious software (malware) that locks up files and data, most often via encryption, and holds them for ransom. The attacker or group controlling the ransomware remotely unlocks the files once the victimized organization pays the ransom.
Most often, the Ryuk "virus" enters a network through a TrickBot infection. TrickBot can enter an organization in a number of ways. Spam email is one of the most common methods. TrickBot also spreads through the preexisting Emotet botnet, which uses malicious emails — specifically, Word document email attachments — to infect computers.
Once TrickBot infects a device, the Wizard Spider group can use it to install Ryuk ransomware. Ryuk then moves laterally within the network, infecting as many connected devices as it can without triggering security alerts.
Wizard Spider uses various techniques and exploits to spread the Ryuk infection within a network while remaining undetected. Sometimes this is a manual process — the group can remotely run malicious scripts in PowerShell (a utility in the Windows operating system) or exploit the Remote Desktop Protocol (RDP), among other methods.
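The two lateral-movement signals the text names, interactive RDP logons and remotely launched PowerShell, both leave traces in Windows event logs that a defender can triage. The following is an added example, not code from the article or from Cloudflare, that runs simple detection logic over a handful of constructed Windows Security event records: it flags 4624 logons with LogonType 10 (RemoteInteractive, i.e. RDP) and 4688 process-creation events where PowerShell was started with an `-EncodedCommand` switch, decoding the Base64/UTF-16LE payload so an analyst can read it. The event IDs and field names follow the real Windows schema; the sample records, host names and user names are constructed for this example.

```python
"""Triage constructed Windows event records for RDP logons and encoded PowerShell.

Added example for illustration; not part of the original article.
"""
import base64
import binascii
import re

# Constructed sample events (flattened), not real logs. The encoded command
# carries a harmless 'Write-Host test' so the decoder has something to show.
_HARMLESS = base64.b64encode("Write-Host test".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup",
     "IpAddress": "10.0.5.23", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "alice",
     "IpAddress": "-", "Computer": "WS-ALICE"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + _HARMLESS,
     "Computer": "FILESRV01"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt", "Computer": "WS-ALICE"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en,
# -enc, ...) plus the documented alias -ec; match each followed by a Base64 token.
_ENC_SWITCH = "|".join(
    ["ec"] + ["encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)]
)
_ENC_RE = re.compile(
    r"(?:^|\s)-(?:" + _ENC_SWITCH + r")\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(command_line: str):
    """Return the script carried by -EncodedCommand, or None if absent/undecodable.

    PowerShell expects the payload to be Base64 over UTF-16LE text, so a token
    that does not decode that way (e.g. an unrelated argument) is rejected.
    """
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def is_rdp_logon(evt: dict) -> bool:
    """Event 4624 with LogonType 10 is a RemoteInteractive (RDP) logon."""
    return evt.get("EventID") == 4624 and evt.get("LogonType") == 10


def is_powershell_process(evt: dict) -> bool:
    """Event 4688 (process creation) where the new process is PowerShell."""
    name = evt.get("NewProcessName", "").lower()
    return evt.get("EventID") == 4688 and name.endswith(("powershell.exe", "pwsh.exe"))


def triage(events) -> list:
    """Return one finding per event that matches either indicator, in input order."""
    findings = []
    for evt in events:
        if is_rdp_logon(evt):
            findings.append({
                "computer": evt["Computer"], "kind": "rdp_logon",
                "detail": f"{evt['TargetUserName']} from {evt['IpAddress']}",
            })
        elif is_powershell_process(evt):
            decoded = decode_encoded_command(evt.get("CommandLine", ""))
            if decoded is not None:
                findings.append({
                    "computer": evt["Computer"], "kind": "encoded_powershell",
                    "detail": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['computer']}: {f['kind']} -> {f['detail']}")
```

Neither indicator is proof of compromise on its own (administrators use RDP and encoded commands legitimately), so in practice these findings would be correlated with the host, account and time window rather than alerted on individually.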
Once Ryuk executes, it encrypts files and data on all infected computers, network drives, and network resources.
According to security company CrowdStrike, Ryuk uses the RSA-2048 and AES-256 algorithms to encrypt files. RSA is a public-key encryption algorithm: it uses a pair of keys, a public key and a private key, and data encrypted with the public key can only be decrypted with the matching private key. Wizard Spider holds the private key, preventing the victim from decrypting files on their own.
Unlike most ransomware, Ryuk actively tries to encrypt system files. As CrowdStrike observed, it has attempted to encrypt boot files, which would make the host system unstable or crash it altogether if it were rebooted.
Typically, the ransom note appears on an infected system as a text (.txt) file. Ryuk generates this file when it executes. The ransom note instructs victims how to contact the attackers and pay the ransom.
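On an affected system, the two artifacts described above, files whose contents have been replaced by ciphertext and a plain-text ransom note, are what incident responders look for first when scoping how far the encryption spread. The following is an added example, not code from the article or from Cloudflare, that walks a directory tree and flags files with ciphertext-like byte entropy and `.txt` files whose wording resembles a ransom note. The sample tree, file names, note text and the 7.5 bits-per-byte threshold are constructed for this example; they are not Ryuk's actual note name or wording.

```python
"""Scan a directory tree for encrypted-looking files and ransom-note-like text files.

Added example for illustration; not part of the original article.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed wording markers; a file needs at least two to count as a note.
RANSOM_NOTE_MARKERS = ("decrypt", "bitcoin", "your files", "private key")
# Random or properly encrypted bytes approach 8.0 bits per byte; text and
# most documents sit well below. 7.5 is an assumed triage threshold.
HIGH_ENTROPY = 7.5
MIN_SIZE = 256  # tiny files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """True for a .txt file containing at least two of the note markers."""
    if path.suffix.lower() != ".txt":
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return sum(marker in text for marker in RANSOM_NOTE_MARKERS) >= 2


def scan_tree(root) -> dict:
    """Return sorted relative paths of high-entropy files and ransom notes under root."""
    root = Path(root)
    result = {"high_entropy": [], "ransom_notes": [], "total": 0}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        result["total"] += 1
        rel = p.relative_to(root).as_posix()
        if looks_like_ransom_note(p):
            result["ransom_notes"].append(rel)
            continue
        data = p.read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= HIGH_ENTROPY:
            result["high_entropy"].append(rel)
    result["high_entropy"].sort()
    result["ransom_notes"].sort()
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree in a temp dir and return its path.

    Two ordinary documents, one file whose content is random bytes standing in
    for ciphertext, and a constructed note. Nothing here is real victim data.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_text("Quarterly report. " * 50)
    (root / "docs" / "budget.csv").write_text("item,amount\n" + "paper,12.50\n" * 40)
    (root / "docs" / "contract.pdf.enc").write_bytes(os.urandom(4096))
    (root / "readme_note.txt").write_text(
        "Your files are encrypted. To decrypt them you need the private key. "
        "Payment in Bitcoin."
    )
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    report = scan_tree(sample)
    print(f"scanned {report['total']} files under {sample}")
    print("high-entropy files:", report["high_entropy"])
    print("ransom notes:", report["ransom_notes"])
```

Entropy alone misfires on legitimately compressed or encrypted formats (archives, images, already-encrypted containers), so a real triage run would compare against known-good file types and modification times; the note check gives a cheap second signal and, because the note records contact instructions rather than keys, it also marks the hosts where the payload actually executed.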
Wizard Spider usually requests payment in Bitcoin, often demanding ransoms worth $100,000 or more. One US city paid $460,000 as a ransom following a Ryuk attack.
In 2021, experts estimated that Wizard Spider had earned more than $150 million in ransom payments.
In 2018, Ryuk spread to several newspapers around the United States via infected Tribune Publishing software. The attacks disrupted newspaper printing for several days.
In 2020, Universal Health Services (UHS) had their IT infrastructure locked up by Ryuk ransomware. The organization's phone system and patient health records could not be accessed. It took about three weeks for UHS to restore their systems, and they estimated losses of $67 million due to the attack.
In addition to UHS hospitals, several other American hospitals were the victims of Ryuk ransomware attacks in 2020. The attacks encrypted critical data, disrupting treatments and delaying procedures for many patients.
Hermes is a different but related strain of ransomware that first came into use in 2017. Hermes is widely distributed in the ransomware underworld. Many attackers have used Hermes over the years, and it is not associated with a specific group.
Ryuk ransomware was largely based on Hermes. At first, Ryuk shared a lot of code with Hermes, but over time Wizard Spider has altered Ryuk further.
Even with these methods, there is no way to guarantee that a Ryuk ransomware attack will not take place, just as 100% prevention of any threat is not possible. However, these steps can vastly reduce the chances of an infection.
For help implementing a Zero Trust security model, turn to Cloudflare One. Cloudflare One is a secure access service edge (SASE) platform with widespread network connectivity and Zero Trust security built in.