Key Takeaways
- Wizard Spider, the Russia-based group behind Ryuk ransomware, collected a $460,000 ransom from a single US city, and by early 2021 the group was estimated to have taken in more than $150 million in Ryuk ransoms overall. (Cloudflare)
- Ryuk is responsible for around 33% of all ransomware attacks in 2020. (Sonicwall Research)
Introduction
Ransomware continues to hit SMBs (small and medium businesses) across many industries, and Ryuk in particular has been used against large companies and local governments, whose ransom demands have historically been well above average. It is therefore worth understanding what Ryuk is, where it came from, and how a Ryuk intrusion actually unfolds.
What is Ryuk Ransomware and Its Origin?
Ryuk is a strain of ransomware used against large organizations, with correspondingly large ransom demands. Its name comes from the manga and anime series "Death Note", in which Ryuk is a shinigami, a god of death. Ryuk is operated by the Russia-based criminal group "Wizard Spider". It was built from the source code of the earlier Hermes ransomware and has been updated continually since to improve its effectiveness. Ryuk first appeared in August 2018 and, within its first weeks, had collected ransom payments estimated at around $600,000 from multiple organizations; it has since generated many millions of dollars in payments.
How Ryuk Gains Initial Access
Ryuk operators commonly gain initial access by compromising exposed RDP services, through phishing, or with stolen credentials. Exposed or poorly secured RDP is routinely brute-forced, and RDP credentials stolen elsewhere are sold cheaply on underground marketplaces, so these attacks are inexpensive to mount. Ryuk is deployed in targeted, human-operated intrusions rather than sprayed indiscriminately.
How Ryuk Ransomware Works
Ryuk is deployed only after a foothold already exists. In earlier campaigns that foothold was usually provided by Emotet or TrickBot: Emotet arrived first, spread across the network and pulled down further payloads, most often TrickBot. TrickBot then harvested credentials and supported lateral movement, and once the operators had reached the systems they wanted, they pushed the Ryuk payload to encrypt them and cut off access to critical resources. More generally, Ryuk is dropped by TrickBot or by similar hands-on post-exploitation activity, never as the first stage of the intrusion.
What Happens Before Encryption
Ryuk does not start encrypting as soon as the network is breached. The operators first spend time moving between systems with valid credentials, using built-in tools such as PowerShell, WMI and standard administrative utilities for movement and remote control.
Their goals are to widen access, locate the systems that matter most, and find backup infrastructure so it can be disabled or deleted before encryption, which removes the victim's recovery path. Because all of this runs under legitimate accounts and looks like expected administrative behavior, it blends into normal operations.
Since nothing is disrupted yet, this stage is hard to detect, yet it is the stage where detection matters most: by the time encryption begins, the attackers already hold access across many systems.
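The two stages described above, RDP password guessing as the way in and backup tampering before encryption, both leave traces in ordinary Windows Security events. The following detection logic is an added example, not SafeAeon's code or anything from the original page. It assumes a simplified pipe-delimited record format (constructed sample events embedded below, not real telemetry), an arbitrary starting threshold of 10 failed RDP logons within 5 minutes, and matches the commonly reported shadow-copy, backup-catalog and boot-recovery tampering commands, which the page itself does not list.

```python
"""Detection logic for two Ryuk-style precursors, run over constructed Windows
Security event records: an RDP password-guessing burst (Event 4625 failures with
logon type 10, followed by a 4624 success from the same source) and backup
tampering visible in process-creation events (Event 4688).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample events, not real telemetry. One event per line:
# timestamp|event_id|host|key=value|key=value...
SAMPLE_EVENTS = "\n".join(
    # twelve failed RDP logons from one external source in under two minutes
    [f"2024-03-01T02:0{i // 6}:{(i % 6) * 10:02d}|4625|srv-file01|src=203.0.113.45|user=administrator|logon_type=10"
     for i in range(12)]
    + [
        # ...then a successful interactive RDP logon from the same source
        "2024-03-01T02:03:15|4624|srv-file01|src=203.0.113.45|user=administrator|logon_type=10",
        # an internal admin who mistypes a password once: must not be flagged
        "2024-03-01T08:10:00|4625|srv-file01|src=10.0.5.20|user=jsmith|logon_type=10",
        "2024-03-01T08:10:05|4624|srv-file01|src=10.0.5.20|user=jsmith|logon_type=10",
        # process creation during the pre-encryption stage: recovery being removed
        "2024-03-01T02:40:00|4688|srv-file01|user=administrator|cmd=vssadmin.exe Delete Shadows /All /Quiet",
        "2024-03-01T02:40:02|4688|srv-file01|user=administrator|cmd=wbadmin delete catalog -quiet",
        "2024-03-01T02:40:05|4688|srv-file01|user=administrator|cmd=bcdedit /set {default} recoveryenabled No",
        # a backup operator merely listing shadow copies: must not be flagged
        "2024-03-01T09:00:00|4688|srv-file01|user=backupsvc|cmd=vssadmin list shadows",
    ]
)

# Assumed indicator set: command lines commonly reported during backup tampering.
BACKUP_TAMPERING = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_storage_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


def parse_events(text):
    """Parse the pipe-delimited records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, host, *fields = line.split("|")
        ev = {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), "host": host}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag (src, host) pairs with >= threshold RDP (logon type 10) failures inside
    `window`, and escalate when a type-10 success from the same source follows."""
    failures = defaultdict(deque)   # (src, host) -> timestamps of recent failures
    burst_seen = {}                 # (src, host) -> time the threshold was crossed
    findings = []
    for ev in events:
        if ev.get("logon_type") != "10":
            continue
        key = (ev["src"], ev["host"])
        if ev["event_id"] == 4625:
            recent = failures[key]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # slide the window
                recent.popleft()
            if len(recent) >= threshold and key not in burst_seen:
                burst_seen[key] = ev["ts"]
                findings.append({"type": "rdp_bruteforce", "src": key[0], "host": key[1],
                                 "failures": len(recent), "ts": ev["ts"]})
        elif ev["event_id"] == 4624 and key in burst_seen:
            if ev["ts"] - burst_seen[key] <= window:   # guessing paid off
                findings.append({"type": "rdp_bruteforce_success", "src": key[0],
                                 "host": key[1], "user": ev.get("user"), "ts": ev["ts"]})
    return findings


def detect_backup_tampering(events):
    """Flag process-creation events whose command line matches a tampering pattern."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        cmd = ev.get("cmd", "")
        for name, pattern in BACKUP_TAMPERING:
            if pattern.search(cmd):
                findings.append({"type": name, "host": ev["host"], "user": ev.get("user"),
                                 "cmd": cmd, "ts": ev["ts"]})
                break
    return findings


def run_detections(text=SAMPLE_EVENTS):
    """Return every finding from both detectors, brute-force findings first."""
    events = parse_events(text)
    return detect_rdp_bruteforce(events) + detect_backup_tampering(events)


if __name__ == "__main__":
    for finding in run_detections():
        details = {k: v for k, v in finding.items() if k not in ("ts", "type")}
        print(finding["ts"].isoformat(), finding["type"], details)
```

On the sample data this yields five findings: the brute-force burst at the tenth failure, the success that follows it, and the three tampering commands; the single mistyped password and the harmless `vssadmin list shadows` produce nothing. The same two rules translate directly into a SIEM query: a count of 4625 logon-type-10 events per source over a short window joined to a subsequent 4624, and a command-line match on 4688 (or Sysmon Event 1) for the shadow-copy and recovery commands, which almost never appear in legitimate administration outside scheduled backup maintenance.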
Notable Ryuk Ransomware Incidents
Tribune Publishing: December 2018. Ryuk disrupted printing and delivery at several major US newspapers whose printing plants were operated by Tribune Publishing. Many print editions, including the Chicago Tribune, Lake County News-Sun and Post-Tribune, went out without classified ads and paid death notices.
Florida cities: According to The Hacker News, two Florida cities paid roughly $1.1 million in Ryuk ransoms in the summer of 2019: Riviera Beach paid about $600,000 and Lake City about $460,000. Riviera Beach was hit especially hard, with essential services such as 911 dispatch and the water utility disrupted.
Emcor: In March 2020, Emcor, a Fortune 500 company specializing in mechanical and electrical construction services, also fell victim to Ryuk and had to shut down parts of its IT infrastructure to respond. Full details of the attack were never made public, but the ransomware notice remained visible on the company's website for nearly three weeks.
Durham, North Carolina: In March 2020, around 1,000 of Durham County's computers were compromised after a county employee opened a phishing email. Because working backups were in place, the county avoided major financial and reputational losses, but restoring systems still took significant time and effort.
Conclusion
Ryuk attacks show that a ransomware operation is much more than running a piece of malware. The intrusion starts with access and then expands across systems; on the surface the activity looks normal, and nothing visibly breaks until encryption begins. By that point the operators already control the systems and tools they need.
That pre-encryption window is where the gap exists. SafeAeon focuses on this stage, while the intrusion is still in progress, to contain ransomware activity before encryption is executed and reduce the overall impact.