Updated: January 08, 2021

Ryuk Ransomware Origins, Attack Methods, and Notorious Victims

Key Takeaways

  • Wizard Spider, the Russia-based group behind Ryuk ransomware, received $460,000 as a ransom from a US city. In total, the group earned more than $150 million in 2021. (Cloudflare)
  • Ryuk is responsible for around 33% of all ransomware attacks in 2020. (Sonicwall Research)

Introduction

Ransomware continues to impact SMBs (small and medium businesses) across multiple industries. Ryuk has affected organizations that have historically faced higher-than-average ransom demands. Therefore, it is important to understand Ryuk ransomware, its origins, and how it operates.

What is Ryuk Ransomware and Its Origin?

Ryuk is a strain of ransomware specifically designed to target large organizations and demand very high ransoms. Its name comes from the anime and manga series “Death Note,” where Ryuk is the Demon of Death. Ryuk is operated by a Russia-based criminal group called “Wizard Spider.” Ryuk was developed from the source code of the ‘Hermes’ ransomware and has been continually updated since to enhance its effectiveness. It first appeared in August 2018, targeting multiple organizations and generating ransom payments estimated at around $600,000. Since its emergence, it has generated millions of dollars in ransom payments.

Ryuk Ransomware Evolution and Operational Characteristics

How Ryuk Gains Initial Access

Ryuk operators commonly gain initial access through RDP compromise, phishing, or stolen credentials. Brute-force attacks against exposed or poorly secured RDP services are a frequent entry point, and stolen RDP credentials are widely available on underground marketplaces at low cost, which makes these attacks easy to execute. Ryuk is typically used in targeted, human-operated attacks.

Ryuk Ransomware Characteristics and Operational Approach

How Ryuk Ransomware Works

Ryuk is typically deployed only after initial access has been established; earlier campaigns relied on malware such as Emotet or TrickBot for that stage. Emotet initiates the infection, spreads across the network, and delivers additional payloads to expand access. It often delivers TrickBot, which steals credentials and enables lateral movement across the network. TrickBot ultimately deploys the Ryuk payload to encrypt systems and cut off access to critical resources. More generally, Ryuk is delivered through TrickBot or similar post-exploitation activity once access is in place.

What Happens Before Encryption

Ryuk ransomware does not begin encrypting data immediately after gaining network access. Attackers spend time moving across systems using valid credentials. They also use built-in tools such as PowerShell, WMI, and administrative utilities for movement and control.

Their objective is to expand access and identify critical systems. They also look for backup systems and try to disable or delete them to prevent recovery. This activity blends into normal operations because it uses legitimate access and expected system behavior.

Since there is no immediate disruption, this stage is difficult to detect. By the time encryption begins, access has already been established across multiple systems.
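As an added example (not SafeAeon's code or any tooling the article describes), the following Python scans constructed process-creation log lines for the pre-encryption behaviour described above, backup tampering and use of built-in remote-control tooling, and escalates an account seen doing it on more than one host. The log format, rule names and the two-host threshold are assumptions made for this illustration.

```python
"""Flag pre-encryption precursor activity in process-creation logs and
correlate it per account. Added example; not SafeAeon's tooling. Log format,
field names, rule names and thresholds are assumptions for this illustration."""
import re
from collections import namedtuple

# Each sample line is constructed: "<timestamp>|<host>|<user>|<parent>|<command line>".
SAMPLE_LOG = r"""2021-01-05T02:14:07Z|FS01|CORP\svc-backup|cmd.exe|vssadmin.exe delete shadows /all /quiet
2021-01-05T02:15:33Z|FS01|CORP\svc-backup|cmd.exe|wbadmin delete catalog -quiet
2021-01-05T02:16:01Z|WS22|CORP\svc-backup|cmd.exe|wmic /node:"DC01" process call create "cmd.exe /c whoami"
2021-01-05T02:16:40Z|DC01|CORP\svc-backup|services.exe|powershell.exe -nop -w hidden -enc QQBBAEEA
2021-01-05T09:00:12Z|WS10|CORP\alice|explorer.exe|notepad.exe C:\Users\alice\notes.txt
2021-01-05T09:01:30Z|WS10|CORP\alice|explorer.exe|powershell.exe -Command Get-ChildItem"""

# Behaviours the article describes: built-in admin tooling used for remote
# control, and attempts to disable or delete backups before encryption starts.
RULES = {
    "backup_tampering": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "remote_wmi_exec": re.compile(r"\bwmic(\.exe)?\s+/node:", re.I),
    "encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|enc|encodedcommand)\s", re.I),
}
Finding = namedtuple("Finding", "ts host user rule cmdline")

def scan(lines):
    """Return one Finding per (log line, rule) match; malformed lines are skipped."""
    findings = []
    for line in lines:
        parts = line.strip().split("|", 4)
        if len(parts) != 5:
            continue
        ts, host, user, _parent, cmd = parts
        for name, rx in RULES.items():
            if rx.search(cmd):
                findings.append(Finding(ts, host, user, name, cmd))
    return findings

def correlate(findings, min_hosts=2):
    """Group findings by account: a single alert on one host is easy to dismiss,
    but one account tripping rules on min_hosts or more hosts is escalated."""
    by_user = {}
    for f in findings:
        entry = by_user.setdefault(f.user, {"hosts": set(), "rules": set()})
        entry["hosts"].add(f.host)
        entry["rules"].add(f.rule)
    return {u: {"hosts": sorted(e["hosts"]), "rules": sorted(e["rules"])}
            for u, e in by_user.items() if len(e["hosts"]) >= min_hosts}
```

Running `correlate(scan(SAMPLE_LOG.splitlines()))` escalates only the service account seen on three hosts, while the analyst's ordinary PowerShell use on a single workstation produces nothing.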


Notable Ryuk Ransomware Incidents

Tribune Publishing: Dec 2018. Ryuk disrupted publishing and delivery at several major US newspapers whose printing centers were operated by Tribune Publishing. Many print editions, like the Chicago Tribune, Lake County News-Sun, and Post-Tribune, were published without classified and death notices.

Riviera Beach and Lake City, Florida: Summer 2019. According to The Hacker News, two cities in Florida paid approximately $1.1 million in ransom in the summer of 2019. Riviera Beach and Lake City each paid $600,000. The city of Riviera Beach was severely affected, disrupting essential services such as 911 and the water supply.

Emcor: In March 2020, a Fortune 500 organization specializing in mechanical and electrical construction services also became a victim of Ryuk ransomware. It had to shut down its IT infrastructure to respond to the attack. Although full details of the attack are not public, the ransomware message remained visible on the company website for nearly three weeks.

Durham, North Carolina: In March 2020, around 1,000 of Durham County's computers were hacked after one of the county's employees clicked on an infected email. With a proper backup system in place, the county avoided major financial and reputational losses, but significant time and effort were required to restore systems.

Conclusion

Ryuk attacks show that ransomware operations are not limited to executing malware. These attacks begin with access and then expand across systems. Activity appears normal on the surface, and there is no visible impact on the environment until encryption begins. By that point, ransomware has already established control over systems and tools.

This is where the gap exists. SafeAeon focuses on this stage where activity is still in progress. This helps limit ransomware activity before it reaches execution, reducing the overall impact.


Frequently Asked Questions About Ryuk Ransomware

Clear answers to common questions security leaders and teams regularly ask.

  • Ryuk is a targeted ransomware strain used in human-operated attacks. This ransomware is deployed once attackers successfully gain access to systems and move across the network. It is deployed just before the encryption stage.
  • Ryuk attacks can begin through compromised RDP access or stolen credentials. Phishing emails are also used in some cases, but attackers usually gain access through existing access paths rather than exploiting new vulnerabilities.
  • After initial access, attackers use valid credentials and built-in tools to move laterally inside a network. In earlier campaigns, attackers have used malware like Emotet and TrickBot to expand their access across systems.
  • Most activity before encryption appears normal. Attackers use legitimate tools and valid access to remain undetected. Since alerts are often not clearly correlated, security teams may not recognize the activity occurring within the environment as malicious. Detection usually happens after the impact has already begun.
  • The risk of Ryuk attacks can be reduced by limiting exposed access points and monitoring identity activity. Teams must be able to identify abnormal behavior early in order to stop activity before it reaches execution.
