

The nightmare called Ryuk

Who’s Ryuk?

Originally it was the name of a fictional character in a famous Japanese manga. Now the name is attached to one of the most vicious ransomware families.

It first appeared in August 2018 and made headlines when it shut down all Tribune Publishing newspapers during the Christmas 2018 holiday. At first the incident was thought to be a server outage, but it soon became clear that it was a malware attack. The virus had been moving through the system for 14 months before the encryption began.

Huge ransom demanded

A recent update from the FBI revealed that more than 100 organizations around the world have been hit by Ryuk attacks since August 2018. The victims come from various industries, the most common being logistics and technology companies, as well as small municipalities. In 2019, Ryuk attacked Lake City and Riviera Beach City, in Florida, reaping a $1 million ransom. In Indiana it hit 7% of local government laptops, with the ransom reaching $130,000 in BTC. Also in 2019 it hit a Milwaukee-based cloud computing company, affecting more than 80,000 computers and servers. Ryuk infected the company’s Office 365 accounts and the Ryuk operators demanded a $14 million ransom.

The attackers were able to claim these huge sums because of a unique feature of the Ryuk code:

The ability to encrypt network and source drives and, at the same time, delete the end user’s shadow copies. This lets it disable the Windows Restore option, making it impossible for users to recover from such an attack unless they keep external backups.

Who’s behind Ryuk?

More generally, researchers believe that Ryuk is based on the Hermes source code and is constantly being evolved by its creators. Techniques change constantly, and tools are added or removed.

The group running it is the same one that hit entire banking systems via TrickBot: the Russian-sourced WIZARD SPIDER cybercrime group, which appears to be behind Ryuk. WIZARD SPIDER follows the method known as “big game hunting”. It always targets large companies and organizations. Its operators do not bother targeting many individual computers or small businesses and asking for a plethora of low ransoms; they prefer large organizations and companies, extracting high amounts in the form of ransoms. That is why the amounts requested are ten times the average.

In particular, WIZARD SPIDER takes into account the size and organisational value of the company in order to set the ransom demanded. The lowest ransoms requested were 1.7 BTC and the highest 99 BTC. Ryuk’s operators have received about 705.80 BTC, with a current value of $3.7 million.

This data was obtained from 52 transactions across 37 BTC addresses. Specifically, in the first two months of its presence Ryuk hit at least three organizations, taking $640,000 in ransom. Attacks with much higher ransoms followed.

What’s Ryuk’s profile?

Name: RYUK Virus / RYUK Ransomware / Cryptor 2.0 Ransomware
Danger level: Very High. Advanced ransomware which makes system changes and encrypts files
Release date: August 2018
OS affected: Microsoft Windows
Appended file extension: .ryk
Ransom note: RyukReadMe.txt, ReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE.txt or RyukReadMe.html
Contact email addresses: MelisaPeterman@protonmail.com, MelisaPeterman@tutanota.com, CamdenScott@protonmail.com, eliasmarco@tutanota.com, gatiseri1988@protonmail.com

How does Ryuk infect?

The scary thing is that Ryuk may go unnoticed for weeks or even months. Long before they attack, its operators try to gather as much information as possible, so that the impact of the attack on operations is even greater.

What is often observed is that Ryuk is spread across the whole network, prioritizing high-value targets such as databases and web servers. The attackers adapt the attack to the architecture of the victim’s system and the level of access they have obtained.

The virus identifies the shared folders and deletes the Volume Shadow Copies. This means the attackers effectively disable the Windows System Restore option. Ryuk will occasionally use the Windows Management Instrumentation command-line interpreter (wmic.exe) to delete all shadow copies.

Perhaps one of the most notable aspects of Ryuk, as well as of its two partners in crime, is the abuse of basic Windows processes. It terminates the processes and stops the services contained in a predefined list. These processes and services are mainly antivirus tools, databases, backup software and similar applications.

Ryuk adds the following registry key so that it runs at each logon. It uses the following command to create the key:

    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\{random-5 char}.exe" /f

After the encryption is complete, two files are created. One is stored in the clear and contains an RSA public key, while the second, “UNIQUE_ID_DO_NOT_REMOVE”, holds a unique hard-coded key.

Finally, Ryuk finishes by displaying a ransom note in Internet Explorer that usually instructs the victim not to turn off their computer.

The triple threat method

Essentially, Ryuk acts as a secondary payload through the Emotet and TrickBot botnets.

The first stage of the attack begins with a Microsoft Office document attached to a phishing email. Once the user opens it, the malicious macro will run “cmd” and execute a “PowerShell” command. This command tries to download Emotet.

Once Emotet runs, it retrieves and executes another malicious payload, usually TrickBot, and collects information about the affected systems. TrickBot is downloaded and run by contacting a preconfigured remote malicious host.

Once the system is infected with TrickBot, the threat actors check whether it is part of a targeted domain. If so, they download an additional malicious payload and use the administrative credentials stolen by TrickBot to move laterally to the assets they wish to infect.

The threat actors then check and establish a connection to the target’s live servers through the Remote Desktop Protocol (RDP). That is where they drop Ryuk.

There was a time when Ryuk ransomware managed to wreak havoc on otherwise healthy systems. In fact, it is a multi-stage attack that relies on the malicious Emotet and TrickBot.

Its variants land on systems already infected with other malware. That is why we speak of the “triple threat” method.

Encrypted files display the extension .ryk

Ryuk uses a combination of symmetric (through the use of AES) and asymmetric (through the use of RSA) encryption to encode files.

A private key, which only the attacker can offer, is necessary for proper file decryption.

Encrypted files will have the .ryk extension appended to their file names. For example, an encrypted PDF and an encrypted MP4 file will appear as sample.pdf.ryk and sample.mp4.ryk.

While Ryuk encrypts files on infected systems, it skips files with the extensions .exe, .dll and .hrmlog (a file type associated with Hermes). Ryuk also avoids encrypting files in the following folders:

  • AhnLab
  • Chrome
  • Microsoft
  • Mozilla
  • Recycle.bin
  • Windows

Note for ransom

Ryuk drops the ransom note, RyukReadMe.html or RyukReadMe.txt, into each folder where it has encrypted files. The HTML file contains two private email addresses that victims can use to communicate with attackers. The victim will use these addresses either to find out the amount of ransom demanded to access the encrypted files or to start the negotiation process.

The TXT ransom note, on the other hand, contains (1) clear instructions that the reader is expected to follow, (2) two private email addresses that can be contacted and (3) a Bitcoin wallet address. Although the email addresses may vary, note that all the accounts are hosted at Protonmail or Tutanota.

In some cases, Ryuk’s operators have removed the Bitcoin address from the ransom note, informing the victim that it will be provided once contact by email takes place.

There are two categories of ransom notes: one relatively polite, similar to BitPaymer’s (because of specific expressions it contains), and one that is not.

Ransom Note Structure

The body of the note template is static, with the exception of the email addresses and the Bitcoin (BTC) wallet address, which can be changed. The email addresses, as mentioned above, usually consist of one protonmail.com and one tutanota.com account.

The most recent notes have removed the BTC wallet address and contain a PDB path: C:\Users\Admin\Documents\Visual Studio 2015\Projects\ConsoleApplication54new crypted try to clean\x64\Release\ConsoleApplication54.pdb.

How do I understand that I’m infected by Ryuk?

Some signs that indicate you are infected with the virus are:

  • Many messages and notes tell you that your data has been encrypted
  • Your file extensions change to .ryk
  • You may see changes to the wallpaper
  • CPU usage is at 100% although you may only be using a few applications
  • Your operating system is running very slowly
  • The hard disk or network drives show continuous activity
  • The antivirus does not seem to work

Prevention against Ryuk

Falling victim to a Ryuk attack is extremely costly. However, in some cases, even paying the ransom is not enough to regain a company’s access to sensitive or valuable data. For this reason, it is much better to try to prevent a ransomware attack instead of reacting to it.

If Ryuk can be detected before encryption starts, the incident can be mitigated at minimal cost to the organization. The primary goal is to protect yourself from Emotet and TrickBot, which is why understanding how Ryuk behaves matters. If you can isolate these two, you might avoid Ryuk.

Companies and organizations should also regularly train employees to identify potential phishing emails that contain malware attachments. They must invest in malware and antivirus software to detect and prevent threats.

Above all, it is important to follow the 3-2-1 backup strategy:

  1. Store at least three copies of data.
  2. Save two copies to different media.
  3. Keep a copy off site and offline.

Detection tips

A Ryuk attack can be devastating even for well-prepared organisations. Restoring files from backups or purchasing the decryption key can recover the files.

The best defense is having a detection plan and a level of automation that prevents malware from sneaking into the sensitive infrastructure.

Security teams should look for the following:

  • Statistically rare or new binaries that establish persistence
  • Changes to the security services. More specifically, Ryuk uses the Microsoft net command tool (net.exe) to stop the Security Accounts Manager service (samss)
  • Binary executions from the public user profile (e.g. C:\Users\Public\Ryuk.exe)
  • Excessive permissions granted at the root of network-connected drives via the Windows integrity control ACL tool (icacls.exe)
  • Deletion of shadow copies through the Windows Management Instrumentation command line (wmic.exe) or the Volume Shadow Copy Service administration tool (vssadmin.exe)
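As an added illustration that is not part of the original article, the following Python check turns the indicators listed above, together with the Run-key persistence command shown earlier, into simple rules and runs them over constructed process command lines. The sample events, rule names and regular expressions are assumptions made for this example, not detection content from any vendor.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first six mimic the behaviours described in the article; the last is benign.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\net.exe stop samss /y',
    r'C:\Users\Public\abcde.exe',
    r'C:\Windows\System32\icacls.exe \\fileserver\share /grant Everyone:F /T',
    r'C:\Windows\System32\wbem\wmic.exe shadowcopy delete',
    r'C:\Windows\System32\vssadmin.exe delete shadows /all /quiet',
    r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft'
    r'\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Public\qwert.exe" /f',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe" -profile default',
]

# Each rule is (name, pattern). Patterns are case-insensitive because Windows paths are.
RULES = [
    # net.exe / net1.exe stopping the Security Accounts Manager service
    ("net_stop_samss", re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+samss\b', re.I)),
    # image launched directly from the public user profile
    ("exec_from_public_profile", re.compile(r'^"?[a-z]:\\users\\public\\[^\\"\s]+\.exe', re.I)),
    # icacls granting rights on a drive root or on the root of a UNC share
    ("icacls_grant_at_root", re.compile(
        r'\bicacls(?:\.exe)?\s+"?(?:[a-z]:\\?|\\\\[^\\\s"]+\\[^\\\s"]+)"?\s+/grant', re.I)),
    # shadow-copy deletion via wmic or vssadmin
    ("shadow_copy_deletion", re.compile(
        r'wmic(?:\.exe)?\s+shadowcopy\s+delete|vssadmin(?:\.exe)?\s+delete\s+shadows', re.I)),
    # Run-key persistence pointing at a binary under C:\Users\Public
    ("run_key_persistence_public", re.compile(
        r'reg\s+add\s+"?hk(?:ey_current_user|cu)\\software\\microsoft\\windows'
        r'\\currentversion\\run"?.*\\users\\public\\', re.I)),
]


def match_rules(cmdline: str) -> list:
    """Return the names of every rule the given command line triggers."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events) -> dict:
    """Map each suspicious command line to its triggered rules; benign lines are dropped."""
    result = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            result[event] = hits
    return result


if __name__ == "__main__":
    for event, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", event)
```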

What can you do if you are a Ryuk victim?

If you are eventually hit by Ryuk, you only have three options: lose your data completely, pay the ransom, or restore the corrupted files from backups. Payment, however, can be just a waste of money, as the attackers may not give you the decryption key. Restoring encrypted files from a backup is the only reliable solution. Indeed, if you store your data safely, you can be sure of recovering it in the event of an attack.

Backup has really proven effective against Ryuk: The Louisiana Office of Technology Services avoided paying the ransom in this way. However, retrieving files from a backup takes some time. This means that your business is losing money.

That’s why the best way to protect data is a combination of backup retention and a detection system.

Additional protection advice for Ryuk

  • To protect your business, you can turn off Remote Desktop on every computer on your network. Where you cannot remove RDP, replace it with a secure third-party version that provides two-factor authentication.
  • Every change to your network devices should require two-factor authentication. It is very important to enforce a password management policy on your network.
  • In any case, employees should not click unverified links in spam messages or on unknown websites. E-mail attachments from unknown senders should never be opened. It is also essential not to download any software or media files from unknown websites.
  • Do not provide personal information if you receive a call or e-mail message from an untrusted source.
  • Use an e-mail server content-scanning tool to screen unverified e-mail messages and attachments.
  • Do not use unknown USB devices.
  • Always keep your system and antivirus software up to date.
  • When using Wi-Fi, use a VPN.