
What is Ryuk Ransomware?

October 20, 2021

The modern world increasingly relies on the sharing of sensitive data to operate, and the security of that data is paramount to a functional society. Unfortunately, as with many digital interactions, there’s a group that’s trying to take advantage of its weaknesses: ransomware attackers. These attackers threaten to disrupt the systems we rely on so heavily, thus undermining security efforts and leaving the public distrustful of organizations that process our data.

While ransomware has been around for a couple of decades, the tools, objectives, and groups associated with it have evolved substantially in the past few years. Ransomware attacks have become the bane of modern cybersecurity, and few are as insidious as Ryuk, a malware family that has hit governments and businesses globally.

Read on to learn the history, methods, and notable attacks involving Ryuk ransomware, including how you can keep your own or someone else's valuable data out of its clutches.

So, What is Ryuk?

Ryuk is malicious software designed to carry out ransomware attacks: an attacker breaks into a computer system, steals or encrypts data, and demands a ransom for its return. Ryuk ransomware is used primarily by a criminal collective known as the Ryuk gang or Ryuk criminal group, tracked under various aliases including Wizard Spider and Grim Spider.

In addition to its creators, the Ryuk software and techniques may also be used by one or more other criminal groups. Ryuk operators have carried out some of the most sophisticated and damaging ransomware attacks of recent years, specifically targeting high-profile organizations and demanding excessively large payouts.[1]

A Brief History of Ryuk Ransomware

Ryuk is appropriately named after a demon character from the Japanese manga series Death Note. In the series, Ryuk is known for introducing death and havoc to the world as a result of his boredom.[2] Ryuk ransomware was first spotted in August 2018 and was found to be a variant of the earlier Hermes ransomware. Initially thought to be of North Korean origin, it is now believed by cybersecurity firms to have been created by a Russian criminal cartel.[3]

After a successful attack on Tribune Publishing's systems that disrupted the printing of the Los Angeles Times and other major U.S. newspapers, the FBI officially identified Ryuk as a serious threat. Throughout 2019 and 2020, several more high-profile attacks were carried out on hospitals, schools, and public services in the U.S., UK, and Germany.[4]

Notable Ryuk Attacks

The most significant example of ongoing Ryuk activity is the infiltration of at least 235 general hospitals and inpatient psychiatric facilities across the U.S. since 2018. These ruthless attacks have cost victims upward of $100 million, with pleas and negotiations falling on deaf ears.[5]

In February 2020, the Fortune 500 company EMCOR Group was hit by a Ryuk attack, forcing the company to shut down servers and halt operations. Although IT staff believe they contained the attack before any data was stolen or encrypted, the disruption alone would have cost the company hundreds of thousands of dollars.[6]

Around the same time, a Department of Defense (DoD) contractor, Electronic Warfare Associates (EWA), was hit by a more successful attack. In this instance, files were encrypted and ransom notes were left before the firm managed to take down the impacted servers. It's unclear whether any data was compromised, but at the time an EWA spokesman said the company had no intention of paying the ransom.[7]

Several more Ryuk-related ransomware incidents occurred throughout 2020, with October suffering the highest rate of attacks.[8] Most recently, Ryuk attackers exploited a flaw in Microsoft's MSHTML component to create malicious Microsoft Office documents. The exploit, since patched by Microsoft, used ActiveX controls hidden in Office documents to install malware and gain access to systems.[9]

What Makes Ryuk Ransomware So Effective?

Ryuk attacks have become one of the most feared ransomware threats of our time, due to both the capability of the malware and the ruthlessness of its operators. It is commonly used in conjunction with TrickBot, a phishing tool that Ryuk attackers use to surreptitiously gain access to a network.[1]

Researchers have found that attackers take, on average, less than two hours to move from an initial foothold to breaking out across a network. After that point, it becomes increasingly difficult to stop the attack and limit further damage.[10] Once inside, the operators use frameworks such as Cobalt Strike and PowerShell to avoid detection while moving deeper into the network. Other tools like LaZagne can be used to steal credentials and gain access to domain controllers, giving the attackers control over the entire environment.[1]

Unlike other well-known ransomware families such as WannaCry and NotPetya, Ryuk is particularly dangerous because of how hard it is to detect. Ryuk intruders can often spend weeks or even months doing reconnaissance inside a network while remaining undetected, allowing them to collect troves of data and embed further malware into the systems they reach.[11]

How to Protect Your Business from a Ryuk Attack

In almost all cases, Ryuk requires a user to inadvertently run the malware via a link, attachment, or hidden code in an email or file. For this reason, security staff should protect their organizations from Ryuk by training employees to remain vigilant at all times.

Here are some tips to stay safe:[12]

  • Don't trust, verify – Teach staff to always double-check the details of an email, even if it appears to come from within the organization. If anything seems remotely suspicious, they should ask the IT department to verify the email's authenticity.
  • Use strict access controls – IT teams should ensure that all systems are locked down and access is granted only when and where it is absolutely necessary.
  • Keep multiple backups – Ensure sensitive data is backed up to several different locations in more than one format, with at least one backup kept off-site and offline.
  • Apply regular updates and patches – All systems must have the most recent updates and patches. It takes only one network-connected device missing a patch for the entire environment to be put at risk.
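As an added example (not code from the original post), the Python script below shows the kind of attachment triage check a security team can put behind the "don't trust, verify" tip: it opens an Office Open XML package (.docx, .xlsx, .pptx) and reports any ActiveX control, OLE embedding or VBA project parts, the sort of embedded active content the post describes in the MSHTML Office-document lures. The sample documents are constructed in memory; the part-name prefixes are the standard OOXML package locations for that content.

```python
"""Attachment triage: flag Office Open XML files that carry active content.

This only reports the presence of ActiveX, OLE embedding or VBA parts so the
file can be quarantined for analysis; it does not parse the parts themselves.
"""
import io
import zipfile
from typing import Optional

# Standard OOXML package locations for embedded active content.
ACTIVE_CONTENT_PREFIXES = (
    "word/activeX/", "xl/activeX/", "ppt/activeX/",              # ActiveX controls
    "word/embeddings/", "xl/embeddings/", "ppt/embeddings/",     # OLE objects
    "word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin",  # VBA macros
)


def find_active_content(data: bytes) -> Optional[list[str]]:
    """Return sorted names of active-content parts in an OOXML package.

    Returns None when the input is not a zip container (legacy binary .doc,
    or not an Office file at all): callers must treat None as 'not inspected',
    never as 'clean'.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
    except zipfile.BadZipFile:
        return None
    return sorted(n for n in names if n.startswith(ACTIVE_CONTENT_PREFIXES))


def build_sample_docx(with_activex: bool) -> bytes:
    """Build a minimal synthetic .docx in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_activex:
            pkg.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
            pkg.writestr("word/activeX/activeX1.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("benign", build_sample_docx(False)), ("lure", build_sample_docx(True)))
    for label, doc in samples:
        hits = find_active_content(doc)
        verdict = "QUARANTINE: " + ", ".join(hits) if hits else "no active content parts"
        print(f"{label}: {verdict}")
```

A result of None means the file was not an OOXML package and needs a different inspection path rather than a pass.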

Gain the Skills to Guard Our Online Future

If you think you have what it takes to help ward off ransomware attackers, consider an Online Master of Science in Cybersecurity from the Katz School of Science and Health. You'll learn the latest ethical hacking tools, study under renowned security experts, and qualify for critical industry certifications. With the technical skills to excel and the interpersonal skills to lead, you'll be ready to step into a leadership role in a rapidly growing and evolving field.

  1. Retrieved on October 4, 2021, from csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html
  2. Retrieved on October 4, 2021, from deathnote.fandom.com/wiki/Ryuk
  3. Retrieved on October 4, 2021, from forbes.com/sites/thomasbrewster/2019/02/20/mistaken-for-north-koreans-the-ryuk-ransomware-hackers-are-making-millions/
  4. Retrieved on October 4, 2021, from trendmicro.com/en_us/what-is/ransomware/ryuk-ransomware.html
  5. Retrieved on October 4, 2021, from beckershospitalreview.com/cybersecurity/meet-the-ransomware-gang-behind-235-attacks-on-us-hospitals-7-things-to-know.html
  6. Retrieved on October 4, 2021, from cybersecurity-insiders.com/ryuk-ransomware-attack-on-emcor-group/
  7. Retrieved on October 4, 2021, from zdnet.com/article/dod-contractor-suffers-ransomware-infection/
  8. Retrieved on October 4, 2021, from blackfog.com/the-state-of-ransomware-in-2020/
  9. Retrieved on October 4, 2021, from threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/
  10. Retrieved on October 4, 2021, from crowdstrike.com/cybersecurity-101/lateral-movement/
  11. Retrieved on October 4, 2021, from acronis.com/en-gb/articles/ransomware-attacks/
  12. Retrieved on October 4, 2021, from phishinsight.trendmicro.com/?v2