The Ryuk Ransomware

Ryuk Ransomware

Ryuk ransomware is a malicious malware that specifically targets enterprise environments for a large bitcoin payment. GRIM SPIDER was the group behind the ransomware, targeting medium to large corporations since August 2018. According to LIFARS incident responders, the average ransom demand can range from 1 million to 8 million dollars. Ryuk ransomware attacks target large corporations for monetary gain in the form of bitcoin as payment. Bitcoin is a payment strategy for ransom demands since it cannot be traced or relegated. This helps the attackers stay anonymous.  

Attack vectors initiate either through Remote Desktop Protocol (RDP) or phishing emails. RDP is when an individual accesses the company’s network from a remote location. Phishing is when an individual receives a fake email from the hacker, which allows the hacker to steal the recipient’s data and information. RDP is a target vector because most organizations do not secure their ports. Phishing emails are also targeted because of the trust users place in the credibility of emails.  

Sequence of attack:

  1. To gain initial access, the attacker can either go through the RDP or implement phishing tactics. 
  2. Once accessed, the attacker uses Trickbot, Mimikatze and other software to acquire credentials of employees higher up in the company.  
  3. This allows attackers to survey the network and locate valuable information for a large ransom. That is because the targeted information is needed for the company to function. 
  4. Then, the attackers use PsExec to add a batch script to all targeted machines. Following this, PsExec is used to copy the Ryuk binary onto the Root directory of the targeted machines. Thus, creating a new service to launch the Ryuk binary and start the attack. 
  5. This starts the process for Ryuk to encrypt files on infected machines, which then displays the ransom note from the attacker. 

Image Credits: MalwareBytes Labs

In response to the high frequency of Ryuk ransomware attacks, a decryptor tool was created, called Ryuk Ransomware Decryptor. LIFARS has gained control over the decryptor. The Ryuk Ransomware Decryptor is used in response to incidents where a computer is encrypted by Ryuk Ransomware. This allows victims to use the decryptor tool instead paying the attacker to decrypt the targeted information. LIFARS has responded to Ryuk Ransomware incidents, where LIFARS was able to use the Ryuk Ransomware Decryptor tool to decrypt and recover the data for the client.


Contact LIFARS if your organization was hit with a Ransomware attack.

Watch How RYUK Ransomware Takes Control Over Computer Files in a Matter of Seconds: