What is The Ryuk Ransomware

What is The Ryuk Ransomware

Ransomware is a malware attack which takes over a user’s computer and threatens harm, if a payment is not made. Usually, the attackers withhold important files, data, and access to systems. The attacker then demands that a ransom be paid for the user to obtain access again. However, many times even when a payment is made, the malware remains on the computer. There are many variations of ransomware attacking users today. One such version is the Ryuk Ransomware, which made its debut last year.

What is Ryuk Ransomware?

The Ryuk ransomware has been a nuisance since August 2018 targeting medium to large sized organizations. Ryuk specifically targets enterprise environments and can infect multiple computers at once. Further, organizations using RDP are at higher risk of being targeted by the Ryuk ransomware.

The ransomware has affected major newspapers like the Wall Street Journal, the New York Times, and the Capital Gazette. First hitting just three organizations during the first months of its debut, Ryuk has become widespread in 2019.

Ransom Demands

During the first few months of its debut, attackers made 705.80 BTC or $3,701,89.98 USD. The highest payment costs were in February 2019, when attackers demanded an average of $311,919 USD. Most demands are an average between $500 and $1500. Ryuk demands a higher ransom than average malware in today’s market because it specifically aims to attack certain organizations and their critical assets. Any mid to large sized organization that has the capacity to pay the large sums is at risk.

Attack Vectors

Most Ryuk attacks are penetrated using phishing tactics and Remote Desktop Protocol (RDP) access. RDP is used by employees or third parties to access systems remotely. The ransomware take advantage of inadequately configurated RDP ports. Attackers are able to either brute force RDP sessions or buy RDP credentials on the dark web to get in for as little as $3.

Attackers can also use phishing emails to coerce victims into clicking and downloading exploit kits in the background. Trickbot and Emotet exploit kits are commonly used in these attackers to gain greater access to the network. For every attack, ransomware distributed change their email. Distributors, most often use Gmail and AOL email services or encrypted email services like ProtonMail and Tutanoto.

How Does Ryuk Ransomware Encrypt the System?

When the Ryuk Ransomware attacks the system, it encrypts nearly all the stored data, making it unavailable to users. Encryption is done using RSA-4096 and AES-256 encryption algorithms. Additionally, a three-tier trust encryption model is used to encrypt files. In the first tier, the private key is held by the attacker. This key is needed to decrypt the files and is held until the ransom is paid. In the second tier, a unique keypair is generated for the victim; the Ryuk ransomware comes with the keypair pre-installed. In the third tier, each file is encrypted with a AES symmetric encryption key using the Win32API function CryptGenKey.

Once files are encrypted, they are given the ‘.ryk’ or ‘.rcrypted’ extension. However, there is one version of Ryuk which does not rename any extensions to encrypted files. Instead, a text file is created, ‘RyukReadMe.txt’ and placed in every folder. This text files contains the ransom message, which is quite lengthy. The message explains the events that have taken place and tries to intimidate the victim by telling them to call the IT team. The message further states that there is no decryption method and that usual methods of recovery will not work. Additionally, the note states that the only decryption method is a payment that should be paid.


To restore data encrypted in a Ryuk ransomware attack, unique keys are needed to decrypt the files. Although, it may seem like paying the ransom outweighs the value of the data being held ransom, it is not recommended. Most times, Ransomware developers will not decrypt files when they have been paid. Instead, they can ask for greater sums of money. Therefore, it is critical that the ransom is not paid.

First, it is important to identify what type of malware your organization has been attacked with. In most cases, the Ryuk ransomware will install a text file in every folder with the ransom message. At the end of the message, the ransomware developers identify what type of ransomware has attacked the organization. Further, all encrypted files will have the ‘.ryk’ extension.

Once the ransomware has been identified, that ransom should not be paid. It is important to note, that free decryption tools and commercial software for the Ryuk ransomware do not exist at this time. Any machine that has been encrypted should be reformatted to ensure the ransomware and any other malware executable is removed from the machine. Backups of files should be used to restore data.


For further information and assistance on removing Ryuk ransomware contact LIFARS today.

Watch How RYUK Ransomware Takes Control Over Computer Files in a Matter of Seconds: