Industry News

What is the Ryuk ransomware?

What is the Ryuk ransomware? A stylised cybersecurity image is presented

The Ryuk ransomware isn’t exactly new – it has been plaguing enterprise systems around the world since at least August 2018. However, considering how many businesses have been forced to digitalise their workflows due to the COVID-19 pandemic, Ryuk is more dangerous than ever.

Below, we will provide you with an overview of the Ryuk ransomware to let you know why it is such a vicious threat.

What Is The Ryuk Ransomware?

So what is the Ryuk ransomware?

As ransomware, Ryuk operates in a similar fashion to other ransomware families (e.g. REvil aka Sodinokibi) – it encrypts sensitive data, denying access to it until a ransom is paid. However, what sets the Ryuk ransomware apart is that it appears to primarily target cybersystems belonging to large enterprises.

The authors of Ryuk are extremely selective as to when and where the ransomware should be engaged. This is most likely done in order to identify high-profile targets that would be able to satisfy the hacker group’s exorbitant monetary demands.

How Does Ryuk Infect IT Systems?

Most commonly, Ryuk infiltrates computer systems via spam emails. The emails are sent from a spoofed address (that is, an email address that has been forged not to raise suspicion) and typically contain an infected Microsoft Office document or a link to such document.

When the malicious document is opened, the banking Trojan Emotet is downloaded onto the compromised machine. Emotet had been originally designed to steal sensitive banking information, but it has been improved to be able to perform spam and malware delivery.

Emotet then typically downloads and executes TrickBot – spyware that collects admin credentials to propagate to critical network assets. Ultimately, the attackers trigger Ryuk on these compromised assets.

However, infection by Emotet or TrickBot won’t necessarily lead to a Ryuk attack. The detection rate of Ryuk is substantially lower than that of Emotet or TrickBot. This most likely means that Ryuk infections aren’t a default mode of operation for Emotet or TrickBot.

Instead, as far as Ryuk is concerned, Emotet and TrickBot most likely perform reconnaissance and network mapping on infected systems.

Then, if the information on an enterprise’s IT system is deemed critical enough to incline the company to pay a large ransom in the event of a breach, the authors trigger the Ryuk ransomware.

Such an approach has led to a rather low Ryuk infection rate, hence the typically larger ransom demands.

Who Is Behind Ryuk?

It is unknown who has developed Ryuk – however, this ransomware shares many characteristics with Hermes, another ransomware family.

Ryuk and Hermes feature several chunks of identical code. Aside from that, Ryuk code has been discovered to refer to Hermes.

More specifically, Ryuk looks for the Hermes marker in files upon its launch. This likely means that Ryuk attempts to determine whether a file or system has been already compromised.

Additionally, both Ryuk and Hermes whitelist certain folder names, such as “Ahnlab”, which is the name of a South Korean security software solution.

Hermes was attributed to Lazarus – a group associated with suspected North Korean nation-state operations. The similarities between Hermes and Ryuk naturally led experts to believe that Ryuk had also originated from North Korea.

However, some experts suggest that the hackers behind Ryuk are spread across at least two cybercriminal organisations stationed in Russia and former Soviet states.

Why You Should Be Worried About The Ryuk Ransomware

The Ryuk ransomware poses a range of threats for organisations. Most remarkably:

  • Ryuk authors do not appear to target individual consumers and are instead focused on enterprises.
  • Ryuk is typically triggered in computer systems that are considered high-value by the attackers. This means that if your company is compromised, the hacker group may demand an astronomical ransom sum.
  • Ryuk is capable of identifying and encrypting network drives and deleting shadow copies stored on the endpoint. This may considerably complicate data recovery or even make it impossible, depending on your backup programme.
  • Ryuk can disable the System Restore function on Windows, preventing recovery without external backups.
  • If Emotet or TrickBot are not detected early, they may be able to better map your system. This could result in a more widespread attack and thus more massive data losses.

Who Has Been Affected By Ryuk?

Although Ryuk hasn’t been terribly active since its appearance, it has stripped a number of organisations of millions of dollars over the course of about 2 years. Here are some of the most prominent victims of the Ryuk ransomware:

  • Universal Health Services (UHS) hospitals, September 2020. Several UHS hospitals across the United States were attacked by Ryuk in September 2020. UHS did not find evidence of any data leaks.
  • Sopra Steria, October 20, 2020. AlthoughFrench-based IT outsourcer Sopra Steria was reportedly able to contain the ransomware and prevent data theft, financial losses due to this attack were estimated to be between €40 and €50 million.
  • Baltimore County school, November 2020. An extensive Ryuk attack disrupted online classes at Baltimore County School for several weeks. School officials haven’t said whether any data was stolen.

Within just two weeks after the ransomware’s emergence, the Ryuk group had made 640,000 USD in bitcoin. As of January 2021, the ransom payments earned by the hackers were estimated to be over 150 million USD.

How To Protect Your Organisation Against Ryuk?

Prevention is the best cure against Ryuk. Even if you do not pay the ransom (which would be the right course of action), delays caused by system recovery procedures could cost you millions, as shown by the example of Sopra Steria.

Among some of the things you may do to increase your defenses and mitigate against the consequences of an attack are:

  • Use up-to-date anti-malware software.
  • Ensure that your employees have strong credentials and multi-factor authentication.
  • Segment your enterprise network. In the event of a Ryuk attack, this would allow you to limit the spread of the malware and minimise its harm.
  • Back up critical data.

When it comes to data backups, we recommend that you maintain separate copies of data that span at least 2 weeks. Additionally, back up your data offline once a month.

As with all ransomware, we advise to never pay a ransom – you are dealing with unscrupulous thieves and there is no guarantee that you will see your files again, even if you do pay. In the event that you are affected, contact Computer One in the first instance.


Our Address


1300 667 871 or +61 7 3220 0352

Brisbane Office

Level 5, 488 Queen Street, Brisbane, QLD 4000

Sydney Office

Level 21, 133 Castlereigh Street, Sydney, NSW 2000

Melbourne Office

Level 28, 303 Collins Street, Melbourne, VIC 3000

Our Services

Industry Expertise