What is Ryuk Ransomware and How Does it Work?

Ryuk is a type of ransomware that encrypts files on an infected system, with ransom typically demanded in bitcoin or other types of cryptocurrency. Ryuk has targeted many large organizations using Microsoft Windows and related systems.

First spotted in August 2018, it was initially thought to be a group that operates out of North Korea, but now is believed to have been developed by Russian hackers. With rising ransomware and phishing attacks becoming significant threats, 66% of SMBs report that they are concerned or extremely concerned — as we all should be.

What is unique about Ryuk ransomware?

Ryuk is unique in that it is, as Microsoft defines it, a human-operated ransomware attack. The attackers use highly sophisticated targeting and stealth tactics to ensure a high rate of success.

Being human-operated means that attackers execute multi-level attacks against company networks. It starts with carefully selecting targets rather than adopting an automated, “spray and pray” approach, and requires both broad and specific knowledge of target infrastructure in order to succeed.

It then relies on tools such as Mimikatz to steal user credentials, after which the likes of PowerShell Empire are leveraged to perform reconnaissance and move laterally across the environment, finally perpetrating privilege escalation through Domain Administrator. This isn’t a quick in-and-out. This is a prolonged, ongoing attack that has real people active inside the network, gathering data.

The attackers generally choose their targets carefully, going for large organizations rather than individuals. This has not only launched the Ryuk ransomware into the headlines but also netted the operators of the ransomware millions of dollars in ransom payments.

Famous Ryuk attacks in the news

Ryuk attack victims reportedly include large organizations, local governments, hospitals, and more. For example:

  • The Department of Social Services
  • Tribune Publishing including the Los Angeles Times, Chicago Tribune, Wall Street Journal, and the New York Times
  • Boston’s Committee for Public Counsel Services
  • Jackson County, Georgia, (paid a $400,000 ransom)
  • Riviera Beach, Florida (paid $594,000 ransom)
  • LaPorte County, Indiana (paid $130,000 ransom)

How is Ryuk delivered?

Like many other strains, Ryuk ransomware attacks are primarily delivered via a phishing email. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Ryuk is spread by “phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware.

In a nutshell, a user would receive a phishing email that looks legitimate at first glance. Attached to the email is a compromised Microsoft Office document. This document might be called “Quarterly Results”, or something similarly innocuous. However, upon opening the document, attackers use the macro function to begin executing code. Once this process is started, attackers use a toolbox of products to move laterally within the organization and gain ever higher access privileges.

Ryuk was identified over two years ago. Why does it still wreak havoc?

Ransomware attacks change constantly. Attackers are leveraging automation to mutate common threat variants, resulting in a massive increase in previously unseen first-time threats.

This is a popular technique allowing attackers to bypass most security solutions – which typically misidentify variants of existing threats even if the original threats already have their signatures registered. This weakness allows attackers to continue to target organizations, bypass their existing security solutions, and deploy their payload on the victim’s network.

The old Ryuk vs. the new Ryuk

In January 2021, a new Ryuk variant was identified. New variants emerge all the time, but this one had an enormous impact since it has worm-like capabilities allowing it to automatically spread laterally within the infected networks. Previous versions of Ryuk could not automatically move laterally through a network and required a dropper and then manual movement. The new version entails a computer worm spreading copies of itself from device to device without any human intervention required.

How to protect against the next Ryuk variant – even before you know it’s out there

As we’ve noted previously, Ryuk, like other common ransomware instances, is primarily deployed using a phishing or spear-phishing email. Phishing is tricky and even the most experienced cyber experts aren’t always able to detect it. Therefore, in addition to educating employees on how to avoid phishing threats, the best defense against such an attack for yourself and your clients is to ensure that you use advanced protection for email and other collaboration tools, one that covers phishing as well as malware. When selecting a protection solution, use one that uses an attack-agnostic detection mechanism so it will protect from unknown Ryuk variants as they emerge.

In addition, since Ryuk looks for the weakest link in the chain, it’s highly recommended to constantly scan your network and systems for security vulnerabilities and patch those as soon as they are detected. If you don’t have the expertise to do that yourself, that is something we do for our clients.

What is the ransom demand in Ryuk attacks?

Ransom amounts vary, but there have been records of Ryuk attacks demanding ransoms in the millions of dollars. Remember, paying the ransom is not the solution to escaping a ransomware attack. Doing business with these criminals may be illegal, and the encryption key they provide to unlock your data may not work.

How to detect and stop Ryuk infections

Ideally, you want to stop Ryuk from ever getting into your network, for example by blocking the phishing attempts often used to spread ransomware through email and collaboration tools.

We recommend a number of products from our technology partner, Datto, starting with  SaaS Defense. Datto SaaS Defense detects phishing and ransomware based on its behavior, rather than relying on signature-based software that often misses new malware variants.

Beyond that, you should have ransomware detection and remediation in place. This is part of a layered security strategy, where anything that gets past your outer defenses will be blocked by the next layer of defense, reducing the impact of an attack. By detecting an attack early, systems can be quickly isolated, reducing the impact of an attack.

Datto Remote Monitoring and Management (RMM) allows us to detect and correct problems with every endpoint on our clients networks. While this can be used to address routine maintenance issues, it includes native ransomware detection and remediation capabilities.

If ransomware is detected, Datto RMM automatically alerts us to take proactive steps to stop it. That includes terminating the ransomware process and isolating the infected device to prevent the ransomware from spreading. This reduces downtime and allows us to stop threats before you even become aware of them.

Then the challenge is to recover any systems that may have been damaged in the attack to a ransomware-free state. Whether you will be able to do that depends largely on whether you have complete system image backups of important systems. That includes cloud-based systems, for example Microsoft 365 and Microsoft Azure. Make sure your backups themselves are protected against ransomware because attackers will try to corrupt those, too.

The ability to recover your systems and shrug off a ransomware attack depends largely on whether you have complete system image backups of important systems. That includes backups of cloud-based systems such as Microsoft 365 and Azure. We address that with the Datto Continuity suite of products.

We can help you do this right, dramatically reducing the risk that you would have to choose between paying the ransom or suffering potentially existential damage to your business if you were hit by ransomware. Contact us today to learn more.