What is Ryuk Ransomware and How Does it Work?

By Rotem Shemesh

What is Ryuk ransomware?

Ryuk is a type of ransomware that once deployed encrypts files on an infected system. Ransom is typically demanded in bitcoin or other types of cryptocurrency. Ryuk has targeted many large organizations using Microsoft Windows and related systems.

First spotted in August 2018 and initially thought to be a group that operates out of North Korea, however it is now believed to have been developed by Russian hackers.

70% of managed service providers (MSPs) report that ransomware is the most common malware threat to their clients. Protecting against Ryuk and dealing with an attack is a critical functionality and key differentiatorfoit comes to offering clients an edge.

Discover how Datto can help protect your business against ransomware attacks >

What is unique about Ryuk Ransomware and why is it so successful?

Ryuk is unique in that it is, as Microsoft defines it, a human-operated ransomware attack. The attackers use highly sophisticated targeting and stealth tactics to ensure a high rate of success.

The attackers generally choose their targets carefully, going for large organizations rather than individuals. This has not only launched the Ryuk ransomware into the headlines but also netted the operators of the ransomware millions of dollars in ransom payments.

Famous Ryuk attacks in the news

Ryuk attack victims reportedly include large organizations, local governments, hospitals, and more. For example:

  • The Department of Social Services
  • Tribune Publishing including the Los Angeles Times, Chicago Tribune, Wall Street Journal, and the New York Times
  • Boston's Committee for Public Counsel Services
  • Jackson County, Georgia, (paid a $400,000 ransom)
  • Riviera Beach, Florida (paid $594,000 ransom)
  • LaPorte County, Indiana (paid $130,000 ransom)

How is Ryuk delivered?

Like many other strains, Ryuk ransomware attacks are primarily delivered via a phishing email.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Ryuk is spread by “phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware.

Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control server and install it on the victim’s machine.” Commonly Microsoft Office documents that are macro-enabled are delivered in the phishing email, which, when opened, leverages the macro to execute a PowerShell command that in turn downloads Emotet.

This then downloads additional software, including Trickbot. From here, the ransomware can move laterally as it discovers ever higher access privileges.

Ryuk was identified over two years ago. Why does it still wreak havoc?

Ransomware attacks change constantly. Attackers are leveraging automation to mutate common threat variants, resulting in a massive increase in previously unseen first-time threats.

This is a popular technique allowing attackers to bypass most security solutions – which typically misidentify variants of existing threats even if the original threats already have their signatures registered. This weakness allows attackers to continue to target organizations, bypass their existing security solutions, and deploy their payload on the victim’s network.

Combat the latest threats with Datto’s ransomware solutions >

The old Ryuk vs. the new Ryuk

In January 2021, a new Ryuk variant was identified. New variants emerge all the time, but this one had an enormous impact since it has worm-like capabilities allowing it to automatically spread laterally within the infected networks. Previous versions of Ryuk could not automatically move laterally through a network and required a dropper and then manual movement. The new version entails a computer worm spreading copies of itself from device to device without any human intervention required.

How to protect against the next Ryuk variant – even before you know it's out there

As we’ve noted previously, Ryuk, like other common ransomware instances, is primarily deployed using a phishing or spear-phishing email. Phishing is tricky and even the most experienced cyber experts aren’t always able to detect it. Therefore, in addition to educating employees on how to avoid phishing threats, the best defense against such an attack for yourself and your clients is to ensure that you use advanced protection for email and other collaboration tools, one that covers phishing as well as malware. When selecting a protection solution, use one that uses an attack-agnostic detection mechanism so it will protect from unknown Ryuk variants as they emerge.

What is the ransom demand in Ryuk attacks?

Ransom amounts vary, but there have been records of Ryuk attacks demanding ransoms in the millions of dollars. Remember, paying the ransom is not the solution to escaping a ransomware attack.

How to detect and stop Ryuk infections

First and foremost, it’s important to have ransomware detection and remediation in place for you as an MSP and for your clients. Ransomware detection is a component of backup systems that can reduce the impact of an attack. By detecting an attack early, systems can be quickly isolated and recovered to prevent paying the attacker a ransom for decryption.

For example, Datto RMM enables MSPs to remotely monitor, manage, and support every endpoint under contract. This provides an additional layer of security, one with native ransomware detection.

If ransomware is detected, Datto RMM automatically sends alerts allowing MSPs to take proactive steps. These include terminating the ransomware process and isolating the infected device to prevent the ransomware from spreading. This serves to reduce downtime and saves MSPs from having to wait for clients to report possible infections.

In addition to RMM, MSPs can make use of Datto’s backup and recovery services which is the only way to ensure business continuity for clients.

Datto offers several solutions including:

  • Datto Unified Continuity, covering all business continuity and disaster recovery needs including protecting servers, files, PCs, and SaaS applications
  • Datto SIRIS, a reliable, all-in-one business continuity and disaster recovery solution built for MSPs to prevent data loss and minimize client downtime
  • Datto ALTO, a small but powerful business continuity and disaster recovery solution built for MSPs to minimize downtime and efficiently prevent data loss for their small business clients
  • Datto Endpoint Backup for PCs, protecting MSP clients’ Windows-based computers from downtime and data loss and rapidly recovers data in case of disaster
  • SaaS Protection, offering reliable and secure cloud-to-cloud backup for Microsoft 365 and Google Workspace to ensure critical cloud data is protected

Ryuk has already demonstrated that it will be constantly evolving to evade security solutions. MSPs must be able to offer clients real, practical solutions that address this ongoing threat.

Suggested Next Reads