Breaking Down the Real Meaning of an XDR Solution
Read More
Discover effective techniques for detecting ransomware on your network. Learn practical steps
In September 2020, Universal Health Services faced a devastating cyberattack that forced over 400 medical facilities across the United States and United Kingdom to revert to paper-based procedures. This wasn’t just another ransomware attack – it was Ryuk, one of the most sophisticated and financially devastating ransomware families ever created.
Since its emergence in August 2018, Ryuk has distinguished itself from other ransomware through its targeted approach, focusing on “big game hunting” rather than indiscriminate attacks. Unlike most ransomware families that cast wide nets hoping to catch numerous small victims, ryuk ransomware specifically targets large organizations with the resources to pay substantial ransom payments.
Understanding what Ryuk is and how it operates has become crucial for organizations worldwide. This comprehensive guide will explore everything you need to know about this notorious malware, from its technical capabilities to prevention strategies that can protect your organization from becoming the next victim.
Ryuk is a highly targeted ransomware variant derived from the earlier hermes ransomware family, but it has evolved far beyond its predecessor’s capabilities. Unlike broad-spectrum malware that attempts to infect as many systems as possible, Ryuk uses “big game hunting” tactics to target high-value organizations including hospitals, government agencies, universities, and large corporations.
What makes Ryuk particularly dangerous is its ability to encrypt not just local system files, but also network drives and resources accessible to the infected machine. The ransomware actively seeks to disrupt backup and recovery mechanisms by deleting Windows Volume Shadow Service (VSS) shadow copies, making it nearly impossible for victims to restore their data without paying the ransom.
Files encrypted by Ryuk typically receive file extensions like .ryk or .RYK, making them completely inaccessible without the proper decryption key. The malware creates ransom notes named “RyukReadMe.txt” in every affected directory, containing instructions for contacting the ryuk attackers and payment details.
The sophistication of ryuk ransomware extends to its operational security. The malware is programmed to avoid infecting systems configured with Russian, Ukrainian, or Belarusian language settings, strongly indicating the geographic preferences and potential nationality of its operators.
First detected in August 2018, Ryuk emerged as a heavily modified version of the older hermes ransomware. The transformation wasn’t merely cosmetic – ryuk operators had fundamentally reimagined how ransomware could be deployed for maximum impact and profit.
The name “Ryuk” references a death god character from the popular Japanese manga and anime series “Death Note.” This choice reflects the operators’ attention to impactful branding and cultural references, suggesting a level of sophistication that extends beyond mere technical capabilities.
WIZARD SPIDER, a Russian-speaking cybercriminal organization, is attributed as the primary operator behind ryuk attacks. This group previously operated a subgroup called GRIM SPIDER, which was later merged under the WIZARD SPIDER umbrella. The organization has demonstrated remarkable adaptability, continuously evolving their tactics and incorporating new techniques to maintain their effectiveness.
The attribution to WIZARD SPIDER is supported by several technical and operational indicators. Beyond the language avoidance mentioned earlier, the group’s command and control infrastructure, malware distribution methods, and tactical patterns all point to a highly organized criminal enterprise with significant resources and technical expertise.
Intelligence agencies and cybersecurity researchers have tracked WIZARD SPIDER’s activities across multiple campaigns, revealing a group that operates with the precision and planning typically associated with nation-state actors, despite their purely criminal motivations.
The ryuk ransomware attack process follows a sophisticated multi-stage approach that maximizes both stealth and impact. Understanding this attack chain is crucial for organizations seeking to defend against or respond to ryuk infections.
The journey typically begins with phishing emails targeting employees within the victim organization. These aren’t generic spam emails, but carefully crafted messages designed to bypass security filters and convince recipients to open malicious attachments or click dangerous links.
Once a user interacts with the malicious content, the attack chain often involves Emotet malware downloading additional malware, particularly trickbot malware. TrickBot serves as a powerful reconnaissance tool, performing extensive network mapping, credential harvesting, and privilege escalation activities. This trojan horse enables attackers to move laterally through the victim’s infrastructure, identifying critical assets and administrative accounts.
The reconnaissance phase can last days or even weeks, with ryuk operators carefully mapping the target environment to understand backup systems, network topology, and high-value data repositories. This patient approach distinguishes Ryuk from more opportunistic ransomware families.
Ryuk demonstrates sophisticated technical capabilities that make it particularly effective at causing maximum disruption. Before beginning the encryption process, the malware terminates approximately 180 services and 40 processes to ensure nothing interferes with its operations.
The ransomware uses advanced encryption algorithms, employing AES-256 encryption for individual files and RSA-4096 encryption to protect the symmetric encryption keys. This dual-layer approach makes unauthorized decryption virtually impossible without access to the attackers’ private key.
One of Ryuk’s most destructive features is its systematic destruction of backup mechanisms. The malware actively seeks out and deletes shadow copies created by Windows System Restore, eliminating one of the most common recovery options available to victims. This capability to disable windows system restore functions significantly reduces the victim’s ability to recover without paying the ransom.
Ryuk can encrypt files across all mounted drives and accessible network shares, including remote administrative shares. A particularly insidious feature is its Wake-On-LAN capability, allowing compromised machines to wake up other computers on the network for encryption, ensuring maximum organizational impact even for systems not actively in use during the attack.
The malware also employs process injection techniques to execute within legitimate system processes, helping it avoid detection by traditional anti malware solutions. This stealth capability allows Ryuk to operate undetected while conducting its devastating encryption activities.
The real-world impact of ryuk ransomware attacks has been documented across numerous high-profile incidents that demonstrate both the malware’s technical sophistication and the operational disruption it can cause.
Universal Health Services became one of the most significant victims of a ryuk ransomware attack in September 2020. The incident affected over 400 medical facilities across the United States and United Kingdom, forcing healthcare workers to abandon electronic health records and revert to paper-based procedures for accessing patient records.
The timing was particularly devastating, occurring during the COVID-19 pandemic when healthcare systems were already under unprecedented strain. The attack disrupted critical operations including laboratory testing, prescription systems, and patient monitoring equipment, potentially putting lives at risk.
Sky Lakes Medical Center and Lawrence health services also fell victim to ryuk infections during this period, highlighting the ransomware’s particular threat to healthcare organizations. The targeting of human services during a global health crisis demonstrated the callous nature of the threat actors behind these attacks.
Tribune Publishing suffered a significant ryuk attack in December 2018 that severely disrupted newspaper printing and distribution operations. Major publications including the Los Angeles Times experienced widespread delays, affecting their ability to deliver news to readers across multiple markets.
Onslow Water and Sewer Authority faced a ryuk infection in October 2018 that disrupted billing and customer service operations. This attack on critical infrastructure demonstrated Ryuk’s potential to impact essential public services beyond traditional corporate targets.
Between 2018 and 2019, ryuk operators collected over $61 million in ransom payments across various attacks, establishing the malware as one of the most financially successful ransomware strains to date. Individual ransom demands have ranged from tens of thousands to millions of dollars, often calibrated based on the victim organization’s size and perceived ability to pay.
Understanding how ryuk infects organizations is essential for developing effective prevention strategies. The ransomware’s distribution methods have evolved over time, but certain patterns remain consistent across most successful attacks.
Approximately 91% of ryuk ransomware attacks begin with phishing emails targeting employees within the victim organization. These emails often contain malicious attachments, typically Microsoft Office documents with embedded macros that serve as the initial infection vector.
The attack frequently follows a three-stage process: initial Emotet infection, followed by trickbot malware deployment, and finally ryuk execution. This layered approach allows attackers to establish persistence, conduct reconnaissance, and position themselves for maximum impact before deploying the ransomware payload.
Emotet serves as the initial foothold, often delivered through convincing phishing emails that appear to come from legitimate sources. Once established, Emotet downloads additional malware, particularly TrickBot, which performs the crucial reconnaissance and lateral movement functions necessary for a successful ryuk attack.
Sophisticated ryuk attacks may also exploit vulnerabilities such as ZeroLogon (CVE-2020-1472) in Windows servers to enhance their access and persistence within victim networks. These exploit vulnerabilities allow attackers to escalate privileges and move laterally through network environments.
The malware program communicates with command and control c2 servers to coordinate activities and receive additional instructions. These servers maintain communication with infected systems throughout the attack lifecycle, enabling real-time coordination of the encryption process across multiple systems.
Some ryuk infections have also been traced to direct exploitation of unprotected remote desktop protocol connections, highlighting the importance of securing all network access points. Attackers may also leverage legitimate but compromised credentials obtained through previous breaches or credential stuffing attacks.
Recognizing the signs of a ryuk infection early can be crucial for containing damage and implementing effective incident response procedures. Several technical and operational indicators can signal the presence of this sophisticated ransomware.
The most obvious sign of a ryuk attack is the presence of ransom notes named “RyukReadMe.txt” or “UNIQUE_ID_DO_NOT_REMOVE.txt” throughout the infected system. These ransom note files appear in every directory containing encrypted files and provide instructions for contacting the attackers.
Files with .ryk or .RYK file extension indicate successful encryption by the ransomware. Victims will find that these encrypted files cannot be opened by their associated applications, and attempts to access them result in error messages or corrupted data displays.
System administrators may notice the sudden appearance of executable files with 12-character random names in system directories. These files are often components of the Ryuk payload or associated tools used during the attack process.
Unusual network traffic to known command and control servers associated with wizard spider operations can indicate an active or pending ryuk infection. Security teams should monitor for communications to suspicious ip addresses, particularly those associated with known ransomware infrastructure.
The detection of trickbot malware or Emotet infections should trigger immediate incident response procedures, as these often serve as precursors to ryuk deployment. Organizations should treat any confirmed presence of these malware families as indicators of an imminent ransomware attack.
Sudden termination of security services, backup applications, and system restore functions may indicate that Ryuk is preparing to begin its encryption process. The malware systematically disables protective mechanisms before beginning file encryption to maximize its effectiveness.
IT teams may notice widespread failures of backup systems or the inability to create new system restore points. Ryuk actively targets these recovery mechanisms as part of its strategy to force ransom payments.
Unusual administrative activity, particularly during off-hours, may indicate that attackers are conducting reconnaissance or positioning themselves for the final attack phase. This activity often involves accessing sensitive data repositories and mapping network resources.
Defending against ryuk attacks requires a comprehensive, multi-layered security approach that addresses both technical vulnerabilities and human factors. No single security measure can provide complete protection against such sophisticated threats.
Implementing comprehensive employee training programs to recognize and avoid phishing emails represents one of the most critical defense measures. Since the vast majority of ryuk infections begin with successful phishing attacks, educating staff about suspicious email indicators can prevent initial compromise.
Training should cover recognizing suspicious attachments, particularly Microsoft Office documents requesting macro activation, unexpected links in emails, and social engineering tactics commonly used by cybercriminals. Regular simulated phishing exercises can help maintain awareness and identify employees who may need additional training.
Organizations should establish clear reporting procedures for suspicious emails, ensuring that employees feel comfortable reporting potential threats without fear of criticism. Quick reporting can enable security teams to respond to threats before they spread throughout the organization.
Maintaining regular, secure backups stored offline or in immutable storage systems provides the most reliable defense against ransomware attacks. These backups should be tested regularly to ensure they can be successfully restored and should be stored in locations that cannot be accessed by ransomware.
Deploy advanced endpoint detection and response (EDR) solutions with behavioral analysis capabilities that can identify ransomware-like activities before encryption begins. Deploy advanced detection solutions that combine EDR, NDR, and deception for unified visibility across the attack surface.
Platforms like Fidelis Elevate® XDR can detect ransomware activity in real time—monitoring for lateral movement, privilege escalation, and backup sabotage—before the encryption phase even starts. These tools should monitor for suspicious process behavior, unauthorized file access patterns, and attempts to delete shadow copies.
Implement robust email filtering systems to block malicious attachments and suspicious links before they reach employee inboxes. These systems should include advanced threat detection capabilities that can identify previously unknown malware variants.
Network segmentation can significantly limit the impact of a successful ryuk infection by preventing lateral movement between different parts of the organization. Critical systems should be isolated from general user networks whenever possible.
Deploy application whitelisting to prevent execution of unauthorized executable files, including ransomware payloads. This approach can stop ryuk from executing even if other security measures fail to prevent the initial infection.
Implement robust access controls with multi-factor authentication for all administrative and user accounts. Limiting user privileges to only what is necessary for their job functions can reduce the potential impact of compromised credentials.
Keep all systems and software updated with the latest security patches to prevent exploitation of known vulnerabilities. Many successful ransomware attacks exploit vulnerabilities that have available patches but haven’t been applied to victim systems.
Regularly audit and secure remote desktop protocol connections, ensuring they are protected by strong authentication and not directly accessible from the internet. Many ryuk infections have leveraged unsecured RDP connections as initial access vectors.
Monitor for indicators of compromise associated with precursor malware like TrickBot and Emotet. Early detection of these infections can enable organizations to prevent the subsequent deployment of Ryuk.
When facing a confirmed or suspected ryuk infection, organizations must act quickly and decisively to minimize damage and begin recovery operations. The first hours of an incident are critical for containing the threat and preserving evidence for investigation.
Immediately isolate affected systems to prevent further spread across the network. This may involve disconnecting network cables, disabling wireless connections, or implementing emergency network segmentation procedures. Speed is essential, as Ryuk can encrypt network drives and resources rapidly once activated.
Contact law enforcement agencies, particularly the FBI’s Internet Crime Complaint Center, to report the ransomware attack. Law enforcement can provide valuable assistance and may have intelligence about the specific threat actors or ongoing investigations that could aid recovery efforts.
Engage cybersecurity professionals experienced in ransomware incident response as quickly as possible. These specialists can help assess the scope of the infection, identify the attack vector, and develop an appropriate response strategy.
Conduct a thorough assessment to determine which systems and data have been affected by the ryuk infection. This assessment should include all network-connected systems, backup repositories, and any cloud-based resources that may have been compromised.
Document all actions taken during the incident response process for potential legal proceedings and insurance claims. This documentation should include timestamps, personnel involved, and detailed descriptions of all response activities.
Preserve forensic evidence that may be useful for law enforcement investigations or internal analysis. This evidence can help identify how the attack occurred and prevent similar incidents in the future.
Security experts and law enforcement agencies strongly advise against paying ransom demands. Payment does not guarantee that encrypted files will be recovered, and it directly funds criminal operations that enable future attacks against other organizations.
Focus recovery efforts on restoring data from clean, uncompromised backups created before the ryuk infection occurred. This process may take considerable time but represents the most reliable path to full data recovery.
Before restoring any systems, ensure that the threat has been completely eliminated from the network environment. Premature restoration can result in re-infection and the loss of recovered data.
Conduct a comprehensive post-incident analysis to identify security weaknesses that enabled the attack and develop remediation plans to address these vulnerabilities. This analysis should examine both technical controls and operational procedures.
Update incident response plans based on lessons learned during the ryuk attack. These updates should address any gaps or inefficiencies identified during the response process.
Consider engaging third-party security assessors to conduct independent evaluations of security controls and help identify additional areas for improvement.
Ryuk specifically targets high-value organizations through manual reconnaissance and can encrypt network resources, not just local files. It also deletes shadow copies to prevent easy recovery and operates with a level of sophistication that sets it apart from most ransomware families. The targeted attacks focus on large organizations rather than broad, automated campaigns.
Currently, there are no free decryption tools available for Ryuk due to its use of strong encryption algorithms. Recovery typically requires restoring from clean backups created before the infection occurred. The combination of AES-256 and RSA-4096 encryption makes unauthorized decryption virtually impossible.
From initial infection to full encryption can take anywhere from hours to weeks, depending on network size and the attackers’ reconnaissance activities. The ryuk operators often spend considerable time mapping the target environment before deploying the ransomware payload to maximize impact.
See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.