Ryuk: All you need to know about the highly-targeted ransomware campaigns

• Ryuk ransomware targets large organizations and decides demands based on the victim organization’s value.
• Operated by the sophisticated eCrime group Grim Spider, this malware has the capabilities of targeting critical network systems to maximize the impact of the attack.

The backdrop

Initially spotted in August 2018, Ryuk deploys highly-targeted campaigns in enterprise environments. Ryuk is a ransomware, which is a form of malware that blocks access to systems until the demanded amount is paid. Ryuk is known for blocking access to computers and data centers belonging to various organizations across the globe.

The threat actors behind Ryuk, identified as Grim Spider, are said to have made millions of dollars by carefully selecting large organizations that can afford to pay the ransom in exchange for access to the encrypted files.

Relationship with other malware

Researchers have observed various similarities between Hermes and Ryuk malware.

• Both malware use the same marker to check if a file has been encrypted, and Ryuk’s encryption logic closely resembles that of Hermes.
• Shadow volumes and backup files are deleted using a similar script in Ryuk and Hermes.
• The flow graph of the function that encrypts a file has also been observed to be quite similar.

Based on these observations, there are speculations that Ryuk may be built over the Hermes malware.

According to various reports, Ryuk is believed to be delivered by the TrickBot or Emotet Trojan. Malware campaigns combining TrickBot, Emotet, and Ryuk have also been reported.

Modus operandi

Ryuk has been designed to attack the critical parts of an infected system for maximum impact.

• Once this ransomware infects a system, it is known to disable the antimalware software and install a version of Ryuk instead.
• It then encrypts all non-executable files in the system and renames them with .ryk file extension.
• A ransom note, named RyukReadMe, is then displayed to the users of the infected system.
• Two different ransom note templates have been observed — a long polite one and a short blunt one.

List of attacks

Starting August last year, Ryuk has been in the news fairly often for impacting the operations of various firms.

August 2018: Ryuk made its debut this month by encrypting the systems of various organizations across the globe. Few organizations are said to have paid a massive ransom to retrieve their data.

October 2018

Onslow Water and Sewer Authority (ONWSA) was affected by the Ryuk ransomware. The North Carolina based water utility opted to not pay the ransom.

Recipe Unlimited, a Canadian company that runs several restaurant chains was infected by Ryuk, forcing several restaurants to shut down, and many others to accept payments only in cash.

December 2018

All Tribune Publishing newspapers and those that were formerly part of Tribune were affected by a Ryuk attack. Notoriously known as the Christmas campaign, Ryuk affected various other firms around this time including Dataresolution.net.

May 2019

Ryuk disrupted the functioning of C.E. Niehoff & Co., a manufacturing firm. The IT staff unplugged affected machines before they read the ransom note which warned them not to do so. This resulted in the firm having to rebuild all the infected systems.

July 2019

LaPorte County in Indiana fell victim to a Ryuk attack. The county paid $130,000 in bitcoin to recover the encrypted data.

The month of July also witnessed another Ryuk infiltration in New Bedford that demanded $5.3 million. The city refused to pay and rebuilt their systems from backup.

September 2019

A new malware that seems to share a close relationship with Ryuk has been reported. It is not clear if the Ryuk’s operators are behind the new malware, or if another group has gained access and modified the code.