Ryuk ransomware has been active since 2018 and is known for targeting big organizations. The ransomware is operated by a Russia-based criminal group known as Wizard Spider. Recently, Ryuk has been observed deploying BazarLoader, a trojan operated by the cybercriminal group behind Trickbot.

Quick insights

Operators of this ransomware focus only on large organizations with critical assets, in an attempt to obtain a larger ransom.
  • According to a recent report from DFIR, Ryuk ransomware takes only 29 hours to complete its attack on the target network, from the initial spam email to full compromise of the network, including encryption.
  • In August, Ryuk joined the list of ransomware gangs operating their own data leak sites, where they leak data of targeted organizations that refuse to pay.
  • The same month, researchers traced millions of dollars' worth of bitcoin being sent to Ryuk ransomware operators through the Binance exchange platform. This indicates that the group is planning to use the money in some way.

Recent attacks

The ransomware is very active and has been targeting various organizations, mostly in the healthcare sector. The attacks span from North America to South Asia, along with Western Europe.
  • According to a report from Check Point and IBM, Ryuk ransomware attacks approximately twenty companies per week. The attacks are mostly observed in the U.S., India, Sri Lanka, Russia, and Turkey.
  • Last month, the ransomware operators hit Universal Health Services, an American company that provides hospitals and healthcare services. They used phishing as the attack vector.

Ties with Trickbot operators

BazarLoader and Trickbot are operated by the same threat actors. The BazarLoader trojan comes with improved detection evasion and long-term infection capabilities, which suggests a tactical change in Ryuk’s strategy. This lays the groundwork for Ryuk to be deployed silently.


Ryuk is one of the most prominent ransomware strains and is looking to go even bigger. Experts therefore suggest that organizations be proactive and deploy an anti-ransomware solution, along with training their employees to spot and avoid malware-laced phishing emails.

Cyware Publisher