Ryuk, a well-known ransomware family, has achieved a milestone by collecting more than $150 million in ransom. In a joint report, a threat intel company and a cybersecurity firm tracked payments to 61 Bitcoin wallet addresses that were previously attributed to Ryuk ransomware attacks.

Quick insights

The operators behind this ransomware send most of their Bitcoin to exchanges through an intermediary to cash out. The two main exchanges they use are Binance and Huobi, both located in Asia.
  • After tracing Bitcoin transactions for the known addresses associated with Ryuk ransomware, experts estimated that the gang’s crypto account may be worth more than $150 million.
  • The extorted funds are collected in holding accounts and then passed to money-laundering services.
  • Ryuk operators create two unique Protonmail addresses for each victim and use them for communication. At present, they do not use any web-based chat, as many other ransomware operations do.
  • The threat actor scores its victims to determine how lucrative a target might be and how likely the victim is to pay the ransom. For example, domain trusts are one significant indicator collected by precursor malware.

Ryuk’s recent attacks

  • SystemBC was used in Ryuk and Egregor attacks, often in combination with other post-exploitation tools such as Cobalt Strike.
  • Last month, K12 Inc., an online learning solutions provider, detected unauthorized activity performed by Ryuk operators.


Over the past few years, ransomware gangs have aggressively targeted and exploited thousands of victims across the globe. Given their immense success rate, this trend is not expected to stop anytime soon. Experts therefore suggest backing up important data, applying the latest security patches and updates, and using email gateways to reduce the risk of ransomware attacks.

Cyware Publisher