Ryuk Ransomware

Despite all the advancements in cyber security and awareness about cyber crimes today, ransomware attacks are still some of the biggest threats both individuals and companies face.

As attackers come up with new ways and ransomware strains to attack computer systems, it is becoming increasingly difficult to protect precious data and prevent loss of finances, especially in the form of ransom.

Amongst these new variants of ransomware is also Ryuk ransomware. Also termed one of the most formidable ransomware in the world, it has affected several systems worldwide and led to huge losses.

Ryuk Ransomware

Coming into the spotlight in August 2018, Ryuk is named after a popular Japanese comic book character. However, now this name is synonymous with one of the worst cyber threats in the world. Ryuk ransomware targets hospitals, government institutions, businesses, and other big organizations.

Generally, all ransomware hacks into a system to encrypt files, after which the hacker demands that a ransom is paid by the victim in return for the private key that will decrypt the data. Ryuk ransomware is a well-thought and targeted attack that encrypts the most critical data on an organization’s systems. The attacker then threatens to keep this data inaccessible until a hefty ransom demand is fulfilled in the form of cryptocurrency, mainly Bitcoin.

Origin Of Ryuk Ransomware

Ryuk ransomware was first identified in 2018, but it is based on another ransomware program named Hermes, which was traded in underground forums for cyber criminals in 2017. Hermes was most popularly used by one of the biggest cybercrime groups originating from North Korea. This led to the belief that Ryuk is also run by a group that operates out of North Korea. However, it has been discovered that Ryuk is operated by a Russian cybercrime organization, most likely Wizard Spider.

The ransomware, Ryuk, targets some of the biggest companies in the world, like well-renowned tabloids. Even targets that seem least susceptible to malware attacks, such as hospitals and other healthcare organizations, are not safe from this threat.

Ryuk ransomware has grown more dangerous with time, with a newer variant launched in 2021. It has led to millions of dollars in losses to organizational giants around the world.

Why Is Ryuk Ransomware So Successful?

According to Microsoft’s definition, ransomware Ryuk is “a human-operated ransomware attack.” This means that the threat actors use cutting-edge techniques and sharp stealth strategies, leading to a high success rate.

Another advantage to the attackers due to manual attacking techniques is that they can deploy multi-level threats to the targeted system.

Attackers also use automation to mutate the Ryuk ransomware regularly, forming multiple separate variants that have never been observed before. Due to this strategy, hackers can slide by the toughest security systems because they are often misidentified as a different type of attack.

This allows attackers to beat their target’s security system by simply identifying the threat signatures already identified by it and then choosing a mutant accordingly. This makes identifying the target and deploying the ransomware on their system very easy for Ryuk attackers.

How Ryuk Ransomware Attacks?

Ryuk ransomware is unlike normal malware in that the attacker does thorough research about the target instead of simply setting a trap and hoping a naïve user will fall victim to it.

The threat actors first spend ample time extracting information about their high-profile victims to determine whether they are worth the attack and may even steal the victim’s credentials.

One of the most popular Ryuk ransomware attack vectors is phishing emails. This means that the attacker sends a benign email to the victim, which contains an apparently harmless but malicious attachment, mostly a Word or pdf document. As soon as this attachment is opened, a malware trojan is deployed on the victim’s machine, and a ransom note is displayed.

The initial infection is not ransomware itself. It is a type of malware that allows the perpetrator to take control of the system and execute any commands as they wish so that they can deploy the ransomware when and where they want. During this process, the Ryuk itself does not sit idle. Instead, it swiftly spreads laterally across any network to which the infected device may connect.

Once Ryuk has hinged itself deeply into the system, it can easily and stealthily identify and steal the user’s credentials and identify domain controllers. This means that when the ransomware payload is deployed, the malware attacks all targeted data and will gain access to a large attack surface, making the attack more widespread.

Ryuk is part of one of the first ransomware families that can identify the network’s drives and resources, along with deleting any data backup from the endpoint. It is after this that the encryption process takes place.

This ability makes Ryuk ransomware more lethal because not only can it disable Windows System Restore on the system, but it also makes it completely impossible to recover from a Ryuk infection without an external, isolated backup or rollback technology. It also means that the victim has no options apart from either losing their data forever or paying the ransom that is asked.

Since the ransomware causes file encryption and blocks access to all valuable data, making it impossible even to gain entry to any program or application, many victims are forced to and instantly agree to ransom payments.

The careful planning, execution, target selection, and manual hacking techniques that go into a Ryuk ransomware attack ensure a fool-proof attack and earn the attackers upwards of millions of dollars every year.

Popular Ryuk Ransomware Attacks

Ransomware attacks have recently resulted in significant losses to several big organizations. Not only did these attacks cause significant inconvenience to the those affected, but they also led to huge losses of data, money, or both.

Below are some examples of institutions that have fallen prey to Ryuk over the years.

In July 2019, the entire IT system of New Bedford, Massachusetts, was encrypted by attackers who demanded $5.3 million in Ryuk ransom. The city offered to pay $400,000 instead, which was rejected. The city then tried to recover its systems on its own.

In January 2020, Ryuk attacked the Electronic Warfare Associates (EWA), a popular electronic supplier to the US Department of Defense. EWA tried to keep this attack under wraps, but it was eventually revealed when someone disclosed ransom notes and encrypted files on EWA’s cached results on Google search.

In September 2020, Ryuk targeted more than 250 medical facilities run by Universal Health Services (UHS), one of the biggest healthcare providers in the United States. This attack led to delayed appointments and medical test results and forced patients to be relocated to other emergency rooms. This attack led to a loss of $67 million to the UHS.

In October 2020, two medical centers in Oregon and New York, respectively, were attacked by Ryuk. These attacks took down the centers’ online databases, making electronic medical records unavailable for an unspecified period. This took place when the Covid 19 pandemic was at its first peak and thus took increased pressure on the already heavily burdened healthcare facilities.

In May 2021, Ryuk’s victim was Volue, a Norwegen energy technology firm. This severely affected water and wastewater facilities infrastructure in more than 200 Norwegian municipalities. Apart from the firm, this attack negatively impacted about 85% of the entire population.

In June 2021, a Ryuk attack was deployed on the IT systems and networks in Liege, one of the largest cities in Belgium. This led to a disruption in administrative services relating to passports, identity cards, and appointments for birth, marriage, and residency permits.

The New Ryuk Variant

A new Ryuk variant came into the limelight in 2021. This was not the first time a new variant was launched, but it got more attention because of its worm-like nature. This variant can spread laterally across a network automatically from an infected system.

This ability is unlike the previous variants, which could not do so automatically. Instead, they had to be moved manually.

The new variant’s abilities are termed worm-like because a computer worm can replicate itself several times and propagate its copies across a network of computers without any manual intervention.

Protection Against Ryuk Ransomware

The highly deadly nature of Ryuk ransomware might make it seem like there is no way one can be fully immune to such an attack. However, that is not entirely true because Ryuk preys on the same weaknesses of a system as any other ransomware.

A lack of awareness about cyber threats, proper firewall and anti-malware solutions, weak passwords, as well as other poor cyber practices make a system prone to Ryuk attacks. Therefore, it is better to prepare for the worst and identify weaknesses in your system and networks to protect against this threat and prevent Ryuk and other malware.

Invest In Cyber Security And Cyber Resilience

Cyber security is not optional for companies nowadays; it is an inherent need that every organization needs to invest in to fight cyber threats.

Good cyber security practices involve cutting-edge technology, software, and proper staff training. Organizations should also try to conduct simulations of Ryuk infections and other malware to prepare team members and help them understand their roles if an attack does happen.

Staff, especially those on the front end that receive and respond to email communications and other media, should also be trained thoroughly about safe IT practices, most importantly, not falling into the trap of phishing emails and, thus, preventing Ryuk.

Cyber resilience, on the other hand, will help a company recover from a Ryuk ransomware attack and come out of it without losing either data or finances.

Concentrate On Data Backups

Well-maintained data backup is perhaps the most important tool to survive a Ryuk or other malware attack. Every institution must ensure that all its data is backed up on external, isolated storage devices. It is also better if these devices are geographically separated too. Another useful backup tool is cloud storage services.

Data belonging to critical assets, systems, and operations should be stored offline and updated regularly. Continuous Data Protection (CDP) can also be used, which is a tool that ensures that any changes made to data in real-time are instantly and automatically backed up.

Other Safety Practices

Both individuals and institutions need to keep their antivirus and other security software up-to-date so that the system can easily monitor, identify, and deal with a Ryuk attack before it is fully deployed. Any passwords or PIN codes used should be strong and changed regularly.

Decent security infrastructure, including server security, should be installed, and permissions-level access should be set up. Multi-factor authentication, with strong second factors, should be employed wherever possible.

Software, firmware, and operating systems should have patches applied. All logs, accounts, and access should be regularly audited to help verify activity and configuration.

Can A Ryuk Ransomware Attack Be Removed?

Affected users should never assume they can remove Ryuk ransomware from their system. This is a job best left to IT professionals and experts. Even if you can get rid of the ransomware, all your files will remain encrypted.

There are some steps. However, you can instantly take on your own to reduce the impact of the threat. Firstly, isolate the infected system, i.e., disconnect it from any computer networks, cloud storage accounts, or external storage devices. Then, quickly run an antivirus scan on the system to detect the issue and its effects. Note down the time you discovered the virus on your computer.

In some cases, it is possible to remove Ryuk ransomware from your system via System Restore and safe mode, but there is no guarantee that these techniques will work. Therefore, it is always better to focus on prevention strategies to protect your critical data from a Ryuk attack.

Ryuk attempts to target the weakest links in the chain. Hence, it is crucial to regularly scan your entire network of systems to identify system vulnerabilities and patch them as soon as possible.


Ryuk ransomware is an extremely formidable cyber threat attributed to the Russia-based hacker group Wizard Spider. Ryuk infects the biggest of organizations and corporate giants.

Ryuk typically encrypts data and system files that the Ryuk hackers know are of utmost importance to the target. There is currently no removal technique available for this attack, and the only choice most victims are left with is to pay the ransom or risk losing their sensitive data forever.

Ryuk is a very real threat faced by organizations all over the world. To fight it efficiently and avoid irreversible losses of money and data, it is imperative to focus on prevention techniques, invest in decent cyber security and resilience, and spread awareness about this threat.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.