Ryuk is relatively new to the cybercrime scene, having first been identified in August 2018 as a variant of Hermes ransomware. Although it hasn’t infected as many systems as more ubiquitous ransomware programs, Ryuk has caused enormous disruption by specifically targeting large-scale networks. Its victims include, but are not limited to, the city of New Orleans, the U.S. Coast Guard, dozens of U.S. newspapers, and several hospitals and health care providers.
The fact that Ryuk has compromised several high-profile targets is a key part of its modus operandi. Instead of spreading via phishing campaigns or propagating willy-nilly over networks, it takes a longer approach and typically compromises its victims via a multi-stage process. Ryuk is, in practice, primarily dependent on two other forms of malware called Emotet and Trickbot.
Emotet is what’s referred to as a “dropper” Trojan, which is typically spread via malware-laden attachments and enables hackers to install other programs. Computers and networks compromised by Emotet will often then be infected by the Trickbot strain of malware, which takes control of targeted computers and allows hackers to install ransomware, including Ryuk. This combination is often referred to as a “loader-ransomware-banker trifecta.”
Because Ryuk requires several steps before it’s able to compromise a system, it typically targets enterprise environments and charges relatively high prices to decrypt affected files. The size of the ransom tends to vary according to the size and resources of its targets as well as the sensitivity of the data it encrypts. The lowest known ransom was for 1.7 Bitcoins (roughly $20,000), and the highest was for 99 Bitcoins (roughly $1.2 million), with the average being somewhere between 15 and 50 Bitcoins (roughly $100,000 to $500,000).
One of the more sophisticated elements of Ryuk is that it first targets and stops anti-malware and antivirus-related processes, and then looks for and compromises connected system backups. This activity makes a Ryuk infection significantly harder to detect and makes it near impossible to recover system data if external and offsite backups aren’t available.
After using three separate layers of encryption on its target computer, Ryuk then generates a ransom note in every file folder, typically informing its victim that their files are encrypted and providing a secure email address and a Bitcoin wallet address to which the ransom is to be paid.
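The note-dropping behaviour described above is itself a detectable artifact: the same small file appearing in nearly every directory of a share is unusual for legitimate activity. The following is an added example, not code from the original article, that hashes small files under a root and reports any filename whose identical content shows up in a high fraction of directories. The directory tree, note text and note filename are constructed for the demo and are not real Ryuk indicators.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_replicated_notes(root, min_ratio=0.8, max_size=64 * 1024):
    """Return [(filename, [dirs])] for small files whose byte-identical content
    appears in at least min_ratio of the directories walked under root."""
    dirs_seen = 0
    seen = defaultdict(set)  # (filename, sha256) -> directories containing it
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_seen += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:  # notes are small; skip big files
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue
            seen[(name, digest)].add(dirpath)
    hits = []
    for (name, _digest), dirs in seen.items():
        if dirs_seen and len(dirs) / dirs_seen >= min_ratio:
            hits.append((name, sorted(dirs)))
    return hits


def build_sample_tree():
    """Constructed sample: a placeholder note dropped into every directory,
    plus one ordinary file that occurs only once (should not be flagged)."""
    root = tempfile.mkdtemp(prefix="note_demo_")
    note = b"Your files are encrypted. Contact <placeholder email>, pay to <placeholder wallet>.\n"
    for sub in ("", "docs", os.path.join("docs", "archive"), "finance"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "README_FOR_DECRYPT.txt"), "wb") as fh:  # constructed name
            fh.write(note)
    with open(os.path.join(root, "docs", "budget.xlsx"), "wb") as fh:
        fh.write(b"not a note")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for name, dirs in find_replicated_notes(root):
        print(f"{name!r} replicated in {len(dirs)} directories under {root}")
```

On a real file server the same walk would be run against the share root, with the threshold tuned so that genuinely shared files such as a standard readme do not trip it.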
Ryuk has been attributed to two hacking groups, Wizard Spider and CryptoTech. A 2019 report from the FBI estimated that this variant of ransomware had netted $61 million in reported cases in the U.S. alone, a figure that is expected to increase significantly in 2020 and beyond.
What to do about Ryuk?
It’s difficult to mitigate once this ransomware takes hold of a system, so the best method is to prevent infection. Companies and organizations should regularly train employees to identify potential phishing emails containing malware-laden attachments, and invest in anti-malware and antivirus software to identify and block threats. Most importantly, it is crucial to follow the 3-2-1 strategy of backups:
- Keep at least three copies of data.
- Store two copies on different media.
- Keep one backup copy offsite and offline.