RYUK is a high-risk ransomware-type virus that infiltrates the system and encrypts most stored data, thereby making it unusable. Due to its similarities with Hermes ransomware, there is a high probability that these two viruses have the same developer. Unlike most other viruses, this malware does not rename or append any extension to encrypted files. It does, however, create a text file (“RyukReadMe.txt”), placing a copy in every existing folder.

RYUK is designed to target large companies and infect many computers at once. Although a ransom of thousands of dollars might seem too much for everyday users, large companies often agree to pay, since their encrypted data is often much more valuable.

Ransomware developers often ignore victims once payments are submitted. Paying often gives no positive result and users are scammed. There are no tools capable of cracking RSA/AES encryption and restoring data free of charge. The only solution is to restore everything from a backup.

How does Ryuk Ransomware attack a victim?

The majority of Ryuk Ransomware attacks can be traced back to either Remote Desktop Protocol (RDP) access or email phishing as the attack vector. This is due to the prevalence of poorly secured RDP ports, and the ease with which ransomware distributors are able to either brute-force their way in or purchase credentials on dark market sites. Companies that allow employees or contractors to access their networks remotely without proper protections are at grave risk of being attacked by Ryuk Ransomware. Email phishing is also increasingly prevalent in Ryuk attacks. Exploit kits such as Trickbot and Emotet are increasingly used to gain elevated credentials so that the entire network of a targeted organization may be encrypted by the attackers.

Ryuk Ransomware Encrypted File Extensions

Ryuk Ransomware typically appends a standard ‘.ryk’ extension to encrypted files. There is known to be one variant which does not append any special extension to the files but uses the same encryption as the Ryuk that does append .ryk to the files. An encrypted file would follow the pattern below (example of a Word document):

filename.doc.ryk
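
The two on-disk indicators described on this page (the RyukReadMe.txt note dropped in each folder and the .ryk extension) can be checked with a read-only directory scan. The following is an added example, not part of the original article; the folder layout created by build_sample_tree is constructed sample data, and the triage labels are this example's own.

```python
import os
import tempfile

NOTE_NAME = "ryukreadme.txt"  # ransom note name from this page, compared case-insensitively
ENC_SUFFIX = ".ryk"           # encrypted-file extension from this page


def scan_tree(root):
    """Return {relative_dir: (has_note, ryk_files, other_file_count)} for flagged dirs."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        names = [f.lower() for f in files]
        has_note = NOTE_NAME in names
        ryk = sorted(f for f in files if f.lower().endswith(ENC_SUFFIX))
        if has_note or ryk:
            other = len(files) - len(ryk) - names.count(NOTE_NAME)
            findings[os.path.relpath(dirpath, root)] = (has_note, ryk, other)
    return findings


def classify(has_note, ryk, other):
    """Triage label for one directory."""
    if has_note and ryk:
        return "note + .ryk files"
    if has_note:
        # Matches the variant described above that leaves file names unchanged.
        return "note only, names unchanged"
    return ".ryk files, no note"


def build_sample_tree(root):
    """Constructed sample layout (empty files) used only to exercise the scanner."""
    layout = {
        "finance": ["RyukReadMe.txt", "budget.xls.ryk", "q3.doc.ryk"],
        "hr": ["RyukReadMe.txt", "policy.doc"],
        "tools": ["setup.exe"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, entry in sorted(scan_tree(tmp).items()):
            print(f"{folder}: {classify(*entry)} ({len(entry[1])} .ryk, {entry[2]} other)")
```

A folder flagged "note only, names unchanged" still needs its files compared against backups, since file names alone cannot confirm encryption for that variant.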

How to defend against Ransomware?

  • Anti-exploit technology
  • Regular, updated malware scans
  • Network Segmentation
  • Evolving Threats