
By: Gabriel Schram
August 2, 2021
Ryuk Ransomware Is Continually Changing

Ryuk is an identified variant of ransomware that started making its impact in 2018. Like most ransomware, it shuts down system processes and encrypts the entirety of its target. In exchange for some bitcoin, users can unlock and regain access to their system and its data. Since its discovery, Ryuk has caused millions in damages from big game hunting. Big game hunting targets large-scale organizations holding critical assets in order to obtain a higher ransom. Ryuk's targets have been diverse and include newspapers, hospitals, logistics companies, and municipal facilities. It resembles another known malware variant, Hermes 2.1, but it is built for large-scale enterprise environments. Higher value targets generate a higher ransom, and organizations that rely heavily on their information systems are more likely to pay. This suggests that ransom amounts are determined by the size and criticality of the infected system. Once a machine is compromised, the malware leaves a ransom note in the form of a text file on the victim machine, as displayed in Figure 1.
Ryuk is a devastating malware variant making the rounds on insecure organizations. An analysis of how it works is vital to understand why it is so successful. An important feature of the ransom note is the lack of a crypto address to send the ransom to. The bitcoin address is a feature that was removed from the text file. This indicates that the malware is being updated and improved upon; further evidence points to this as well.
Tactics, Techniques, and Procedures
Ryuk demands large quantities of bitcoin as a ransom payment. Targeting large-scale enterprise organizations fetches large ransoms, even though many of these organizations are assumed to be hardened and protected. To improve its effectiveness, the ransomware combines its infection with other known trojans called TrickBot and Emotet. Initial infections of these trojans are carried out via phishing campaigns, drive-by downloads, and watering holes. In other words, the target system is exploited via a known form of social engineering that entices target users to click a malicious link. Once a target is infected with a trojan, the operators of Ryuk use continued access to the system to gather intelligence about the target environment.
Operators use several post-exploitation tools before the payload is dropped. Attackers conduct reconnaissance on the infected network and achieve privilege escalation through various manual hacking techniques and tools. Tools such as Cobalt Strike and PowerShell Empire allow attackers to execute scripts and perform lateral movement while reducing the risk of security alerts. LaZagne is another tool, used to stealthily obtain user credentials inside the target system. LaZagne is combined with BloodHound, which can reveal relationships within Active Directory. The diversity of tools used by the threat actors controlling Ryuk is meant to spread the infection widely in the target environment and achieve access to the target's domain controller.
Newer variants of Ryuk are being built to automate these tasks and require minimal human intervention. A crackdown on Emotet in January of 2021 could be a contributing factor to this evolution. In March of 2021, a Ryuk incident response in France established that newer variants self-propagate via remote procedure call (Schwartz, 2021). Previous updates added the Wake-on-LAN command and ARP scanning to obtain further IP and MAC addresses.
Before pushing the binary, attackers will terminate active processes and disable system restore capabilities and backups. The binary is then pushed to all infected machines via PsExec (a Windows command-line utility commonly used to run programs remotely). Ryuk uses a combination of AES-256 and RSA encryption for its targeted files. Each executable generates a unique key for its victims.
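One way to hunt for the pre-encryption behaviour described above (PsExec fan-out together with backup and restore tampering), added here as an example and not taken from the article or from any vendor tooling. The record layout, host names, thresholds and command-line patterns are assumptions, and because the default PsExec service binary name `PSEXESVC.exe` can be changed by an operator, a miss is inconclusive.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, parent image, command line),
# shaped like what Sysmon Event ID 1 or Security 4688 would supply. Not real telemetry.
SAMPLE = [
    ("2021-03-01T02:10:05", "WS-01", r"C:\Windows\PSEXESVC.exe", r"cmd.exe /c C:\Windows\Temp\job.bat"),
    ("2021-03-01T02:10:40", "WS-02", r"C:\Windows\PSEXESVC.exe", r"cmd.exe /c C:\Windows\Temp\job.bat"),
    ("2021-03-01T02:11:00", "WS-01", r"C:\Windows\System32\cmd.exe", "bcdedit /set {default} recoveryenabled No"),
    ("2021-03-01T02:12:10", "FS-01", r"C:\Windows\PSEXESVC.exe", r"cmd.exe /c C:\Windows\Temp\job.bat"),
    ("2021-03-01T02:12:30", "FS-01", r"C:\Windows\System32\cmd.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    ("2021-03-01T09:00:00", "ADM-01", r"C:\Windows\PSEXESVC.exe", "ipconfig /all"),  # lone admin use
    ("2021-03-01T09:05:00", "WS-03", r"C:\Windows\explorer.exe", "vssadmin list shadows"),  # read-only
]

# Assumed patterns: command lines that remove shadow copies or backups, or turn
# off Windows recovery. Listing or querying shadow copies does not match.
TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete|"
    r"bcdedit.*recoveryenabled\s+no", re.IGNORECASE)

def is_psexec_child(parent_image):
    # PsExec's remote service runs as PSEXESVC.exe unless the operator renames it.
    return parent_image.rsplit("\\", 1)[-1].lower() == "psexesvc.exe"

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Hosts that ran a PSEXESVC child inside one window, if at least min_hosts did."""
    hits = sorted((datetime.fromisoformat(t), host)
                  for t, host, parent, _ in events if is_psexec_child(parent))
    best = set()
    for i, (start, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - start <= window}
        if len(hosts) > len(best):
            best = hosts
    return sorted(best) if len(best) >= min_hosts else []

def recovery_tampering(events):
    return sorted({host for _, host, _, cmd in events if TAMPER.search(cmd)})

def triage(events):
    fan, tam = psexec_fanout(events), recovery_tampering(events)
    # Hosts showing both signals are the ones to isolate first.
    return {"psexec_fanout": fan, "recovery_tampering": tam,
            "critical": sorted(set(fan) & set(tam))}

print(triage(SAMPLE))
```
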
Attribution
Ryuk is believed to have originated from a Russian cybercrime group called WIZARD SPIDER. It will not execute if the host language of the infected system is Russian, Ukrainian, or Belarusian. Cyber threat actors choose not to infect machines in their own country to avoid local authorities; the host language setting is a simple way to do this. The similarity between Ryuk and Hermes 2.1 is also important to consider. North Korea used the latter in a Taiwanese bank heist in October 2017. However, Hermes 2.1 was found for sale by Russian threat actors in an online forum one month before the heist. Emotet was also largely operated out of Russia (MUMMY SPIDER). The cybercriminal group behind Ryuk ransomware campaigns is also referred to as UNC 1878.
Prevention
Ryuk is being updated and altered regularly to improve its efficiency and effectiveness. Additionally, many of the tools known to be used by UNC 1878 are open source. Therefore, it is paramount to maintain security updates on all systems and applications. Network segmentation is another basic security practice that will complicate lateral movement if a network is compromised.
Enterprise environments should also consider a real-time threat protection solution. This would improve the chances of detecting suspicious activity within the protected network. It is vital to secure and separate system backups; maintaining an air-gapped backup is the most secure option. The regular updates and changes to Ryuk's functionality indicate that the ransomware will continue to be a threat. Proactive cybersecurity practices make it as difficult as possible to infect and exploit users' systems.
References
Hanel, A. (2019, 1/10). What is Ryuk ransomware? The complete breakdown. Retrieved from https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
Schwartz, M. J. (2021). Ryuk ransomware updated with "worm-like capabilities." Retrieved from https://www.bankinfosecurity.com/ryuk-ransomware-updated-worm-like-capabilities-a-16080