Thursday 8th July 2021

BLOG: Who is RYUK?

Ryuk is a complex ransomware threat that first emerged in August 2018 and has targeted a wide range of organisations ever since. Ryuk is known for using manual hacking techniques and open-source tools to gain access to private networks and administrative access to systems, which in turn enables its file encryption. Ryuk is based on an older ransomware program called ‘Hermes’ and contains the original Hermes base code, which was sold on underground cybercrime forums in 2017. It is believed that Ryuk is the creation of a Russian-speaking cybercriminal group that obtained access to Hermes.

Ryuk tends to target organisations with a lot of important assets, as these organisations are more likely to pay the ransom demands. This technique is referred to as “big game hunting”. The Ryuk operators tend to demand higher ransom payments from their victims than many other ransomware gangs. The ransom amounts associated with Ryuk range between 15 and 50 Bitcoins, or between $100,000 and $500,000, but it has been alleged that higher ransom payments have been paid.

Ryuk is almost solely distributed through TrickBot or follows infection with the Trojan. Following a TrickBot infection and the identification of an interesting target, the Ryuk gang deploys post-exploitation frameworks such as Cobalt Strike or PowerShell Empire that allow them to perform malicious actions on computers without triggering security alerts. PowerShell is a scripting language meant for system administration that leverages the Windows Management Instrumentation (WMI) API and is enabled by default on Windows computers. Its powerful features and widespread availability on computers have made it a popular choice for hackers to abuse.

Ryuk encrypts essentially all files; the only files not encrypted are those with the extensions dll, lnk, hrmlog, ini and exe. It also skips files stored in the Windows System32, Chrome, Mozilla, Internet Explorer and Recycle Bin directories. These exclusion rules are likely meant to preserve system stability and allow the victim to use a browser to make payments.

Ryuk uses strong file encryption based on AES-256. The encryption keys are stored at the end of the encrypted files, and the files' extension is changed to .ryk. The AES keys are encrypted with an RSA-4096 public-private key pair that is controlled by the attackers. No publicly available tool can decrypt Ryuk files without paying the ransom. Ryuk tries to delete volume shadow copies to prevent data recovery through alternative means.
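As an added illustration (not code from the original post), the following Python script applies the exclusion rules and the .ryk extension described above to a file listing from an affected host, to help responders scope what was encrypted. The function names, the component-based directory matching, the `$Recycle.Bin` directory name and the sample paths are assumptions made for this example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Exclusion rules as listed in the article.
SKIPPED_EXTENSIONS = {".dll", ".lnk", ".hrmlog", ".ini", ".exe"}
# Assumption: directories are matched by path-component name, and
# "$recycle.bin" is the on-disk name assumed for the Recycle Bin.
SKIPPED_DIRS = {"system32", "chrome", "mozilla", "internet explorer", "$recycle.bin"}

def in_skipped_dir(path: PureWindowsPath) -> bool:
    """True if any parent directory of the file is on the skip list."""
    return any(part.lower() in SKIPPED_DIRS for part in path.parts[:-1])

def classify(raw: str) -> str:
    path = PureWindowsPath(raw)
    excluded = in_skipped_dir(path)
    if path.suffix.lower() == ".ryk":
        # Assumption: .ryk is appended, so the stem may keep the original extension.
        original_ext = PureWindowsPath(path.stem).suffix.lower()
        if excluded or original_ext in SKIPPED_EXTENSIONS:
            return "anomalous"  # contradicts the exclusion rules above
        return "encrypted"
    if excluded or path.suffix.lower() in SKIPPED_EXTENSIONS:
        return "skipped_by_design"
    return "intact_in_scope"  # not excluded, yet still unencrypted

def triage(listing):
    """Group every path in a file listing by its classification."""
    buckets = defaultdict(list)
    for raw in listing:
        buckets[classify(raw)].append(raw)
    return dict(buckets)

# Constructed sample listing (not from a real incident).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.ryk",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\Word.lnk",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History",
    r"D:\Shares\finance\q2.pdf.ryk",
    r"C:\Windows\System32\drivers\etc\hosts.ryk",
]

if __name__ == "__main__":
    for label, paths in sorted(triage(SAMPLE).items()):
        print(f"{label}: {len(paths)}")
```

Files in the `intact_in_scope` bucket suggest encryption did not complete on that host, while `anomalous` entries do not match the behaviour described above and warrant separate analysis.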
