How To Protect Against Ryuk Ransomware?

How to Protect Your Business From Ryuk Ransomware

Computer viruses and other malware are on the rise, and Ryuk, a ransomware family used by cybercriminals, is the most popular of them. It was responsible for more than a third of all ransomware attacks in the first quarter of 2020.

Ryuk’s popularity among cybercriminals is only increasing. This makes it more likely that computers, servers, or other devices in your IT network (referred to as endpoints by IT professionals) will be affected.

Ryuk’s popularity with criminals is understandable. It is one of the most destructive and effective ransomware families in circulation, and only the best endpoint security software has a chance of stopping it before damage occurs.

There are concrete actions that can be taken to protect your company from Ryuk ransomware. Let’s begin by understanding Ryuk and its operation. We’ll then discuss how to protect against it.

Overview: What is Ryuk ransomware and how does it work?

Ryuk is designed to encrypt the most sensitive data in your company. It uses a three-tiered encryption process that makes it impossible to regain access to your data without paying the ransom.

The ransom is staggering. According to the Center for Internet Security, a typical demand is between $100,000 and $600,000, and the criminals require payment in Bitcoin.

Ryuk is effective at extorting money for several reasons:

  • It prevents your antivirus protections from working.
  • It attempts to infect as many servers and computers as possible within your company.
  • It can corrupt your backup data so that you cannot restore it. Ryuk also targets shadow copies (the Windows technology used for creating backups and snapshots), so if you expect a system restore from shadow copies to get your data back, it won’t.

The number of Ryuk attacks exploded in 2020.

Who is responsible for Ryuk ransomware?

Understanding Ryuk’s code and behavior can help us identify the cyber threat actors (CTAs) behind it. Ryuk’s code structure looks similar to Hermes ransomware, so cybersecurity experts initially believed Ryuk was connected to the Lazarus Group, the North Korean CTAs responsible for Hermes.

Cybersecurity professionals now attribute Ryuk’s origin to two Russian CTAs, CryptoTech and Wizard Spider. Wizard Spider runs TrickBot, a Trojan designed to deliver Ryuk ransomware. CryptoTech claimed that it had transformed Hermes into Ryuk.

How does Ryuk ransomware spread?

Ryuk is delivered with the help of other malware. It relies on TrickBot or Emotet, Trojans turned botnet malware, to take control of your computer and disable your antivirus.

The attack usually begins with an innocent-looking email carrying an attachment that appears to come from a customer or your bank.

When an employee opens the attachment, it triggers a series of commands that infect the machine. Ryuk then spreads to the other computers within your IT environment.

This allows valuable business data to be encrypted wherever it is stored on your network. Alongside the encrypted files, the criminals leave a ransom note detailing their demands, including a video tutorial on how to buy Bitcoin and send the ransom.

Ryuk uses a sophisticated multi-step process to infect your files.

How to protect your business from Ryuk ransomware

Multi-layered security is required to protect your business against Ryuk and other cyber threats like Spider malware. It means implementing every item in the following list.

1. 3-2-1 and other data backup methods

You can blunt Ryuk and other ransomware by making sure you have up-to-date backups. You need backups of your data that Ryuk cannot reach.

The 3-2-1 strategy is a popular choice.

  • 3: Keep at least three copies of your data. The original data is the first; the others are secondary copies.
  • 2: Store these copies on two different storage media. Redundancy ensures that even if one storage device is damaged or attacked, the data can still be accessed on another. You can store data on a NAS, an SSD (solid-state drive), or traditional tape media. You can also use a CD if you don’t have a lot of data.
  • 1: Keep one backup copy in a safe, off-site place. This location must be isolated from your IT network to prevent Ryuk from infecting the backups. Many businesses today use a cloud storage solution such as Box.

The 3-2-1 approach can be modified to meet your specific business needs. You can also use other models to increase data protection.

A 3-2-2 strategy is a better option than a 2-2-2 strategy because it lets you back up your data to multiple off-site locations, for example one cloud-based storage service plus an off-site space that is geographically distant from your business. For even greater security, you can use a 3-2-3 arrangement in which data is stored with two cloud vendors as well as in an off-site location.

The popular 3-2-1 data backup model protects your data.

2. Keep IT systems up to date

Technology vendors regularly provide updates for their products to protect them from new cyber threats. These updates reduce your network’s exposure to Ryuk and other malicious software. This applies to hardware like modems and routers as well.

Much software has an automatic update process that checks for updates online and installs them without intervention. That may not be true for your hardware.

Charter Communications provides a free modem for my internet service. However, they are not responsible for updating or patching it. Your business might need to purchase its own modem in these cases to ensure your security.

3. Disable macros

A macro is a small program that automates repetitive tasks. Microsoft Office supports macros across its products.

Criminals can use these macros to execute commands that take control of your computer. This is a common tactic in Ryuk ransomware attacks.

Most employees don’t need macros to perform their jobs, so it is safer to disable macros by default. Microsoft offers settings for this.
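As an added example, not taken from the article, the following PowerShell script audits and enforces the per-user Office macro policy through the registry values that Microsoft’s Group Policy templates write. It assumes an Office version that uses the "16.0" policy path (Office 2016, 2019 and Microsoft 365) and the applications listed in `$apps`; adjust both for your environment.

```powershell
# Added example, not from the original article: audit and enforce Office macro
# policy for the current user. Assumes Office builds that use the "16.0" policy
# path (Office 2016/2019/365); change the version segment for other builds.
$apps = @('Word', 'Excel', 'PowerPoint')

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    if (-not (Test-Path $key)) {
        # -Force creates the intermediate keys if they do not exist yet
        New-Item -Path $key -Force | Out-Null
    }

    # VBAWarnings: 1 = enable all macros (weak), 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $current -or $current -lt 3) {
        Write-Warning "${app}: macro setting is '$current'; enforcing 'disable all except signed'"
    }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 3 -Type DWord

    # Block macros in documents that carry the Mark-of-the-Web (downloaded or
    # received as email attachments), the delivery path described above.
    Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
}

# Report the resulting state so the change can be verified at a glance
foreach ($app in $apps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Setting `VBAWarnings` to 4 is stricter still (no macros at all, signed or not); in a managed domain the same values are normally deployed centrally through Group Policy rather than per machine.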

4. Educate staff

Cybercriminals target unsuspecting victims. Raise awareness and teach your team how to avoid Ryuk.

These online behaviors will increase the safety of your company.

  • Email is the most common medium for delivering malware. Never open emails from unknown sources; delete them immediately.
  • Cybercriminals will try to trick and deceive you. They send emails that appear to come from customers, familiar sources such as your bank, or a coworker whose computer has been infected. An email may appear to be from a trusted source yet not be what you expected, or it may threaten dire consequences if you don’t open the attachments or click its links. Check with the sender to confirm that the email is legitimate.
  • Only download software from official sources. Avoid free software offers from unknown brands; these free programs often contain malware.
  • Your device can be infected simply by visiting a website. Many sites download images and other files to your computer, and a malicious site can use that to infect it. Keep your browser software up to date, and avoid suspicious, questionable, or unfamiliar websites.
  • Cybercriminals may copy official websites to trick you. Your credentials may be stolen when you log in to what appears to be your bank’s official website, and with those logins criminals can reach your sensitive data and bypass antivirus protection. Avoid this by typing the site’s URL directly into your browser rather than clicking a link in an email.

Even in companies with a security operations center (SOC), it’s often assumed that people understand how to protect themselves from cyber threats. Criminal tactics keep changing and many people cannot keep up, so education must be ongoing.

5. Endpoint security software is a must

Endpoint protection is a requirement for all computing devices. Every endpoint, whether it’s a server, laptop, or mobile phone, is a possible entry point for criminals.

If you’re a freelancer or solo entrepreneur with a home-based business, you can usually get by with the Microsoft antivirus preinstalled on Windows computers. Microsoft has significantly improved its antivirus software, adding artificial intelligence and other advanced protection capabilities.

Larger companies require more robust endpoint security. Software such as the CrowdStrike Falcon platform can proactively detect Ryuk behavior and stop it before it infects your network.

Endpoint security software can also make sure that all software and hardware within an organization is up to date with the latest patches, identifying the areas that need attention. It also keeps suspicious emails and websites from reaching unwitting staff.