Ryuk Ransomware Ioc

Ryuk is a ransomware variant that was created by hacker group WIZARD SPIDER. It has been used to compromise governments, universities, healthcare, manufacturing, and other technology organizations. Ryuk was the most sought-after ransomware variant in 2019, with a demand of USD 12.5 million. It is likely to have a net worth of USD 150 million by 2020.

Ryuk ransomware attack

Ryuk (pronounced ree-look) is a ransomware family that was first discovered in mid-2018. The New York Times reported in December 2018 that Ryuk had infected Tribune Publishing, disrupting printing in San Diego as well as Florida. The Wall Street Journal and the New York Times shared a Los Angeles printing facility. The attack also caused distribution problems for Saturday editions of both newspapers.

Ryuk, a variant of the older Hermes ransomware is the most deadly ransomware attack. Ryuk is responsible for three of the 10 most significant ransom demands of the year, including USD 5.3million, $9.9million, and $12.5million in the CrowdStrike 2020 Global Threat Report. Ryuk has attacked companies and industries around the world. Hackers refer to the attack on large corporations as “big game hunting” (BGH).

This ransomware family is named Death Note in Japanese. It’s a strange choice since it causes the victims to lose money or data. However, hackers could consider it a gift from God.

WIZARD SPIDER, a Russian cybercriminal group, is suspected to be behind Ryuk ransomware. UNC1878 is an Eastern European threat actor that has been involved in some attacks targeting healthcare. This ransomware cannot be distributed directly; hackers first download other malware onto a machine.

Ryuk infects systems by shutting down 180 services and 40 processes. These services and processes can be used to prevent Ryuk from performing its work or are necessary for the attack.

The encryption can then take place. Ryuk encrypts all data, including photos, videos, documents, and databases using AES256 encryption. The symmetric encryption keys of the key are encrypted with asymmetric RSA-4096.

Ryuk can encrypt remotely from anywhere, even remote administrative shares. It can also perform Wake-On-Lan, which wakes computers to encrypt. These capabilities increase the effectiveness and range of the encryption, as well as the potential damage it can do.

The hackers leave ransom notes in the system as RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt that read something like the following screenshot.

Ryuk attack vector

Ryuk can infect targeted systems by downloading as a service (DaaS). DaaS refers to a hacker offering a service to another. A hacker may create ransomware, but not know how to distribute it. Other hackers can help.

Unwitting victims are often sucked in by phishing emails that allow for the initial infection. According to AdvIntel, 91% of all attacks start with a phishing email. It is vital to teaching users how to recognize phishing emails. The likelihood of being infected is greatly reduced by training. See PhishingInsights.

Ryuk is a well-known ransomware service (RaaS), program that has the largest infection scope. Ransomware is a service (RaaS), which is a method by which ransomware developers offer it to other hackers. Developers receive a share of successful ransom payments. RaaS refers to the software-as-a-service (SaaS), model.

Once the user clicks on the phishing email, Ryuk downloads additional malware elements called droppers. Additional malware elements include Trickbot, Zloader, and BazarBackdoor. These droppers could install Ryuk directly.

To communicate with a command-and-control (C2) network, they could also install Cobalt Strike Beacon malware. Ryuk can download the malware once it is installed. Ryuk has also taken advantage of exploits such as the ZeroLogon vulnerability in Windows servers.

Below is a diagram of Ryuk’s attack kill or infection path.

Sophos Group, a British security firm, discovered Ryuk’s attack flow. Also known as the attack kill chain, it was identified by Sophos Group. The diagram is below.


Trickbot was created in 2016 and is believed to be controlled by WIZARD SPIDER. This hacking group also operates Ryuk. This malware was used to steal user credentials, personally identifiable data, and bitcoins.

Skilled hackers designed Trickbot. It was designed to search for files on infected systems and other purposes. It can also be moved laterally across a network, from one machine to the next. Trickbot now has the ability to harvest credential information, crypto mining, and many other functions, but its main function is to distribute Ryuk ransomware.

Ryuk signs of compromise

Ransomware can cause severe damage. It is better to stop it from happening. This is not always possible so operations personnel must be alert for signs of ransomware attacks and take immediate steps to stop further damage.

It is difficult to detect Ryuk because it can infect systems with multiple attack vectors. Many indicators of compromise (IOCs), which allow network and security administrators to see the signs of a Ryuk attack, are available.

BazarLoader is a dropper that allows Ryuk to enter. Droppers, also known as DaaS, are malware that downloads additional malware. These are the IOCs of BazarLoader to be on your guard:

  • The Windows registry contains a scheduled task called “StartAdAd-Ad”, with autorun entries being added next
  • Files with dual extensions such as Report.DOC.exe can be executed

TrickBot is another common entry to Ryuk. Its IOC is an executable that has a randomly generated 12-character file name. TrickBot will create the file, mnfjdieks.exe, and it will be located in one of these directories.

  • C:Windows
  • C:WindowsSysWOW64
  • C:\Users\[Username]\AppData\Roaming

For a complete list of TrickBot IOCs, please see the alert on the U.S. Cybersecurity & Infrastructure Security Agency (CISA) website.

The following screenshot is often the first IOC that a company sees. This screenshot shows that Ryuk has encrypted sensitive data and infected the company. The company should have prepared with good incident response plans and playbooks and have offline backed up all data.

2020 Ryuk ransomware attacks

Ryuk can be used as a BGH and has been used to attack schools, governments, technology companies, school systems, and other institutions. Sopra Steria, an IT services company in France with a cybersecurity business, was infected by Ryuk in 2020. They thought it would take weeks to fully recover.

Ryuk is a major threat to healthcare and it appears that Covid-19 played a role in the attack on healthcare overall. Universal Health Services (UHS), a Fortune 500 healthcare company, has hospitals in the U.S.A and U.K. On September 27, 2020, the company was hit by Ryuk ransomware.

BleepingComputer reported that the most likely infection point for UHS was a phishing email. Emotet, which is a trojan-like program, would have been included in the phishing email. Emotet would have downloaded Trickbot which enabled the WIZARD SPIDER hacker group to manually install Ryuk using a reverse shell.

Two more Ryuk-infected medical centers were infected by hackers in October 2020. The Sky Lakes Medical Center in Oregon was the victim, while the Lawrence Health System in New York was the other. Computer systems were taken offline by the attacks, rendering electronic health records unusable. The attack only made things worse for hospitals already under stress from COVID-19 patient care. These hospital attacks often lasted weeks.

Ransomware best practices

Companies and individuals have many options to prevent ransomware and malware. Here are some top examples.

  • Make sure that patches are applied to OS, firmware, and software
  • Multi-factor authentication is strongly recommended wherever possible. 2FA is an example. The U.S. National Institute of Standards and Technology recommends that SMS not be used as a second factor.
  • Audit accounts, access, logs, or any other information you can to verify configurations.
  • Keep data backups and keep them offline for critical systems.
  • Educate users about phishing emails. The users are the ones who receive, read, and respond to emails.