Ryuk

Ryuk ransomware was first detected in August 2018 and is spread via highly targeted attacks, although the infection method is currently unknown. According to Check Point researchers, when Ryuk infects a system, it kills over 40 processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names. Additionally, Ryuk requires Admin privileges to run and maintains persistence by writing itself to the Run registry key. Researchers have noted several similarities to the Hermes ransomware, suggesting that the recent Ryuk campaigns may be related to the Hermes operators or another threat actor who has obtained the Hermes source code. Some of the similarities between Hermes and Ryuk include the same file marker for encrypted files, similar whitelisted folders, and a similar script to delete shadow volumes and backup files. Ransom demands have varied among victims, ranging from 15 BTC to 50 BTC, with a combined profit of over $640,000 in bitcoin generated from victim payments.
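The process-killing and Run-key persistence behaviour described above is noisy from a defender's point of view, because a single unexpected parent process issuing dozens of taskkill and net stop commands within seconds is unusual on a healthy host. The following Python is an added example, not code from the NJCCIC page or from Check Point's research: it runs simple detection logic over constructed process-creation events (a simplified Sysmon Event ID 1 / Security 4688 shape, with field layout, host names, binary paths and service names all assumed for the example) and raises an alert for a burst of kill/stop commands from one parent and for a write to a CurrentVersion\Run key.

```python
"""Detection logic for Ryuk-style mass process/service termination and
Run-key persistence, run over constructed sample process-creation events.
Added example; the event layout and all sample values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each constructed event: (ISO timestamp, host, parent image path, command line).
SAMPLE_EVENTS = [
    # Benign: an administrator kills one stuck process from a console (no alert expected)
    ("2019-01-02T03:14:05", "WS-042", r"C:\Windows\System32\cmd.exe", "taskkill /IM notepad.exe /F"),
    ("2019-01-02T03:14:09", "WS-042", r"C:\Windows\explorer.exe", r'"C:\Program Files\Example\app.exe"'),
    # Suspicious: one unexpected parent binary issues a burst of kill/stop commands
    ("2019-01-02T03:20:00", "SRV-FILE01", r"C:\Users\Public\payload.exe", "taskkill /IM backupagent.exe /F"),
    ("2019-01-02T03:20:01", "SRV-FILE01", r"C:\Users\Public\payload.exe", "taskkill /IM dbserver.exe /F"),
    ("2019-01-02T03:20:01", "SRV-FILE01", r"C:\Users\Public\payload.exe", "net stop BackupSvc /y"),
    ("2019-01-02T03:20:02", "SRV-FILE01", r"C:\Users\Public\payload.exe", "net stop DatabaseSvc /y"),
    ("2019-01-02T03:20:03", "SRV-FILE01", r"C:\Users\Public\payload.exe", "taskkill /IM mailclient.exe /F"),
    ("2019-01-02T03:20:04", "SRV-FILE01", r"C:\Users\Public\payload.exe", "net stop ShadowCopySvc /y"),
    # Persistence: the payload path is written into the per-user Run key
    ("2019-01-02T03:20:10", "SRV-FILE01", r"C:\Users\Public\payload.exe",
     r'reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v updater /t REG_SZ '
     r'/d "C:\Users\Public\payload.exe" /f'),
]

# taskkill invoked bare or by full path, with or without the .exe suffix
TASKKILL_RE = re.compile(r'(?:^|\\)taskkill(?:\.exe)?\b', re.IGNORECASE)
# "net stop <service>" (does not match netstat, netsh, etc.)
NETSTOP_RE = re.compile(r'(?:^|\\)net(?:\.exe)?\s+stop\b', re.IGNORECASE)
# reg add targeting any ...\CurrentVersion\Run key (HKCU or HKLM)
RUN_KEY_RE = re.compile(r'reg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b', re.IGNORECASE)


def detect_ryuk_like(events, threshold=5, window_seconds=60):
    """Return a list of alert dicts.

    mass_process_kill: at least `threshold` taskkill/net stop commands from the
    same (host, parent image) inside any `window_seconds` sliding window.
    run_key_persistence: any reg add that writes a CurrentVersion\\Run value.
    """
    alerts = []
    kill_times = defaultdict(list)  # (host, parent) -> [datetime, ...]

    for ts, host, parent, cmd in events:
        if TASKKILL_RE.search(cmd) or NETSTOP_RE.search(cmd):
            kill_times[(host, parent)].append(datetime.fromisoformat(ts))
        if RUN_KEY_RE.search(cmd):
            alerts.append({"rule": "run_key_persistence", "host": host,
                           "parent": parent, "command": cmd})

    window = timedelta(seconds=window_seconds)
    for (host, parent), times in kill_times.items():
        times.sort()
        start, max_in_window = 0, 0
        # Sliding window: advance `start` until the window fits, then count
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window >= threshold:
            alerts.append({"rule": "mass_process_kill", "host": host,
                           "parent": parent, "count": max_in_window})
    return alerts


if __name__ == "__main__":
    for alert in detect_ryuk_like(SAMPLE_EVENTS):
        print(alert)
```

The threshold of five commands in sixty seconds is a starting point, not a tuned value; legitimate maintenance scripts that stop several services should be reviewed and, if expected, excluded by parent image rather than by raising the threshold globally, since the parent process is the part of this pattern an attacker controls least easily.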

  • Check Point provides more information about Ryuk here.

  • The NJCCIC is not currently aware of any free decryption tools available for Ryuk ransomware.

  • UPDATE 12/31/2018: Ryuk ransomware variant suspected in malware incident affecting the Chicago Tribune.

  • UPDATE 1/2/2019: Ryuk ransomware infected computer systems at cloud hosting provider DataResolution.net on 12/31/2018.

  • UPDATE 1/14/2018: Ryuk is now believed to have been developed by profit-motivated cyber-criminals and is being delivered subsequent to an initial TrickBot or Emotet infection.

  • UPDATE 6/19/2019: A new variant of Ryuk has been detected that adds a blacklist of specific IP addresses to avoid encrypting certain computers. In addition, this new variant compares the computer name to the strings "SPB", "Spb", "spb", "MSK", "Msk", and "msk". If the computer name contains any of these strings, Ryuk will not encrypt the computer. Researchers believe this is likely intended to avoid encrypting Russian computers.

  • UPDATE 6/22/2019: The National Cyber Security Centre (NCSC) is investigating an active Ryuk ransomware campaign targeting organizations worldwide. Emotet and TrickBot malware have been detected on targeted networks.

    • For technical details, IOCs, and mitigation techniques for this campaign, please see the NCSC advisory.

Image Source: Check Point