Ryuk ransomware was first detected in August 2018 and is spread via highly targeted attacks, although the infection method is currently unknown. According to Check Point researchers, when Ryuk infects a system, it kills over 40 processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names. Additionally, Ryuk requires Admin privileges to run and maintains persistence by writing itself to the Run registry key. Researchers have noted several similarities to the Hermes ransomware, suggesting that the recent Ryuk campaigns may be related to the Hermes operators or another threat actor who has obtained the Hermes source code. Some of the similarities between Hermes and Ryuk include the same file marker for encrypted files, similar whitelisted folders, and a similar script to delete shadow volumes and backup files. Ransom demands have varied among victims, ranging from 15 BTC to 50 BTC, with a combined profit of over $640,000 in bitcoin generated from victim payments.
- Check Point provides more information about Ryuk here.
- The NJCCIC is not currently aware of any free decryption tools available for Ryuk ransomware.
Image Source: Check Point