If you’re a manga fan, you might think Ryuk is just a fictional character from the series Death Note. Wrong Ryuk. Although the threat actors likely based the name on this character, in cybersecurity terms Ryuk is a dangerous ransomware that is famous for targeting large organizations running Windows. Like many other ransomware operations, Ryuk encrypts the data held within the company and keeps it locked until the victim pays a designated amount of money in Bitcoin.
This article will cover everything we know about Ryuk, from its origins and methodology, to how you can spot or protect against Ryuk in your own IT environment.
Who exactly is behind Ryuk ransomware, and where did it come from?
The Ryuk ransomware is thought to be the invention of one or more Russian crime groups, including WIZARD SPIDER, a crime group that the Russian government is thought to tolerate and perhaps even support. It was first brought to public attention back in 2018, when the ransomware began targeting high-profile organizations. Here is an example of the kind of ransom note that the group leaves for the organization under attack; Check Point security reports that it led to a record-high ransom payment of 50 Bitcoin (around $320,000).
spitals, municipal operations, and newspapers – wherever the criminals can do the most damage. Examples are Onslow’s Water and Sewer Authority (OWASA), the Los Angeles Times, and British, German and American healthcare facilities.
How does Ryuk work?
Microsoft describes Ryuk as a “preventable disaster” because it belongs to the category of human-operated ransomware. According to Microsoft, you can help to stop and slow these kinds of attacks with security best practices. First, let’s understand how a Ryuk attack unfolds.
A Ryuk attack will start with human error, for example an employee clicking on a malicious link in an email, where the attackers will use Emotet or Trickbot. The usual approaches are via an unprotected RDP port, via a phishing email, or through attachments and downloads into the network.
Now, the lateral movement begins. This is how the attackers take steps to access additional parts of the network. The payload downloaded is usually a Cobalt Strike beacon or PowerShell Empire, which can be leveraged to access additional data and systems. This could happen immediately, or the payload can remain dormant in the network for weeks or even months before the attackers take it any further. Microsoft commented that Trickbot “is often considered a low-priority threat, and not remediated and isolated with the same degree of scrutiny as other, more high-profile malware.” This gives attackers a lot more freedom to fly under the radar and achieve longer dwell time without mitigation, gathering credentials that allow them to disable the security tools that could stop them in their tracks, such as antivirus or system recovery tools.
Windows’ default approach is to keep 64 shadow backups so that users can recover lost or damaged files, but Ryuk immediately deletes these, and then also resizes the storage space allocated to them so that they cannot be recreated.
Finally, Ryuk is ready to encrypt files. AES keys will be created for the victim files, and then a second RSA key is also used. Every single drive and network share on the system will be impacted, leaving just “RyukReadMe.txt” found in each folder. This is where the ransom note will be found.
How to protect against Ryuk in your IT environment
As Ryuk is not a widespread ransomware, and it’s only been found in targeted attacks, it’s much harder to trace and there is not a lot of information available about the MO of the criminal group behind the ransomware. Once you are the victim of a Ryuk ransomware attack, you might be able to remove Ryuk from your network, but you’ll still have encrypted files, as only the attackers have the key to unlock them.
The best protection is therefore defensive action that hardens your network to stop Ryuk from making it through your defenses in the first place. As an MSP or an IT professional, you have a responsibility to ensure that you’re deploying best practices in your environment. Always make sure that robust security tools are in place, and never disable antivirus or anti-malware to improve performance or speed. Ensure you’re using firewall protection and also have multi-factor authentication in place. Speak to your colleagues, employees or customers about using strong credentials, and suggest tools for randomized local admin passwords.
It’s also important to prioritize alerts for seemingly narrow malware issues such as Emotet and Trickbot, which could be the early stages of a Ryuk attack. Monitor for items like brute-force attempts, as well as for clearing of event logs, and also make sure to track high-privileged accounts closely for any anomalous activity.
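The monitoring described above, combined with the shadow-copy tampering from the "How does Ryuk work?" section, as an added example that is not part of the original article: a small triage function run over constructed Windows Security log records. The record field names, the privileged-account list, the thresholds, and the assumption that shadow copies and event logs are altered through the vssadmin and wevtutil utilities are illustrative choices, not details from the article.

```python
import re
from collections import defaultdict, deque

# Windows Security log event IDs: 4625 failed logon, 4688 process creation,
# 1102 audit log cleared. The dict field names used below are assumptions.
SHADOW_TAMPER = re.compile(
    r"\bvssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
PRIVILEGED = {"administrator", "da_jsmith"}  # assumed high-privilege accounts

def triage(events, max_failures=5, window_s=60):
    """Return (rule, host, user, priority) alerts for time-ordered events."""
    alerts, failures = [], defaultdict(deque)

    def alert(rule, ev):
        prio = "high" if ev["user"].lower() in PRIVILEGED else "medium"
        alerts.append((rule, ev["host"], ev["user"], prio))

    for ev in events:
        if ev["id"] == 4625:
            recent = failures[(ev["src"], ev["user"])]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window_s:  # drop failures outside window
                recent.popleft()
            if len(recent) == max_failures:  # fire when the count hits the threshold
                alert("brute_force", ev)
        elif ev["id"] == 1102:
            alert("log_cleared", ev)
        elif ev["id"] == 4688:
            if SHADOW_TAMPER.search(ev["cmd"]):
                alert("shadow_copy_tamper", ev)
            elif LOG_CLEAR.search(ev["cmd"]):
                alert("log_cleared", ev)
    return alerts

# Constructed sample events (not from a real incident); "ts" is in seconds.
SAMPLE = (
    [{"id": 4625, "ts": t, "host": "FS01", "user": "Administrator",
      "src": "10.0.0.50"} for t in range(0, 50, 10)]
    + [
        {"id": 4688, "ts": 300, "host": "FS01", "user": "da_jsmith",
         "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
        {"id": 4688, "ts": 301, "host": "FS01", "user": "da_jsmith",
         "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
        {"id": 4688, "ts": 302, "host": "FS01", "user": "helpdesk1",
         "cmd": "vssadmin list shadows"},
        {"id": 1102, "ts": 310, "host": "FS01", "user": "da_jsmith"},
    ]
)
```

Calling `triage(SAMPLE)` yields one brute-force alert, two shadow-copy alerts and one log-clearing alert, all at high priority because the accounts involved are in the privileged list; the read-only `vssadmin list shadows` call is ignored.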
When an attack or an incident occurs, make sure to investigate the attack surface fully and try to find out how the attackers got in to begin with, perhaps with a “no consequences” call for employees to admit to mistakes made in their security hygiene.
You can harden your environment to prevent lateral movement inside the network by adding security measures such as micro-segmentation that can ring-fence the most critical data and systems away from harm, and by using the principle of least privilege and zero trust access policies to limit the likelihood of attackers making it to your crown jewels.
Additional steps you can take to improve your security defenses are ensuring Windows Defender Firewall is being used, enabling tamper protection and cloud-delivered protection in a hybrid environment, and turning on attack surface reduction rules.
Atera offers strong monitoring capabilities and provides full visibility and control.