RYUK Ransomware (27th January 2021)

Ref# T2021_02 | Date: Feb 3rd 2021


Ransomware is a form of malware that holds a victims data at ransom. The data is then encrypted so it cannot be retrieved or accessed (crypto ransomware), a ransom payment for the data to be unlocked is then requested.

How it works 

Ryuk tries to encrypt all available files and hosts which have Address Resolution Protocol (ARP) entries. A file extension .ryk is appended to each encrypted file, while all directories also contain the ransom note. Ryuk, then deletes any existing shadow copies of the encrypted files. The Ryuk Ransomware is known to run from the Temp folder with a random name and saves a ransom note on the user”s desktop that is titled RyukReadMe.txt. The developers offer a free decryption of two files to prove that decryption is achievable and, attempt, to give the belief that they can be trusted.  

Ryuk uses RSA-2048 and AES-256 encryption algorithms and Microsoft SIMPLEBLOB format to store keys in the malware executable, it is similar to HERMES and both use the marker “HERMES” to check whether a file has been encrypted.  

 How it is Distributed 

Ryuk attacks companies that they select(targeted), it is either distributed via spear-phishing emails or Internet-exposed, poorly secured Remote Desktop Protocol (RDP) connections. It is operated manually. This means that Ryuk gathers information and data about the targeted network, such as network mapping and retrieval of credentials, the data can be obtained from other malware infections on the targeted network, such as Emotet and TrickBot before installing Ryuk. 

Emotet uses spam emails attached Microsoft Office documents corrupted with malicious scripts, to trick users into opening and running the attachment, Emotet then sends addition malware across the network, such as trickBot, when trickBot is installed and executed it begins to steal credentials, these credentials are used to move lateral in the network, then trickBot drops ryuk ransomware.  

Indicators of Compromise (IOC) 

  1. Ryuk Ransomware creates the following file(s): 


File Name 



Detection Count 










  1. Watch out for an increase in file renames. 

A huge increase in file renames will show as your data gets encrypted, this can trigger behavior alert, it can be set to send out an alert if the number of renames exceed a certain threshold, example: you can base the alert on 4 or more renames per second. 

  1. Indicators of compromise such as IP addresses, domains and SHA-256 samples can be found by following the below URL:


Removing Ryuk Ransomware

There are steps that are necessary to be taken when it is suspected that a system is infected with ransomware:

STEP 1. Isolate the infected device(s):

  • Log out of all cloud storage.
  • Disconnect the infected device from the network and the internet. You may even go as far as disabling all Network Interface Cards.
  • Disconnect all External Storage devices

STEP 2. Re-image the infected device(s)

STEP 3. Restore clean copy of files from backups.

PDF Download: RYUK Ransomware.pdf


  1. Ryuk Ransomware: Extensive Attack Infrastructure (29 Oct, 2020), Retrieved from RiskIQ https://www.riskiq.com/blog/external-threat-management/ryuk-ransoware-indicators/
  2. Lets talk Ryuk ransomware, Retrieved from Malarebyte https://www.malwarebytes.com/ryuk-ransomware/
  3. Solutions and Protections against RYUK Ransomware (17 Dec 2020) Retrieved from TrendMicro https://success.trendmicro.com/solution/1123892-ryuk-ransomware-information
  4. What is Ransomware, Retrieved from Macfee https://www.mcafee.com/enterprise/en-us/security-awareness/ransomware.html
  5. Ryuk ransomware behind one third of all ransomware attacks in 2020( 3 November, 2020),Retrived from Help Net Security https://www.helpnetsecurity.com/2020/11/03/ryuk-ransomware-2020/
  6. Ryuk Ransomware Retrivevd from Enigma Software https://www.enigmasoftware.com/ryukransomware-removal/?gclid=EAIaIQobChMI1orD1Ie87QIVA5SGCh0jTAFXEAAYASAAEgLmavD_BwE