This report is an overview of the Ryuk ransomware and contains actionable intelligence for understanding and protecting against the malware threat.


Overview of Ryuk Ransomware

Discovered in 2018, this ransomware continues to attract publicity because of its impact on large organizations. Malware researchers have noted increased activity by the ransomware in recent months. Most recently, Ryuk successfully attacked Universal Health Services, one of the largest healthcare providers in the nation.

Ryuk has been attributed to a few threat actors with its origins traced to North Korea or Russia. The Russia-based threat actor, Wizard Spider, appears to be behind the ransomware attacks and is also credited with activity by the TrickBot malware.


Ryuk Ransomware Tactics, Techniques, and Procedures

Malware researchers believe Ryuk is a derivative of the older Hermes ransomware, since it reuses much of Hermes' code. However, Ryuk has continued to develop beyond Hermes since its discovery. At this time only Windows OS devices appear to be targeted.

Similar to other malware, an infection by Ryuk often begins with a phishing campaign. The campaign may infect victims with the ransomware directly, or may first infect them with Emotet or TrickBot.

The threat actor may later decide to push out the Ryuk ransomware executable payload to encrypt the system. PowerShell scripts are commonly used for the download, leveraging tools like PowerShell Empire and PsExec. Avertium partner Sophos offers this graphic to depict an example chain of infection.


Ryuk ransomware chain of infection


Ryuk is distributed with a dropper for the actual executable payload. The dropper is not often seen, as it is deleted from the system once the payload runs. The dropper randomly generates the payload file name upon installation.

Before encryption, the malware checks the system to determine whether VirtualBox is being used or whether the language is Russian, Ukrainian, or Belarusian, and will not execute on these systems. Ryuk enumerates the network and all drives on the host to encrypt all mounted drives on the system and any hosts it can reach remotely. Ryuk uses RSA-2048 and AES-256 to encrypt the files. Once encrypted, a ransom note is placed on the system requesting Bitcoin payment for the decryption of files.

The below example is provided by CrowdStrike:

Ryuk ransomware ransom note sample


What Ryuk Infection Means to You

  • The infection leads to data encryption or loss.

  • Sensitive business data may be leaked to the public.

  • Wizard Spider has requested payments of up to 99 BTC, approximately $1,047,429.

  • The true cost of a ransomware infection can far exceed the ransom demand because of factors such as system downtime.


What You Can Do About Ryuk

  • Provide users with training on best practices to avoid phishing, as well as awareness of recent trends in phishing campaigns.

  • Regularly update Windows hosts with recently released patches.

  • Update older versions of Windows to Windows 10 for increased security features.

  • Implement a regular backup schedule for systems, especially those with critical data.

  • Use Endpoint Protection with anti-ransomware features such as Sophos Intercept X.

  • Implement best practices and security features for PowerShell on your network.

    • Run PowerShell 5.0 or greater on systems requiring PowerShell.

    • Implement the principle of least privilege, allowing PowerShell and related tools like PsExec to be run only by the users and hosts that require them.

    • Enable script block logging and transcription to better log PowerShell activity.
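The three PowerShell recommendations above, applied as an added example that is not part of the Avertium report: it checks the PowerShell version, sets the machine-wide policy registry values for script block logging and transcription, and reads back the policy plus the newest script block events so an operator can confirm logging works. It assumes an elevated session, and the transcript directory C:\PSTranscripts is a placeholder to replace with your own (ideally a write-only share).

```powershell
# Added example, not from the Avertium report. Run from an elevated session.
#Requires -RunAsAdministrator

$TranscriptDir = 'C:\PSTranscripts'   # assumed placeholder; use a write-only share in production

# 1. Script block logging needs PowerShell 5.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell $($PSVersionTable.PSVersion) found; upgrade to 5.0 or later (WMF 5.1)."
}

# 2. Script block logging: the content of every executed script block is written as
#    event ID 4104 to Microsoft-Windows-PowerShell/Operational, so in-memory or
#    obfuscated downloaders still leave their de-obfuscated code in the log.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 3. Transcription: a text transcript of each session, with an invocation header
#    (user, host, start time), is written to $TranscriptDir.
$tr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
New-Item -Path $tr -Force | Out-Null
Set-ItemProperty -Path $tr -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path $tr -Name OutputDirectory        -Value $TranscriptDir -Type String
New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null

# 4. Verify the policy values that were just written.
function Test-PowerShellLoggingPolicy {
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty $sbl).EnableScriptBlockLogging -eq 1
        Transcription      = (Get-ItemProperty $tr).EnableTranscripting -eq 1
        TranscriptDir      = (Get-ItemProperty $tr).OutputDirectory
    }
}
Test-PowerShellLoggingPolicy

# 5. Show the five most recent logged script blocks (Properties[2] is ScriptBlockText)
#    to confirm script content is reaching the event log.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Forward the 4104 events and the transcript directory to your SIEM; the same registry values can be delivered fleet-wide through the equivalent Group Policy settings under Administrative Templates > Windows Components > Windows PowerShell.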





Indicators of Compromise (IOCs)


MITRE Mapping(s)


Sources and Other Helpful Information



Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
