What is Ryuk ransomware and how to protect against it

When it first rolled out in August 2018, Ryuk ransomware fooled many into thinking it was a product of North Korean hacker groups. This system turned out to be a weapon created in Russia. According to FBI analysts, the software is used by two cybercrime syndicates, and it has proved to be lucrative, reaping more than $61 million in its first year of operations.

Ryuk is a Cold War throwback because it doesn’t seem to launch against any ex-USSR states. Its main targets are in the United States and, secondarily, in the US’s allied states. The Ryuk ransomware first became noticed during a campaign that attacked major US print news media, including the Wall Street Journal, the New York Times, the Los Angeles Times, the Fort Lauderdale Sun-Sentinel, and the San Diego Union-Tribune. After its first year targeting US businesses, the hackers spent a year attacking hospitals, schools, and local government offices, mainly in the USA, the UK, Australia, and Germany.

Like most malware, Ryuk ransomware targets the most widely distributed operating system: Windows. The ransom is expected to be paid in Bitcoin. The exact amount demanded for the ransom varies from attack to attack. Early rounds of infections required Bitcoin valued at $145,000. However, the price has lowered with more recent attacks, going down to an average of $71,000 per attack. Despite this discounting, Ryuk has become the highest-earning ransomware to date.

What is distinctive about Ryuk?

Ryuk has several features that make it different from more famous ransomware. While systems such as WannaCry became famous through large-scale rollouts worldwide, Ryuk is less well known because it hasn’t been spread as widely.

Ryuk is only used in targeted attacks and does not spread organically from system to system. While some ransomware crosses the internet like seeds on the wind, hitting fertile soil and stony ground equally, Ryuk is a missile, pointed manually.

There is no single iconic notification screen for Ryuk ransomware, which might explain why it has failed to make the headlines as much as its rivals. The Ryuk warning is tailored for each attack with different text. This isn’t a standard format with variations slotted in but individually composed messages with no standard length or tone. However, the demand is delivered by email in every case and always written in English.

Where does Ryuk come from?

The hackers that created Ryuk are fans of unreconstructed Soviet Communism. Their ransom notes are peppered with references to the works of Lenin, and the exclusive targeting of American businesses indicates a certain level of grudge in the motivations of its users. The high ransom shows that the hackers aren’t interested in dealing with the public – many ransomware strains ask for as little as $500.

So, Ryuk makes considerable demands and hits large organizations. Despite this big business attitude, the hackers haven’t applied professional-style software development processes to create the code. The program is full of coding errors and is poorly laid out. This indicates that it was written by possibly only one programmer rather than by a team. Individuals working without supervision or a software specification tend to produce untidy, flawed code like Ryuk. The producer didn’t waste much time on testing either because the ability of the delivered decryption key to restore infected files is hit and miss.

Ryuk wasn’t created by one of the large, state-guided hacker groups in Russia. The system is believed to be a property of the Wizard Spider group based around Saint Petersburg in Russia. Wizard Spider involves around 80 people – many of whom don’t realize that they are working for a hacker group.

It is possible that Wizard Spider subsequently let another hacker group in on the tool for a fee. The first user of Ryuk ransomware, Wizard Spider, is uncompromising: it always asked for a Bitcoin payment that was worth $145,000 at the time, with no negotiation. The second hacker group using Ryuk is prepared to negotiate, and this second group is the reason why the average demand has come down over time.

Wizard Spider software, including Ryuk, will uninstall itself if it detects the Russian language setting in the operating system, and it won’t go to IP addresses in former Soviet nations.

What does Ryuk mean?

Ryuk is a character in a manga franchise in Japan called Death Note. The series follows Light Yagami, who picks up a notebook with names written in it. Ryuk, a Shinigami, wrote the notebook. A Shinigami is a type of spirit or god that lures mortals to their death so that their souls can populate the underworld.

The notebook was Ryuk’s hit list, and he dropped it accidentally. However, it transpires that maybe the loss wasn’t accidental and possibly the names inside the notebook are of no significance. The notebook is like a beacon, and anyone that touches it instantly becomes known to Ryuk, who suddenly appears. Touching the note makes someone a target of Ryuk.

How does Ryuk ransomware work?

Ryuk is an amalgamation of two earlier pieces of malware, called Trickbot and Hermes. Trickbot is a delivery system that Wizard Spider developed. Hermes is a ransomware program that was circulated for sale on hacker sites, so it has been acquired as a tool by other hacker groups. It seems that Wizard Spider bought Hermes and added it on to Trickbot to create the Ryuk ransomware.

Trickbot dates back to 2016. It was initially used to steal banking credentials, but it has evolved into a delivery system for other types of malware, notably Ryuk. Trickbot itself uses another hacker service, the Emotet spam Trojan.

Emotet was developed by a group called Mealybug in Ukraine. Mealybug uses Emotet to infect computers and then sells access to those computers to other hacker groups for a fee.

The Mealybug group buys lists of email addresses and then sends out its spam email to every email address on the list. The email includes an enticement to click on a link that claims to lead to an essential website but is a download link for the Emotet package. In some attack cycles, the group attaches a document instead of a link. The contents of the documents include an installer that will activate if the document is opened.
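The delivery described above relies on a document attachment that carries an installer, which in Office files means VBA macro code. The following added example, written for this article and not taken from any product or group it mentions, shows the kind of mail-gateway check a defender can run: it inspects the zip structure of an OOXML attachment for a vbaProject part rather than trusting the file extension. The sample attachments are constructed in memory; legacy OLE-format .doc/.xls files are out of scope for this check and would need a separate parser.

```python
"""Flag Office attachments that carry VBA macros, as a mail-gateway check.
Added example, not from the article; the sample files are constructed inline."""
import io
import zipfile

# Parts inside an OOXML package (docx/docm/xlsm/pptm ...) that hold VBA code.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OFFICE_EXTENSIONS = (".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm",
                     ".pptx", ".pptm")
EXECUTABLE_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta")


def has_vba_macro(data: bytes) -> bool:
    """Return True if `data` is an OOXML zip that contains a vbaProject part.

    The check is structural: a macro document renamed to .docx still contains
    the part and is still flagged.
    """
    if not data.startswith(b"PK"):
        return False  # not a zip container, so not OOXML (legacy .doc is OLE)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in MACRO_PARTS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return a verdict string for one attachment."""
    lower = filename.lower()
    if lower.endswith(OFFICE_EXTENSIONS):
        if has_vba_macro(data):
            return "quarantine: macro-enabled Office document"
        return "allow: Office document without macros"
    if lower.endswith(EXECUTABLE_EXTENSIONS):
        return "quarantine: executable attachment"
    return "allow"


def _make_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-like zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> dict:
    """Classify a constructed three-attachment message."""
    invoice_macro = _make_ooxml({"word/document.xml": "<w:document/>",
                                 "word/vbaProject.bin": b"\x00VBA"})
    notes_clean = _make_ooxml({"word/document.xml": "<w:document/>"})
    message = [("invoice.docm", invoice_macro),
               ("notes.docx", notes_clean),
               ("readme.txt", b"hello")]
    return {name: classify_attachment(name, data) for name, data in message}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In production the verdict would feed a quarantine queue rather than a print statement; the point is that the decision is made on the container's contents, which is what the user-education advice later in the article cannot guarantee on its own.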

Once on a computer, the Emotet system checks periodically with a command and control server (C&C) for instructions. In the case of a Trickbot infection, the C&C will include instructions to open a connection and download the Trickbot code. Emotet has a persistence module, which means that if an antivirus spots the code running as a process and kills it, the malware will restart itself.
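Periodic check-ins with a C&C server leave a regular rhythm in outbound proxy or firewall logs, and that regularity is something a defender can look for. The following added example (written for this article, not code from any product it reviews) groups connections by client and destination, measures the gaps between them, and flags pairs whose intervals are both numerous and nearly constant. The log lines are constructed; the 203.0.113.10 destination checks in every five minutes, while 198.51.100.3 is ordinary irregular browsing.

```python
"""Detect periodic C&C check-ins (beaconing) in outbound connection logs.
Added example, not from the article; SAMPLE_LOG is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one connection per line: "<ISO timestamp> <client> <destination>"
SAMPLE_LOG = """\
2021-03-01T09:00:00 10.0.0.5 203.0.113.10
2021-03-01T09:00:07 10.0.0.5 198.51.100.3
2021-03-01T09:05:01 10.0.0.5 203.0.113.10
2021-03-01T09:07:44 10.0.0.5 198.51.100.3
2021-03-01T09:10:00 10.0.0.5 203.0.113.10
2021-03-01T09:14:30 10.0.0.5 198.51.100.3
2021-03-01T09:15:02 10.0.0.5 203.0.113.10
2021-03-01T09:20:01 10.0.0.5 203.0.113.10
2021-03-01T09:25:00 10.0.0.5 203.0.113.10
2021-03-01T09:41:12 10.0.0.5 198.51.100.3
"""


def parse_log(text: str):
    """Yield (timestamp, client, destination) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        yield datetime.fromisoformat(ts), client, dest


def find_beacons(text: str, min_connections: int = 5, max_cv: float = 0.15):
    """Return a list of suspected beacons.

    A (client, destination) pair is reported when it has at least
    `min_connections` connections and the coefficient of variation
    (stdev / mean) of the gaps between them is below `max_cv`.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in parse_log(text):
        by_pair[(client, dest)].append(ts)

    suspects = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period == 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            suspects.append({"src": client, "dst": dest, "count": len(stamps),
                             "period": period, "cv": round(cv, 4)})
    return suspects


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['period']:.0f}s (cv={hit['cv']})")
```

Real implants add jitter to their sleep timer, which pushes the coefficient of variation up, so the threshold is a tuning knob rather than a constant; pairing this with an allow-list of known update and telemetry destinations keeps the false-positive rate manageable. The article notes that Ryuk's C&C may delay activation for weeks, so the check-in traffic is often the earliest signal available.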

Emotet is challenging to get rid of. However, authorities around the world have successfully shut down the Emotet C&C servers. Although there are possibly millions of computers around the world that are still infected with Emotet, those viruses won’t ever do anything because the IP addresses they communicate with for instructions have been taken over by law enforcement agencies in Europe.

The Emotet shutdown caused Wizard Spider to adapt Trickbot so that it has its own worm-like infection strategies to keep Ryuk rolling.

Once on a computer, Trickbot uses an exploit called EternalBlue to spread laterally. EternalBlue is the main conduit used by the WannaCry ransomware system, and it was initially developed by the US National Security Agency (NSA). The exploit targets a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. Microsoft released a patch to close this vulnerability in 2017 and subsequently fixed the problem in all of its operating system shipments. However, older installations that haven’t been fully patched are still vulnerable to EternalBlue.

Ryuk has its own persistence modules, and so it is challenging to remove. It will move around a system without activating, allowing it to be copied undetected onto shared servers and backups. Although Ryuk relied on Emotet for access, it also had its own server network to modify the ransomware’s behavior once it was resident on a computer. The C&C will delay activation for weeks to give the malware time to spread. Ryuk also disables System Restore in Windows.

Ryuk uses a combination of encryption ciphers that is the same as the one used by high-quality VPNs: the asymmetric RSA cipher with a 4096-bit key and the AES encryption system with a 256-bit key. This combination is considered uncrackable, so recovery without the attacker’s key is not a realistic option.

Litigation actions by Microsoft have severely reduced Ryuk’s server network. As the code exploits systems that are proprietary to Microsoft, the company has sued the hosting services used by Wizard Spider to remove the accounts. As a result, the Ryuk network of 128 C&C servers has now been reduced to 8.

Defending against Ryuk ransomware

The best strategy to prevent a Ryuk ransomware attack is to educate users about downloading attachments or clicking on links in emails from unknown sources. It is also essential to install security monitoring systems that detect anomalous behavior on endpoints.

As the desktops on your system are the entry points for Ryuk ransomware, this is where your defense strategy should be focused.

Here is our list of the best Ryuk ransomware defense tools:

  1. CrowdStrike Falcon Insight: This package combines a next-gen AV on each endpoint with a cloud-based controller that gets constantly updated with the latest threats and how to block them.
  2. ManageEngine DataSecurity Plus: A security system that focuses on file activity, a great tool for privacy standards compliance and also for ransomware prevention. It runs on Windows Server.

The best Ryuk ransomware defense tools

1. CrowdStrike Falcon Insight


CrowdStrike Falcon Insight is a cross-platform endpoint detection and response system that combines on-device next-gen AV modules with a cloud-based controller. The endpoint-resident parts of this system are implementations of the Falcon Prevent package. This can monitor all activities on an endpoint, and it can detect the appearance of the Ryuk ransomware.

Key Features:

  • Multi-level strategy
  • Local AV
  • Central threat hunting
  • Threat intelligence
  • Corporate protection

Why do we recommend it?

CrowdStrike Falcon Insight creates a private corporate cybersecurity system by combining on-device units with a cloud-based coordinator. The endpoint unit is a standalone product, called Falcon Prevent. This is able to continue working independently even if the device gets disconnected from the network. It communicates with the cloud-based Insight system, which mines endpoint logs for threats and sends instructions to the Prevent units.

The benefit of having complete endpoint protection is that the defense can continue even if the device gets cut off from the network and the internet. The Insight system up in the cloud can collect updates on threats and channel them to the endpoint agents. Falcon Insight can collect activity data from all endpoints, giving an overview of the entire system.

Who is it recommended for?

This is one of many cloud-based XDRs/SIEMs on the market. However, while most have an agent program that needs to be installed on each endpoint for data collection, the CrowdStrike Falcon Insight system includes a full AV package on each endpoint. This configuration makes the package a strong security solution but it also makes it expensive, so small businesses probably wouldn’t go for this option.

Pros:

  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert on anomalous behavior over time, and improves the longer it monitors the network
  • Lightweight agents take up few system resources

Cons:

  • Would benefit from a longer trial period

The CrowdStrike Falcon Insight system can protect from a long list of malware and spot zero-day attacks and intruder activity. You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus


ManageEngine DataSecurity Plus focuses on the protection of files. This makes it a good choice for privacy standards compliance as well as ransomware protection. The system includes monitors for file changes, among them a mass-change attempt indicator. This immediately raises an alert and can trigger automated responses.
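A mass-change indicator of the kind described above is, at its core, a sliding-window count of file modifications per user, with the new file extension as a useful secondary signal. The following added example is written for this article and is not DataSecurity Plus code or any vendor's logic; it runs over constructed file-audit events in which one user saves a handful of spreadsheets over an hour while another rewrites 40 documents to a new extension within 20 seconds. The ".enc" extension and the UNC paths are placeholders chosen for the example.

```python
"""Sliding-window mass file-change indicator over file-audit events.
Added example, not from the article or any vendor; the events are constructed."""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    user: str
    action: str                    # "write" or "rename"
    path: str
    new_path: Optional[str] = None  # set for renames only


def build_events() -> list:
    """Constructed audit trail: normal editing by alice, mass rewrite by bob."""
    base = datetime(2021, 3, 1, 9, 0, 0)
    events = []
    for i in range(5):  # alice saves a spreadsheet every ten minutes
        events.append(Event(base + timedelta(minutes=10 * i), "alice", "write",
                            rf"\\fs1\finance\q1-{i}.xlsx"))
    for i in range(40):  # bob renames 40 files to a placeholder extension in 20 seconds
        events.append(Event(base + timedelta(minutes=30, seconds=i // 2), "bob", "rename",
                            rf"\\fs1\shared\doc{i}.docx", rf"\\fs1\shared\doc{i}.docx.enc"))
    return events


def detect_mass_changes(events, window=timedelta(seconds=60), threshold=25) -> dict:
    """Return {user: alert} for each user who changes >= `threshold` files in any `window`.

    Only the first crossing per user is reported; a real monitor would also
    feed the alert into an automated response such as disabling the account.
    """
    recent = defaultdict(deque)                       # user -> timestamps in the window
    renamed_to = defaultdict(lambda: defaultdict(int))  # user -> new extension -> count
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:            # drop timestamps that fell out of the window
            q.popleft()
        if ev.action == "rename" and ev.new_path:
            # Extension tally is cumulative rather than windowed, to keep the example short.
            renamed_to[ev.user][os.path.splitext(ev.new_path)[1].lower()] += 1
        if len(q) >= threshold and ev.user not in alerts:
            exts = renamed_to[ev.user]
            top_ext = max(exts, key=exts.get) if exts else None
            alerts[ev.user] = {"count": len(q), "window_start": q[0],
                               "window_end": ev.ts, "new_extension": top_ext}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_mass_changes(build_events()).items():
        print(f"ALERT {user}: {alert['count']} changes between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}, "
              f"new extension {alert['new_extension']}")
```

The threshold and window need tuning per file server: a backup or migration job legitimately touches thousands of files, so such service accounts are normally allow-listed, and the extension signal helps separate a bulk copy (extensions unchanged) from a bulk rewrite.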

Key Features:

  • File integrity monitoring
  • User activity tracking
  • Compliance management
  • Forensic investigation

Why do we recommend it?

ManageEngine DataSecurity Plus doesn’t provide an antivirus or an intrusion detection system. Instead, it takes the approach of locking down data. The package scans all of your data stores and finds instances of sensitive data. It then protects each file and controls access to it according to records set up in Active Directory. The service controls channels for data movements, such as USB sticks and emails.

The speed with which this service can identify malicious activity means it can stop Ryuk ransomware before it spreads. DataSecurity Plus focuses on devices running Windows, which is the target of Ryuk ransomware.

Who is it recommended for?

This service focuses on protecting sensitive data and it also helps you to tighten access rights in pursuit of that goal. The package won’t scan all programs or look out for new software hitting the endpoint, so you will still need an AV and a firewall. There is a Free edition, but it doesn’t include file integrity monitoring.

Pros:

  • Provides a detailed account of file access, allowing sysadmins to understand the context of a file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems

Cons:

  • Requires a sizable time investment to fully explore all the platform’s features and tools

ManageEngine DataSecurity Plus runs on Windows Server, and you can get it on a 30-day free trial.