Ryuk, a well-known ransomware family, was first identified in 2018 and has quickly become one of the most damaging forms of crypto-malware hitting enterprise systems worldwide. Here, we take an in-depth look at a tool, used by financially motivated operators, that still makes headlines today.

What exactly is Ryuk ransomware?

Ransomware is a form of malware designed to lock an organisation out of its own key systems and important files, effectively holding them hostage until a ransom is paid for their return. Ryuk is one such tool: categorised as crypto-malware, it is used in attacks where the operators encrypt critical files and then demand a large payment for the decryption key. Recorded Ryuk ransom demands are often six- or seven-figure sums.

How does this type of ransomware operate?

Ryuk does not just encrypt local files: it enumerates and encrypts mapped network drives and reachable shares as well, and it deletes the Volume Shadow Copies on the endpoint (it also uses bcdedit to switch off Windows' automatic recovery options). Deleting the shadow copies removes the previous file versions that System Restore and many local backup tools depend on, so an organisation cannot recover from a Ryuk attack unless it already has rollback technology or offline/external backups in place.

Who was Ryuk’s creator?

Attributing malware to its creators is a complicated endeavour, but two researchers at Deloitte Argentina, Luciano Martins and Gabriela Nicolao, attributed Ryuk to a group calling itself CryptoTech. This lesser-known group was seen selling a ransomware known as Hermes 2.1 on a dark web forum as early as 2017. Ryuk shares a large part of its code with Hermes 2.1, and the Deloitte Argentina researchers concluded that Ryuk was built from the Hermes 2.1 code base by the same group.

How is a Ryuk ransomware payload unleashed?

As with many other malware campaigns, the initial access vector is typically email. The malicious messages are sent from spoofed or look-alike addresses, or from previously compromised mailboxes, so the displayed sender looks familiar to the recipient and the message is less likely to be flagged or to raise suspicion.

A typical Ryuk attack starts when a victim opens a malicious Microsoft Office document attached to a phishing email. If macros are enabled, the macro runs a PowerShell command that downloads a loader such as Emotet, which began life as a banking Trojan. Emotet then downloads further malware onto the infected device, typically TrickBot, which harvests credentials and profiles the network. With those credentials the attackers move laterally through the assets linked to the company network, assess which systems are worth the most, and, if the target looks lucrative, deploy the ransomware by hand and start encrypting.
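The two observable stages described above, an Office document spawning PowerShell and the later shadow-copy and recovery tampering before encryption, are the points where a defender can catch this chain in process-creation telemetry. The following hunting script is an added example written for this article, not Galaxkey's or any vendor's code. It assumes Sysmon Event ID 1 style fields (parent image, image, command line) already parsed into dictionaries; the sample events are constructed for the example, and the command lines matched are the vssadmin and bcdedit invocations that public analyses report from Ryuk's clean-up batch script.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style (parent image,
# image, command line). These are made-up sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # constructed encoded command; its content is irrelevant to the rules below
     "cmdline": "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws01",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},      # benign admin use
    {"host": "srv02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"host": "srv02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"host": "srv02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv03",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                              # read-only, benign
]

# Stage 1: an Office application should not be launching a script host or shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe"}

# Stage 2: recovery tampering seen just before encryption. The patterns are
# deliberately narrow: "vssadmin list shadows" must not fire.
RECOVERY_TAMPER_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"bcdedit(\.exe)?\s+.*(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    hits = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    for name, pattern in RECOVERY_TAMPER_PATTERNS:
        if pattern.search(event["cmdline"]):
            hits.append(name)
    return hits


def hunt(events):
    """Run every rule over every event; return (host, rule, cmdline) alerts."""
    return [(ev["host"], rule, ev["cmdline"])
            for ev in events for rule in classify(ev)]


def hosts_staging_ransomware(alerts, threshold=2):
    """Hosts where at least `threshold` distinct recovery-tampering rules fired.

    Ryuk's batch script runs several of these commands back to back, so a
    cluster on one host is a much stronger signal than any single command.
    """
    per_host = {}
    for host, rule, _ in alerts:
        if rule != "office_spawns_shell":
            per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, rule, cmdline in found:
        print(f"{host:6} {rule:32} {cmdline}")
    print("hosts staging ransomware:", hosts_staging_ransomware(found))
```

On the sample data the script flags the Office-to-PowerShell launch on ws01 and the three tampering commands on srv02, while the routine PowerShell script and the read-only `vssadmin list shadows` pass. In production the same rules map onto Sysmon, EDR or Windows Security 4688 data; the point of the per-host clustering is that stage 2 alerts arrive minutes before encryption begins, so they should page someone rather than sit in a queue.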

A robust security option at your fingertips

At Galaxkey, we have developed a secure platform that gives enterprises a safe place to work. From secure email services to strong encryption that is easy for your staff to use, we supply firms looking for stronger security with a wide range of tools to operate safely. Contact our team today to book a demonstration.