Ryuk Ransomware

Intro: Ryuk ransomware

Ryuk is an advanced ransomware threat that targets enterprises and other large organizations in order to extort large amounts of money. Since 2018, Ryuk ransomware has successfully compromised schools, hospitals, businesses and other organizations.

This article will cover what Ryuk ransomware is in depth, who Ryuk ransomware attacks and targets, and address other common questions about Ryuk ransomware. It’s important for organizations of all sizes to understand the cyber threats of the modern era, and how cybersecurity services like Mimecast can help mitigate risk and damage of ransomware attacks. We are all potential targets for Ryuk ransomware attacks, but nobody has to face cybersecurity threats alone.

Mimecast is dedicated to bringing every organization in the enterprise community together to protect against ransomware attacks. Our mission is to provide your organization with services that enable you to continue your operations efficiently and securely, while also empowering everyone on your team to be able to properly identify, avoid, and report potential cyberthreats.

What is Ryuk ransomware?

Ryuk ransomware is a type of human-operated ransomware that has been known to target large, Microsoft Windows cybersystems. Because it is human-operated, it can fly under the radar of many basic security protocols and quickly infect an organization’s network.

 After successfully infiltrating the private network of the targeted organization, the virus is deployed covertly and it quickly encrypts files and other sensitive data, demanding a ransom in order to unlock access to them.

Ryuk infects organizations via phishing campaigns, luring victims with links or documents that contain malware. Once someone in the network opens or downloads the malware, the Ryuk virus starts to encrypt files on the infected systems. This prevents regular users from accessing their own files and, in order to regain access, they are prompted to pay a ransom, usually in a difficult-to-trace currency such as Bitcoin.

Who does Ryuk ransomware target?

Ryuk ransomware targets large organizations, namely hospitals, businesses, and government institutions who use Windows cybersystems and have critical assets, such as confidential data of students, patients, employees, and customers.

The creators of Ryuk typically follow a “big game hunting” approach, which means they target organizations that can afford to pay a big ransom.

Ryuk ransomware FAQs

The following are some frequently asked questions about Ryuk ransomware. If you have additional questions or need an immediate response to an active Ryuk threat, feel free to contact us.

Why is it called Ryuk ransomware?

The name Ryuk (pronounced Ree-yook) originally comes from a Japanese manga character from the series Death Note. The character Ryuk is a supernatural creature who drops a note into the human world. The note is picked up by Light Yagami, the human protagonist, who by discovering the note unlocks a dark power and sets his sights on chaotically changing the world. Yagami intends to do good things and targets criminal organizations who are powerless against his supernatural powers bestowed upon him from Ryuk.

Ryuk ransomware operates similarly in that the cyberattack begins when victims access the malware by clicking on links and/or downloading files that contain malware. However, in real life, the Ryuk ransomware is deployed by criminals who extort enterprises and public entities.

How does Ryuk work?

• Ryuk works by encrypting files on infected systems. Unlike other types of ransomwares, Ryuk is human-operated, which makes it harder to detect autonomously. The cyberattackers who operate Ryuk interact in such a way that appears to be normal activity to basic security systems. 
  
  Ryuk deploys a phishing campaign. This may entail sending emails to users that contain malware via links and/or attachments. Victims may also discover and download malware from browsing the internet or while trying to connect to what looks to be a normal WiFi network.
  
  
• When the victim clicks the link or opens the attachment, the payload (cargo of data used to maliciously interact with the victim’s computer) is deployed to the user’s computer. To an untrained eye, the payload downloads look very similar to usual windows files.
  
  
• From here, computer malware designed to steal credentials,are deployed, often by a malware called Trickbot. In some cases, Ryuk is delivered via RDP or exploit, making it a fully human-operated attack. Ryuk can use lateral movement, meaning it can move from device to device within the network. As it steals credentials such as passwords and FTP credentials, its activity will not appear unusual to most network security monitors.
  
  This process is carried out by human operators who covertly look for weaknesses to exploit, such as intentionally disabled virus protection, weak domain credentials, and/or non-randomized local admin passwords.
  
  
• Once Ryuk bypasses network security, it launches its file encryption, which makes files inaccessible to users in the network. It also disables Windows restore, so that the victim cannot recover compromised files.
  
  
• The encrypted files will keep their names but have a new extension, .RYK indicating that they have been encrypted by the Ryuk virus. The victim will see a text prompt asking for payment in exchange for decrypting the files.

What happens in a Ryuk ransomware attack?

During a Ryuk attack, all files, including documents, images, videos, etc. are encrypted, and they will keep their original names with an .RYK extension added to them. Ryuk can also identify and encrypt network drives, making their files and programs inaccessible. Furthermore, Ryuk will delete shadow copies, making it impossible to recover the compromised data without proper external backups in place.

How can I protect myself against Ryuk ransomware?

Here are some basic tips you can follow to protect against Ryuk ransomware: 

• Use a trusted security tool: Advanced email security tools like Mimecast can help prevent some Ryuk ransomware attacks. Mimecast’s industry-leading email security service is trusted by 40,000 organizations globally thanks to unique, user-friendly features. For example, Mimecast can not only detect suspicious links, but prevent users in your organization from clicking on them.
  
  
• Contain and remediate successful email-based attacks: with Mimecast’s Internal Email Protection capabilities that can be used to search and destroy malicious emails in users’ inboxes. Our continuity services can also keep an organization’s email channel in operation during a successful attack.
  
  
• Making it fast and easy for organizations to connect and optimize their security ecosystems: The Mimecast Tech Exchange provides an extensible architecture that helps organizations strengthen protections, speed detection, and accelerate response.
  
  
• Require multi-factor authentication: Multi-factor authentication makes it extremely difficult for cyberattackers to remotely gain access to your organization’s internal network.
  
  
• Security awareness training: One of the most common ways cyber attackers successfully infiltrate organizations is with phishing campaigns that bait individuals into clicking on links or downloading files that contain malware. Mimecast Awareness Training and CyberGraph warning banners give employees the knowledge necessary to detect and avoid a wide variety of attack types that can open the door to ransomware.
  
  We’re all in the fight against cyberattacks together, and Mimecast’s Awareness Training aims to empower everyone to be able to do their part to keep themselves and their organization safe. Most of that empowerment comes from learning how to identify potential threats, how to comply with basic security protocol, and how to come together to as a community that values safety. We also find that laughter helps with learning, so your team might get a good chuckle from watching our training videos along with great tips on how to protect your organization.
  
  
• Archive to protect business data: It’s not always practical to backup all of your data on a physical external device, such as an external hard drive. Imagine being able to store everything in a secure digital vault. That’s precisely what Mimecast’s cloud-based cybersecurity service offers. Our Sync & Recover capabilities can help accelerate a return to normal operations by providing point-in-time restoration of email inboxes.

How to protect your business from Ryuk ransomware

Ryuk ransomware is a cybersecurity threat that’s not to be taken lightly, but with the proper safety protocols in place, your organization will more likely be able to avoid a Ryuk attack.

For the beginning of 2021, Ryuk activity was relatively quiet, but has since increased in activity. A newer yet similar ransomware, Conti, is becoming more prevalent. Some speculate Conti will soon replace Ryuk as a preferred ransomware for cyberattackers use.   

If there’s one thing to know about defending against Ryuk or any sort of ransomware attack, it’s that cyber attackers prey on organizations that have obvious weaknesses, namely a lack of active security and/or employees who lack security awareness training. Simply having robust security protocols in place shows that your organization means business when it comes to protecting your data, employees, and customers.

With Mimecast’s security programs, we are committed to fighting back against scammers and cybercriminals together. To understand how Mimecast’s digital security services can help your business, get a demo on Ryuk ransomware protection.