What Is Ryuk Ransomware?

Ransomware infiltrates your device, encrypts your data, and holds your digital life hostage. Ryuk ransomware is like normal ransomware on steroids, deliberately hunting high-profile targets likely to pay big sums. Learn what Ryuk ransomware is, how it emerged, and how it spreads. Then get strong security software like Avast One to keep your devices safe.

Written by Carly Burdova
Published on March 4, 2022

What is Ryuk ransomware?

Ryuk ransomware is a type of malware that hackers aim at high-value targets to infect systems and encrypt files until a ransom is paid. Named after a famous manga character in the movie Death Note, Ryuk ransomware attacks have hit businesses, governments, and public institutions like hospitals and schools.

    Ryuk ransomware, like all ransomware, can have a devastating impact, especially on targeted entities with critical digital assets, such as hospitals relying on electronic files to provide accurate medication, or utility plants that remotely control water facilities.

    Recently, cybercriminals have doubled down on ruthless attacks, and vulnerable populations aren't off the table when it comes to a Ryuk attack. It’s unknown who is behind Ryuk ransomware, but most sources point to Wizard Spider, an underground network of cybercriminals based primarily in Russia.

    What's the history of Ryuk ransomware?

    Ryuk ransomware first appeared in August 2018 when it encrypted the files of hundreds of small municipalities, logistics enterprises, and technology firms around the world. While this was the Ryuk virus’s first public appearance under the name Ryuk ransomware, cybersecurity experts have linked the code structure to the Hermes ransomware strain, discovered in 2017.

    In 2021, Ryuk ransomware took a worrying turn, as a new variant emerged with worm-like capabilities, meaning it can spread between computers and systems without needing a human agent. This makes the attack chain faster and makes it easier for hackers to cause system-wide devastation.

    How did Ryuk emerge and how does it spread?

    Ryuk ransomware attacks often begin with phishing emails. Because they seek big payouts, Ryuk attackers often deploy spear phishing campaigns targeting people with access to enterprise-level software or systems.

    Hackers start by surveying high-value targets to determine if an attack is worth it. They attack by sending victims harmless-looking emails with malicious links attached. The attachment may look like a normal Word document, but when opened, a type of Trojan malware (like Trickbot or Emotet) is unleashed.

    That initial malware is not actually ransomware. It’s what lets the attackers take over command and control of your machine so that they can deploy their ransomware payload later on. In the meantime, Ryuk spreads laterally within the network, infecting more and more victims.

    Lodged deep in a system, Ryuk hackers secretly collect admin credentials and identify domain controllers. That allows the eventual Ryuk ransomware attack to hit as widely as possible, ensuring a maximum attack surface when the ransomware payload is finally released.

    Ryuk ransomware encrypts a computer's files, data, and system access, making it impossible to retrieve information or gain entry to programs. It also breaks the Windows System Restore option, forcing victims to choose between losing data or paying the ransom. The attack is so abrupt and devastating that many choose to pay, resulting in some of the biggest ransomware attacks in recent memory.

    As a human-operated attack, the hackers behind Ryuk use manual hacking techniques to gain access and spread across networks. This attack chain pattern was observed in 2018, 2019, and 2020.

    Recent attacks indicate that Ryuk ransomware has evolved and can now spread without human interaction, like a more typical worm rather than a computer virus. Still, the initial data breach stems from classic social engineering tactics like phishing, spam, and spoofing.

    Ryuk ransomware attacks often begin with phishing emails that can install Trojans or other malware. When enough computers are infected, the ransomware is released system-wide.

    To learn more about other strains of ransomware, check out our guides to Locky, Petya, Cerber, and WannaCry.

    Examples of Ryuk ransomware attacks

    Ryuk ransomware attacks follow a similar pattern. Large public or private entities are targeted and hit in a raid-like fashion. Ryuk attacks have been aimed at targets in the US, UK, Germany, Spain, France, and Australia.

    In early 2021, an analysis of Bitcoin transactions from known Ryuk addresses revealed that Ryuk hackers have scammed over $150 million in ransom payments. The most notable Ryuk ransomware attacks have hit municipalities, school systems, technology and energy companies, and hospitals.

    • December 2018: US media outlets using Tribune Publishing software were hit, including the LA Times and West Coast editions of The Wall Street Journal and the New York Times. The attacks were apparently aimed at disabling infrastructure, rather than stealing data.

    • March 2019: Jackson County, Georgia had their entire municipal network taken offline, fortunately with the exception of emergency services. After consulting with cybersecurity experts, local officials decided to pay the negotiated ransom of $400,000.

    • June 2019: Two Florida cities, Riviera Beach and Lake City, were hit with Ryuk ransomware weeks apart from each other. The attacks impacted emergency services, water pump stations, and administrative systems. Both cities opted to pay the ransom to restore services ($600,000 and $460,000, respectively).

    • July 2019: La Porte County, Indiana was another municipality hit with a Ryuk ransomware attack in the summer of 2019. The county paid $130,000 to get their systems running normally again.

    • July 2019: New Bedford, Massachusetts had their IT system held ransom for an unprecedented $5.3 million. The city offered $400,000 to the hackers, which was rejected, and so the city decided to try to recover the data on their own.

    • December 2019: Over 700 Spanish government offices were simultaneously attacked by Ryuk ransomware, disrupting hundreds of thousands of citizen appointments and portal access to the State Public Employment Service.

    • January 2020: Electronic Warfare Associates (EWA), a well-known supplier of electronics to the United States Department of Defense, was hit with a Ryuk ransomware attack. The company tried to keep the data breach quiet, but the story broke when someone found encrypted files and ransom notes on the company's cached Google search results.

    • March 2020: The legal services firm Epiq Global saw 80 offices around the world hit by a Ryuk attack, blocking client access to critical legal documents. The company won't say if a ransom was paid.

    • September 2020: Over 250 medical facilities administered by Universal Health Services (UHS), one of the largest private healthcare providers in the US, were attacked, which forced patients to be rerouted to other emergency rooms and delayed test results and appointments. Recovering from the attack reportedly cost UHS $67 million.

    • November 2020: When K12 Inc., an online education platform serving over one million students, was attacked, Ryuk hackers gained access to large swaths of personal data and threatened to leak it. K12 confirmed an unspecified ransom payment was made to protect their students’ privacy.

    • November 2020: The Baltimore County Public School system, which serves over 115,000 students and has a $1.5 billion budget, was hit by Ryuk ransomware a few days before Thanksgiving Day, massively disrupting their remote educational services. Although no ransom was paid, recovery reportedly cost the school system nearly $10 million. This 2020 Ryuk ransomware attack highlights the risk of going digital without first properly securing vulnerable systems.

    • May 2021: When Norwegian energy tech firm Volue was attacked by Ryuk, system infrastructure for their water and wastewater facilities in over 200 Norwegian municipalities was impacted. This attack affected nearly 85% of the country's population.

    • June 2021: Liège, the third largest city in Belgium, witnessed a Ryuk ransomware attack on their IT network and services. It disrupted administrative services related to identity cards, passports, and appointments for marriages, births, and residency permits.

    How to protect yourself against Ryuk?

    As with most ransomware, Ryuk commonly gains access through poor IT practices such as insufficient staff training, weak passwords, a lack of effective firewalls, or other missing security infrastructure.

    Fixing these issues, implementing backups, setting up permissions-level access, and installing server security are the best steps toward preventing ransomware attacks.

    The role of education in defending against Ryuk ransomware and other malware strains should not be underestimated. All it takes is one slip-up, such as clicking on a malicious link or opening an infected document, to bring down an entire system.

    Human error is inevitable, but sound digital hygiene along with a ransomware protection tool can stop ransomware before it encrypts your files and disables critical systems. Avast One features powerful anti-ransomware software supported by the world’s largest threat-detection network.

    How do I remove Ryuk?

    It's possible to remove ransomware from your PC and remove ransomware from your Mac. The first step, regardless of device, is to isolate the infected devices. Disconnect your device, including any network drives, external hard drives, cloud storage accounts, etc. Then run an antivirus scan to identify and remove the malware.

    Protect yourself against ransomware with Avast Antivirus

    The fallout from a ransomware attack is painful. But by following IT best practices and using strong ransomware protection software you can minimize the threat considerably.

    Avast One uses top-of-the-line machine-learning malware protection that gets better every day. Our team of cybersecurity experts constantly monitors the ransomware threatscape, updating our threat-detection network accordingly. Trusted by over 400 million users, Avast stops ransomware in its tracks.
