The Ryuk ransomware variant was first discovered “in the wild” in August 2018. Since then, it has grown in visibility to become one of the best-known and costliest ransomware variants in existence.
Unlike early ransomware variants such as WannaCry, Ryuk is designed to be extremely targeted. The design of the malware means that each victim must receive the individual attention of the cybercriminals operating the malware. As a result, Ryuk is used in targeted campaigns with highly tailored infection vectors and high ransom demands.
Ryuk is designed to be a targeted ransomware variant, meaning that its operators favour a small number of carefully chosen victims over mass infection. A Ryuk infection begins with a very targeted attack to infect an intended victim, followed by file encryption and an extremely large ransom demand.
The operators behind the Ryuk ransomware take a targeted approach to selecting and infecting their victims. Rather than attempting to infect a large number of computers and asking a relatively small ransom (like WannaCry), campaigns using the Ryuk ransomware focus on a single organization and have an extremely high asking price for data recovery.
For this reason, Ryuk is commonly spread via very targeted means. These include the use of tailored spear phishing emails and exploitation of compromised credentials to remotely access systems via the Remote Desktop Protocol (RDP).
A spear phishing email may carry Ryuk directly or be the first in a series of malware infections. Emotet, TrickBot, and Ryuk are a common combination. With RDP, a cybercriminal can install and execute Ryuk directly on the target machine or leverage their access to reach and infect other, more valuable systems on the network.
Ryuk uses a combination of encryption algorithms, including a symmetric algorithm (AES-256) and an asymmetric one (RSA-4096). The ransomware encrypts a file with the symmetric algorithm and includes a copy of the symmetric encryption key encrypted with the RSA public key. Upon payment of the ransom, the Ryuk operator provides a copy of the corresponding RSA private key, enabling decryption of the symmetric encryption key and, using it, the encrypted files.
Ransomware poses a serious threat to the stability of an infected system if it encrypts the wrong files. For this reason, Ryuk deliberately avoids encrypting certain file types (including .exe and .dll) and files in certain folders on the system. While not a foolproof system, this decreases the probability that Ryuk will break an infected computer, which would make file retrieval more difficult or impossible even if a ransom is paid.
Ryuk is known as one of the most expensive ransomware variants, with average ransom demands reaching US$111,605 in the first quarter of 2020. Ryuk ransom notes contain an email address where victims can contact the cybercriminals operating the ransomware to receive instructions on how to pay the ransom.
However, organizations that choose to pay the ransom might not always get what they paid for. Paying a ransom demand should result in the cybercriminal sending a decryption key and/or software capable of decrypting the victim’s files. In most cases, the cybercriminal will take the ransom without returning access to files.
However, even if the cybercriminals are acting in good faith, there is no guarantee that the organization will regain access to all its lost files. One version of the Ryuk ransomware decryptor had an error in the code that dropped the last byte when decrypting a large file. While in some file formats this last byte is just padding, in others it is critical to interpreting the file. As a result, a Ryuk victim should not necessarily expect to regain all their encrypted files even if they pay the ransom.
Falling victim to a Ryuk ransomware attack is extremely costly to an organization. The operators of the Ryuk ransomware put effort into developing a targeted spear phishing lure, and they demand a high ransom for their trouble. However, in some cases, even paying the ransom is not enough to regain a company’s access to sensitive or valuable data.
For this reason, it is far better to try to prevent a ransomware attack rather than react to it. If the Ryuk malware can be detected before encryption begins, the incident can be mitigated with minimal cost to the organization.
Deploying Check Point’s anti-ransomware solution can help an organization to defend against Ryuk and other ransomware variants. This tool monitors common ransomware behaviors, enabling it to detect even zero-day ransomware variants. Since legitimate programs do not exhibit the same behaviors, such as opening and encrypting large numbers of files, Check Point’s anti-ransomware solution can provide high-fidelity ransomware detection and minimize the damage and cost associated with an attempted Ryuk ransomware attack.
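As an added example (not Check Point's product code and not anything taken from Ryuk), the following Python sketches the behavioural signal the paragraph describes: one process rewriting many files with encrypted-looking, high-entropy content in a short window, which ordinary editing and single backup jobs do not do. The event records, process names, window length and threshold are constructed assumptions.

```python
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0              # bits per byte; encrypted or compressed data sits near 8.0
WINDOW_SECONDS = 10             # assumption: sliding window length
MAX_HIGH_ENTROPY_WRITES = 5     # assumption: more than this per process per window is suspicious

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_mass_encryption(events, window=WINDOW_SECONDS, threshold=MAX_HIGH_ENTROPY_WRITES):
    """events: iterable of (unix_ts, pid, image, path, bytes_written).
    Returns the set of (pid, image) that wrote high-entropy content to more than
    `threshold` files within any `window`-second span."""
    recent = defaultdict(deque)   # pid -> timestamps of its recent high-entropy writes
    flagged = set()
    for ts, pid, image, _path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < HIGH_ENTROPY:
            continue                       # ordinary edits: plain text, low entropy
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:    # drop writes that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add((pid, image))
    return flagged

# Constructed sample file-write events (not real telemetry).
ENCRYPTED = bytes(range(256)) * 4                        # uniform bytes: entropy exactly 8.0
TEXT = b"quarterly report draft, revision 3\n" * 20      # natural text: well under 7.0
SAMPLE_EVENTS = [
    (1000, 412, "winword.exe", r"C:\Users\a\report.docx", TEXT),        # benign edit
    (1003, 777, "backup.exe", r"D:\backups\nightly.zip", ENCRYPTED),    # one archive write: benign
] + [
    (1010 + i, 999, "unknown.exe", rf"C:\Users\a\docs\doc{i}.xlsx", ENCRYPTED) for i in range(8)
]  # one process rewriting eight files with encrypted-looking content in eight seconds

if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))   # {(999, 'unknown.exe')}
```

A real deployment would take the write events from a file-system minifilter or EDR telemetry rather than a list, and would tune the window and threshold against the host's normal workload.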