Since August 2018, the Ryuk ransomware has been causing serious challenges in the cybersecurity and corporate worlds. GRIM SPIDER, the criminal organization that is probably behind this malware, focuses on large businesses, demanding considerable ransoms in return for their data. So far, they have been considerably successful, collecting vast amounts of money, with profits exceeding US$3,000,000.00 (counting only the figures discovered through their exposed BTC wallets).

But how does this enterprise-driven malware actually work? Is your business safe? What is the world of cybersecurity doing to mitigate this terrible threat?

At My IT Guy, we want to talk about Ryuk and its implications. Our team thinks it’s important for our community of readers and customers to know the threats lurking out there.

What is Ryuk?

As we mentioned before, Ryuk is an enterprise-driven malware that holds big businesses' data hostage and demands significant ransoms in exchange. This ransomware threatens the victim, telling them that all data will be erased. Alongside the threat, the ransom note shares details about how Ryuk destroyed the backup disks and shadow copies.

The victim is told not to rename, move, copy, or delete any of the infected files, as everything may be lost irrecoverably. The same applies to restarting or shutting down the infected system.

The message described above comes in a text file named "RyukReadMe.txt", which also contains the email address where the victim can contact the cybercriminal group for further instructions, along with the BTC wallet address. The latest versions of the message no longer include the BTC wallet information.

Experts have found similarities between Ryuk's ransom message and the one used by the BitPaymer malware in the past. However, it is still unknown whether this criminal group is taking any resources directly from BitPaymer. What the experts do know is that Ryuk is derived from the Hermes malware.

That being said, how is the Ryuk ransomware being distributed so effectively?

Several cybersecurity firms, such as CrowdStrike, have conducted investigations when responding to Ryuk infections. In the process, they have noticed TrickBot in the infected environment. Therefore, there are theories that Ryuk infects victims through TrickBot, which is initially distributed via spam email and the Emotet geo-based download function.

Ryuk Binaries

Experts have identified two different types of Ryuk binaries after investigating infected environments: a dropper, which is really difficult to observe, and the executable payload of the ransomware. After the attack has been carried out, the executable payload deletes the dropper, so specialists have a hard time obtaining it for further analysis.

However, it is known that the dropper builds an installation folder path by calling "GetWindowsDirectoryW". What happens next, at least in detail, depends greatly on the victim's Windows version.

How these binaries operate changes constantly, as Ryuk is under non-stop development by GRIM SPIDER. This makes it difficult to be fully aware of how the ransomware operates. One thing experts have identified so far is that Ryuk is moving further away from Hermes' source code.

Ryuk’s Encryption Potential

The Ryuk ransomware is very aggressive in the way it encrypts the victim's files. While many ransomware families have an extensive whitelist of what they decline to encrypt on the victim's end, Ryuk only whitelists three file extensions: .exe, .dll, and .hrmlog.

Experts concluded that these extensions are whitelisted to prevent destabilizing the system and to allow victims to act (pay the ransom). Chrome and Mozilla folders are also whitelisted, presumably for the same reason.
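For responders scoping an incident, the whitelist above is useful: anything outside it should be assumed encrypted once a ransom note is found in the same tree. The following triage helper is an added example written for this post, not Ryuk code or a My IT Guy tool; it encodes the three extensions and the Chrome/Mozilla folder rule exactly as described here, walks a directory, and reports ransom notes and files outside the whitelist. The directory layout it builds is constructed sample data, and the assumption that any folder name containing "chrome" or "mozilla" counts as whitelisted is ours.

```python
import os
import tempfile

# Whitelist described above: Ryuk skips these extensions and these folders.
WHITELISTED_EXTENSIONS = {".exe", ".dll", ".hrmlog"}
WHITELISTED_FOLDERS = {"chrome", "mozilla"}   # assumed: substring match on folder names
RANSOM_NOTE = "RyukReadMe.txt"


def is_whitelisted(relpath):
    """True if Ryuk, per the behaviour described above, would skip this file."""
    parts = [p.lower() for p in os.path.normpath(relpath).split(os.sep)]
    if any(f in part for part in parts[:-1] for f in WHITELISTED_FOLDERS):
        return True
    return os.path.splitext(relpath)[1].lower() in WHITELISTED_EXTENSIONS


def triage_tree(root):
    """Return (ransom_note_paths, files_outside_whitelist) found under root.
    Files outside the whitelist are the ones to assume encrypted when a note exists."""
    notes, in_scope = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif not is_whitelisted(os.path.relpath(full, root)):
                in_scope.append(full)
    return sorted(notes), sorted(in_scope)


def build_sample_tree():
    """Constructed sample layout (not a real infection) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="ryuk_triage_")
    for rel in ("Users/alice/Documents/report.docx",
                "Users/alice/AppData/Local/Google/Chrome/User Data/Cookies",
                "Program Files/Mozilla Firefox/firefox.exe",
                "Windows/System32/kernel32.dll",
                "Users/alice/Desktop/RyukReadMe.txt",
                "Users/alice/Desktop/budget.xlsx"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    notes, in_scope = triage_tree(build_sample_tree())
    print("ransom notes:", notes, "\nfiles outside whitelist:", in_scope)
```

Point `triage_tree` at a mounted image or share to get a quick list of notes and potentially encrypted files; the two `.exe`/`.dll` files and the Chrome data in the sample are correctly left out of scope.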

The Bottom Line

Ryuk attacks constitute a true danger, and businesses should be extra aware of its existence to avoid falling prey. Cybersecurity experts are trying to determine exactly how this piece of malware operates and where it is coming from. Some theories argue that the cybercriminals behind Ryuk may be based mainly in North Korea and Russia. While the Hermes ransomware was developed by STARDUST CHOLLIMA, a North Korean cybercriminal group, additional evidence points to GRIM SPIDER and Russia as relevant actors.

Regardless of how this ransomware operates and where it is coming from, it is paramount for your company to implement the right security measures and keep the threat at bay. While basic measures (like smart spam filters) can achieve plenty, it is necessary to go the extra mile by implementing advanced prevention tools that can detect and counter the threat in time.

At My IT Guy, our team of cybersecurity specialists can help your business stay safe against Ryuk ransomware and the many other threats that continue to target organizations of all sizes. If you want to know more about our cybersecurity solutions, please get in contact with us.