What Is the Ransomware “Ryuk” and How Can You Protect Yourself?

What Is the Ransomware “Ryuk” and How Can You Protect Yourself?

Don’t know what Ryuk ransomware is and where they are from? Don’t worry, Xact IT has some solutions on how to deal with particular ransomware, even if you’re unfortunate enough to be infected. Let’s dive into what they do, who their targets are, how they deliver and how you can protect yourself against this infectious ransomware!

What is Ryuk ransomware? So back in August of 2018, a ransomware family called Ryuk was first discovered in the wild. Ryuk has grown to become one of the most prolific ransomware groups. Ryuk is a type of ransomware used in targeted attacks where the threat actors make sure that the essential files and everything that they find on your network are encrypted and they ask for large amounts of ransom. A typical ransom demand from Ryuk can cost you a few hundred thousand dollars.

So how does Ryuk work? Ryuk is one of the first ransomware families to include the ability to identify and encrypt network drives and resources as well as delete shadow copies on the computers and endpoints. This means the attackers can disable the Windows System Restore for users, make it impossible to recover from an attack without your external backups or rollback technology. So, let's take a closer look at it.

Who created Ryuk? Malware attribution is difficult and Ryuk is thought at first to be North Koreans and then it evolved into that they were affiliated with Russian criminal cartels and security researchers had also linked them to Hermes Version 2.1 and to this day we don't really know who is behind Ryuk, but they tend to be all business and they tend to get the job done.

Who are their targets? Ryuk targets and tends to target high profile organizations where the attackers know they are likely to get paid for their steep ransom demands. Victims include Baltimore County Schools, mCore, UHS Hospitals, and several high profile newspapers. In 2019 it was estimated that Ryuk brought in $61 million because of their business model and their targeting of the high profile organizations.

So how is Ryuk delivered? As with many malware attacks, the delivery method is spam. You're clicking on links and things that you shouldn't, they're often sent from spoofed addresses, fake accounts. So there's no suspicion raised and you kind of just do things. A typical Ryuk infection starts off with somebody opening up a phishing email, usually containing a Microsoft Office document that then loads a macro and then all hell breaks loose and then we have the Emotet Trojan that gets downloaded and then that goes and retrieves a really nasty malware called TrickBot, which is basically the spyware. It then goes through and collects credentials and then assesses the network and does all this stuff. The chain attack concludes when the attackers execute Ryuk on each of these assets. So once your network has been breached, the attackers decide whether they think it's worth the effort to further explore and infiltrate the network, and if they have enough leverage to demand a large sum, then they will deploy the Ryuk ransomware.

How can you protect yourself against Ryuk? Look, this isn't easy. There aren't too many decrypters for the Ryuk ransomware out there, and when there are decrypters, they're quickly, quickly fixed or they change the decryption and you can no longer use previous decryption tools. One of the things you're going to want to do, because Ryuk spreads across the network, you basically have a couple options. Number one, you can go to your backups, if you have them. If you did a good enough job of setting up backups and you're disciplined about it and you have the ability to go back to those and restore from those, you're going to want to do that but you're not going to want to do that just yet, right?

So, your other option is and cyber security experts don't recommend this ever, but you might have to pay the ransom, depending on your situation. Experts would say consult with attorneys and cybersecurity professionals before you decide to pay the ransom to Ryuk because you might be breaking federal law by doing so. So just be careful and make sure you know what you're doing there before you decide to pay the ransom. That might be your only choice in this situation.

You might be wondering what if we have backups? If you're fortunate enough to have really good backups and you're dealing with Ryuk ransomware, you're going to want to make sure that you clean the systems. Now because Ryuk is wormable, it goes through the network and it can spread to other computers, and you don't know how they got there in the first place, you don't know how the malware got on the systems or what systems they got into, Emotet, TrickBot, other back doors could have been placed on your network for a second strike after you think you've recovered. So here's what you want to do. Whether you have backups or not, you're going to want to wipe all your systems, every single one of them. Isolate them from the internet, take them offline, do not allow these machines to be connected to the internet. Then you have two choices here. You can go buy all new equipment, which is absolutely a choice and something you might want to consider. It sounds crazy I know, but this is something that we have to do in incident response.

The second thing you need to do, wipe your systems. So wiping your systems the right way, by cleaning the drive. That's an option if you have Windows 10 or Windows 11, it's going to be called cleaning the drive, your most secure option, but it's going to wipe away everything. It’s what you want here because experts need to wipe away what the bad guys did. Yes, you're going to lose data. That's why we have backups.

Now you're going to wipe all the systems, you're going to clean all the drives, make sure you get rid of everything, fresh installs, you're going to start over. Once you start over, you can then start reinstalling software. Reinstall your software from known, trusted sources. With that being said the only thing you really want to restore from your backups is your data, so your pictures, your files, your documents. If you have databases and things like that, there are ways you can restore the data without restoring potentially other things that could be infected within that backup. So you need to be careful there, and Xact IT Solutions would highly recommend you consult with a cybersecurity professional before you start installing more or recovering more advanced applications but if we're just talking about pictures, files and documents, just move that back onto the new systems once you have them stood up.

In all, that is our best advice for you. That is how you deal with Ryuk right now, in 2022. Unfortunately, there isn't a whole lot you can do if you get hit by these guys. It's really up to you to stay protected, but if you do get Ryuk ransomware, those are your options for recovery. You can pay the ransom, you can recover from backups, or you can go move forward with encrypted files and just hope that one day, a decrypter is found for your version of the Ryuk ransomware and maybe in three to five years you can unencrypt your files if they're not that important to you but more than likely they're pretty important because these guys just don't hit consumers, they hit businesses and are out to get your business. So, make sure you're doing these things, watch our channel, make sure you like and subscribe. We'd love to hear if you’re experiencing this type of ransomware.