Ryuk Ransomware is Now More Dangerous Than Ever. Here’s Why


The feared Ryuk ransomware, which set organizations back by $150 million over the past three years, has acquired new capabilities that allow it to propagate across connected networks and systems, including those that are inactive or powered off.

French cybersecurity agency ANSSI has issued an alert about evolving capabilities in Ryuk ransomware that are making it difficult for enterprise security defenses to kill it or block its spread. The ransomware is now displaying worm-like capabilities that allow it to spread from an infected network to other networks or devices on its own.

Operated by WIZARD SPIDEROpens a new window , a Russia-based hacker group best known for creating the TrickBot banking malware, the original Ryuk ransomware first appeared on the scene in August 2018, operating primarily to target large organizations for a payday. It has since caused enough damage worldwide to earn the tag of the cyber world’s most fearsome ransomware.

According to ANSSI, Ryuk began demonstrating worm-like self-replicating capabilities in January this year. “The Ryuk variant analyzed in this document does have self-replication capabilities. The propagation is achieved by copying the executable on identified network shares. This step is followed by the creation of a scheduled task on the remote machine,” the agency saidOpens a new window .

“Ryuk looks for network shares on the victim IT infrastructure. To do so, some private IP ranges are scanned. For each identified host, Ryuk will attempt to mount possible network shares using SMB enumeration.”

What this entails is that hacker groups, such as WIZARD SPIDER and UNC1878 (also known as One group), can use Ryuk to spread their tentacles across each and every machine connected to an infected device over the Windows domain, provided Windows Remote Procedure Call (RPC) accesses are possible. RPC is a mechanism that supports communications between Windows clients as well as servers across a network or within a single system.

Aside from acquiring these new capabilities, the new Ryuk ransomware variant continues to hold on to all its previous capabilities, which allowed its operators to net $150 million in ransom payments over the past three years. According to a SonicWall estimate, Ryuk was behind a third (67.3 million) of all ransomware attacks in 2021.

Ryuk now requires no external support and can quickly enhance its reach across connected networks and systems. This bodes ill for organizations that are not prepared to take on these kinds of cyber threats. Considering that Ryuk’s operators didn’t even spare healthcare facilities amidst the global pandemic, attacks are certain to intensify.

See Also: NetWalker Takedown May Not Put an End to Ransomware Attacks

Worm-Like Features

As is the case with several other ransomware strains, the Ryuk payload is delivered via a malicious email attachment that executes the ransomware payload when opened. According to ANSSI, “TrickBot is the loader most responsible for the distribution of Ryuk. TrickBot can be distributed upstream via the Emotet malware-as-a-service. The Emotet-TrickBot-Ryuk and TrickBot-Ryuk chains of infection have therefore frequently been encountered, and persist at least until September 2020.”

Opens a new window

Sequence of the Emotet-TrickBot-Ryuk Infection Chain | Source: ANSSI

Once the new Ryuk variant infects a system, it self-propagates across all resources. Ryuk’s ability to automatically spread across connected systems is supported by the fact that it can now read and list all Address Resolution Protocol (ARP) tables and send a Wake-On-LAN packet to each host on the victim’s IT infrastructure. It performs this action by scanning and identifying network-sharing resources on these hosts, each with a different IP address, followed by encryption.

ARP contains all IP and MAC addresses of all network devices while Wake-on-LAN wakes up powered off computers on the same local area network (LAN) with a network message. So even those systems that are inactive or powered off can be targeted, thereby increasing the attack surface.

When a host is infected, the Ryuk payload kills 41 processes and 64 services, encrypts files, mounted devices, and remote hosts using a combination of RSA-2048 and AES-256 encryption. The infiltration is followed by a ransom note through which the attackers demand a payment (usually Bitcoin) in exchange for the decryptor.

Opens a new window

Ryuk Ransom Note | Source: CrowdStrike

The ransom note is either a text file named RyukReadMe.txt or an HTML file named RyukReadMe.html. What’s worse is that this specific variant of Ryuk can infect a system repeatedly as it lacks any exclusion mechanism like Mutual Exclusion Objects (MUTEX), thus making the disinfection process extremely difficult.


ANSSI laid out some containment measures against the self-replicating capabilities but clarified that “none of these methods could restrain the encryption of an already infected machine.”

Self-propagating Ryuk can be halted by changing the user account’s password by disabling the user account, followed by performing a double KRBTGT domain password change. KRBTGT is a component of Active Directory used to authenticate and encrypt Kerberos tickets, leveraged for secure communication between two or more trusted hosts across an untrusted network.

The ransomware is not known to exfiltrate data in line with the popular double-attack extortion method. However, exfiltration of internal reconnaissance data from the Active Directory by any means other than using the Ryuk ransomware can be performed by attackers for lateral movement and privilege escalation.

Let us know if you liked this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!