
Ryuk Ransomware is Making Hackers Millions

The Ryuk ransomware arrived on the scene with a bang in August 2018, netting the group behind it upwards of $640,000 in its first round of attacks. Since then Ryuk has continued to successfully extort companies and organizations across the globe, with over $3.6 million in bitcoin ransoms paid according to CrowdStrike's Global Threat Report. This makes Ryuk one of the most financially successful ransomware campaigns to date, because its operators demand far more bitcoin per victim than earlier ransomware families did. For comparison, WannaCry is estimated to have infected some 300,000 computers in 2017 yet generated only around $120,000 in ransom payments. Ryuk's success is likely to push other ransomware operators to be far more aggressive in both their operations and their ransom demands.

How does Ryuk spread?

Ryuk is typically a third-stage payload, installed only after a host has already been compromised by the Emotet and Trickbot trojans. The chain begins with a phishing email carrying either a malicious attachment or a hyperlink. When the recipient opens it, Emotet, a malware loader, is installed. Emotet reaches out to a command-and-control (C2) host, which then pushes and installs the Trickbot banking trojan. Not every Emotet and Trickbot infection ends in Ryuk, but most Ryuk infections observed so far appear to have been pushed through Trickbot.

Source: Barkly

Who is Behind it?

Early attribution tied Ryuk to the Lazarus Group (North Korea) because of code similarities with the Hermes malware, which had previously been attributed to Lazarus. However, subsequent in-depth analysis of the malware found far stronger ties to Eastern European cybercrime groups, such as Cyrillic words in the code and references in the ransom notes to Eastern European themes and political messages. More recent attacks suggest, based on analysis of the attack infrastructure and the organizations targeted, that more than one criminal group may now be using the malware.

Regardless of who exactly is behind it, their strategy clearly differs from most ransomware campaigns. Ryuk goes after specific organizations rather than spraying random individuals in untargeted attacks, and its operators price the ransom accordingly, in some cases demanding over $100,000 for the decryption key. That targeting is how they have made so much money from the attacks.

Interestingly, the developers behind the malware appear to be fairly unsophisticated: the code contains numerous holes and failures. In some cases, even after the decryption key is applied, some data cannot be restored because of shoddy programming. This shows that not every attack or piece of malware needs to be sophisticated. It just needs to work.


There have been numerous victims of Ryuk, and we will not go through all of them. However, it is known to have heavily targeted data centers, media publishing, and even some utilities. In December 2018, multiple organizations were hit with Ryuk in a Christmas outbreak. Tribune Publishing, owner of the L.A. Times and San Diego Union-Tribune, was infected, as was Data Resolution, a large cloud software and data center services provider.

The attack on Data Resolution is arguably the more damaging of the two, even though Tribune Publishing received the media attention. Data Resolution supports over 30,000 companies worldwide, so the attack could have exposed the data of all of them, though the company states that customer data was not compromised.

Prevention and Mitigation

Like most ransomware, Ryuk arrives via phishing emails. It is absolutely critical that every organization has email security controls in place and continually trains staff to recognize and report phishing emails.

One of the biggest challenges in preventing and detecting ransomware is that, because encryption and lock-out are so fast, victims usually notice the infection before their security operations center or information security team does. Fortunately, Ryuk is a third-stage payload, so there is usually time to detect and contain both the phishing email and the Emotet and Trickbot infections that precede it. The Ryuk deployment often comes hours, days, or even weeks after a successful Trickbot compromise. It is therefore critically important to run security monitoring and detection against those earlier stages, and to keep anti-virus and endpoint protection up to date.

Once Ryuk has run, there is little you can do to remove the malware and recover your files without paying the ransom. We recommend having a ransomware response policy in place that defines and directs your response. Whether or not to pay is a decision only your organization can make. You can make that decision easier by keeping regular backups and ensuring the backup systems themselves are protected from infection. With good backups, it may be in your interest to simply wipe infected machines, rebuild them, and restore the data from backup.

How We Protect our Customers

At Security On-Demand our philosophy is that once you have been infected with ransomware it is too late. You will likely know you are infected before we ever see it, simply because of processing time, and this holds true for every SOC (internal or MSSP). We therefore put the bulk of our effort into what we call preventative detection. By monitoring for the circumstances that lead to a Ryuk infection, we enable our customers to take corrective action before the ransomware is deployed. We have both signature-based and behavior-based detection rules and analytics looking for Emotet and Trickbot, as well as for generic malware behaviors such as command-and-control (C2) beaconing, communication with known C2 servers, and abnormal payloads being pushed to an infected system.
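As an added illustration of the "preventative detection" idea in this section and the monitoring advice under Prevention and Mitigation (this is example code, not Security On-Demand's ThreatWatch analytics or any vendor's rule), the following Python script scores proxy-log connection pairs for the timing regularity that distinguishes an automated C2 beacon from user-driven browsing. The log lines, hosts, the documentation-range address 198.51.100.23 standing in for a Trickbot C2 server, and the two thresholds are all constructed for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic), one record per line:
# "<ISO-8601 timestamp> <source IP> <destination host or IP> <HTTP status>"
# 10.0.0.5 contacts 198.51.100.23 (documentation range, standing in for a
# Trickbot C2 host) about once a minute with a second or two of jitter;
# everything else is irregular, user-driven browsing.
SAMPLE_LOG = """\
2019-01-14T09:00:00 10.0.0.5 update.microsoft.com 200
2019-01-14T09:00:01 10.0.0.7 cdn.example.net 200
2019-01-14T09:00:03 10.0.0.7 cdn.example.net 200
2019-01-14T09:00:05 10.0.0.5 198.51.100.23 200
2019-01-14T09:00:40 10.0.0.7 cdn.example.net 304
2019-01-14T09:01:04 10.0.0.5 198.51.100.23 200
2019-01-14T09:02:06 10.0.0.5 198.51.100.23 200
2019-01-14T09:02:15 10.0.0.7 cdn.example.net 200
2019-01-14T09:03:05 10.0.0.5 198.51.100.23 200
2019-01-14T09:03:59 10.0.0.7 cdn.example.net 200
2019-01-14T09:04:02 10.0.0.7 cdn.example.net 200
2019-01-14T09:04:05 10.0.0.5 198.51.100.23 200
2019-01-14T09:05:04 10.0.0.5 198.51.100.23 200
2019-01-14T09:05:30 10.0.0.5 update.microsoft.com 200
"""

# Assumed thresholds for this example; tune them per environment.
MIN_CONNECTIONS = 5       # fewer than this and interval statistics mean little
MAX_JITTER_RATIO = 0.15   # stdev(interval) / mean(interval); beacons sit near 0

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, _status = m.groups()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(log_text, min_connections=MIN_CONNECTIONS,
                 max_jitter_ratio=MAX_JITTER_RATIO):
    """Group connections by (src, dst), measure how regular the gaps between
    them are, and return the pairs whose timing looks machine-driven."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst = parsed
            times[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # all timestamps identical; nothing to measure
        jitter = statistics.pstdev(deltas) / mean
        if jitter <= max_jitter_ratio:
            hits.append({"src": src, "dst": dst, "count": len(stamps),
                         "mean_interval_s": round(mean, 1),
                         "jitter_ratio": round(jitter, 3)})
    return sorted(hits, key=lambda h: h["jitter_ratio"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {hit['src']} -> {hit['dst']} "
              f"({hit['count']} connections, every ~{hit['mean_interval_s']}s, "
              f"jitter ratio {hit['jitter_ratio']})")
```

Run against the sample, only the 10.0.0.5 to 198.51.100.23 pair is reported (six connections roughly 60 seconds apart); the browsing to cdn.example.net has wildly varying gaps and the two Windows Update requests fall below the minimum count. Real loaders add randomized sleep, so in production this timing score is one signal to combine with known-C2 indicator lists and payload-size anomalies rather than a verdict on its own, and the window it buys you is exactly the hours-to-weeks gap between the Trickbot compromise and the Ryuk deployment described above.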

Security On-Demand also employs both manual and automated threat hunting. Our hunting service is built on the premise that a breach has already occurred and must be found as quickly as possible. This enables rapid detection and removal of Emotet and Trickbot infections that have slipped past the defenses in place.


We should expect both continued Ryuk infections and copycat ransomware operations following the Ryuk model. The criminals behind this malware are not content with infecting individuals or households; there is limited money there. They want the big fish and are demanding exorbitant ransoms because they target such organizations exclusively. The fact that they have collected over $3 million in the last six months shows the model works. This is bad news for organizations across the globe, and it is critical that you tighten your email security, staff training, and monitoring and detection capabilities.

About Security On-Demand

Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD's patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value, reduce risk, and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA, with international R&D offices and a Security Operations Center in Warsaw, Poland.
