FANDOM


Ryuk is a ransomware that made over $640,000 worth of Bitcoin. Ryuk may be the work of the same people who developed the Hermes ransomware.

On July 6th, 2019, Ryuk attacked a county located in Indiana called La Porte. It ended with them paying $130,000 to recover data on computer systems impacted by Ryuk.

Behavior

Unlike most other viruses, this malware does not rename or append any extension to encrypted files.

Payload

Transmission

Ryuk spreads via targeted attacks, with the Ryuk crew targeting selected companies one at a time, either via spear-phishing emails or Internet-exposed and poorly secured RDP connections.

Infection

It creates a text file ("RyukReadMe.txt"), placing a copy in every existing folder. The new text file delivers a message that informs victims of the encryption and encourages them to pay a ransom to restore their data. Ryuk uses RSA-4096 and AES-256 encryption algorithms. Therefore, each victim receives several unique keys that are necessary to restore data. Cyber criminals hide all keys on a remote server. Restoring data without these keys is impossible, and each victim is forced to pay a ransom in exchange for their release.

Text presented in RYUK ransomware text file ("RyukReadMe.txt"):

Gentlemen!
 
 Your business is at serious risk.
 There is a significant hole in the security system of your company. 
 We've easily penetrated your network.
 You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
 They can damage all your important data just for fun.
 
 Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
 No one can help you to restore files without our special decoder. 
 
 Photorec, RannohDecryptor etc. repair tools 
 are useless and can destroy your files irreversibly.
 
 If you want to restore your files write to emails (contacts are at the bottom of the sheet) 
 and attach 2-3 encrypted files 
 (Less than 5 Mb each, non-archived and your files should not contain valuable information
 (Databases, backups, large excel sheets, etc.)). 
 You will receive decrypted samples and our conditions how to get the decoder.
 Please don't forget to write the name of your company in the subject of your e-mail.
 
 You have to pay for decryption in Bitcoins. 
 The final price depends on how fast you write to us. 
 Every day of delay will cost you additional +0.5 BTC
 Nothing personal just business
 
 As soon as we get bitcoins you'll get all your decrypted data back.
 Moreover you will get instructions how to close the hole in security 
 and how to avoid such problems in the future
 + we will recommend you special software that makes the most problems to hackers.
 
 Attention! One more time !
 
 Do not rename encrypted files.
 Do not try to decrypt your data using third party software.
 
 P.S. Remember, we are not scammers. 
 We don`t need your files and your information. 
 But after 2 weeks all your files and keys will be deleted automatically.
 Just send a request immediately after infection. 
 All data will be restored absolutely. 
 Your warranty - decrypted samples.
 
 contact emails
 eliasmarco@tutanota.com
 or
 CamdenScott@protonmail.com
 
 BTC wallet:
 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
 
 Ryuk
 
 No system is safe

Variant

On June 18th, 2019, A new variant of the Ryuk Ransomware has been discovered that adds IP address and computer blacklisting so that matching computers will not be encrypted. If the computer passes these checks, then it will encrypt the computer as usual and append the .RYKextension to encrypted files.

While encrypting files, it will also create RyukReadMe.html ransom notes that contain the phrase "balance of shadow universe" and email addresses that can be contacted for payment instructions.

It is not known what the "balance of shadow universe" means.

The email addresses that are currently being used in the ransom notes are sorcinacin@protonmail.com and neyhyretim@protonmail.com.

Origin

It's origin is currently unknown. It is believed to be from the Lazarus Group, a group from North Korea.

Community content is available under CC-BY-SA unless otherwise noted.