How Does Ryuk Ransomware Work? An Explainer

August 31, 2021 in Cyber Attacks, Malware

Ryuk ransomware is a highly aggressive and widespread type of malware that first appeared in 2018, when it began attacking large, high-profile institutions running Microsoft Windows. Because its code closely resembles the earlier Hermes ransomware, it was initially suspected to have originated in North Korea; Ryuk is now widely believed to be operated by criminal groups based in Russia or one of the former Soviet states. According to Security Magazine, Ryuk ransomware was responsible for one-third of all ransomware attacks in 2020.

How does Ryuk ransomware work?

Once Ryuk ransomware infects its target, it encrypts the victim's files and holds the data hostage until a substantial ransom is paid, generally in bitcoin or another cryptocurrency. Ryuk is a lucrative form of ransomware because it is aimed at large organizations holding highly sensitive, confidential data, such as health records and financial data. These organizations generally have the financial resources to pay a large ransom, often six figures or more. Healthcare providers, school systems, local governments, and other mostly public-sector organizations running outdated or unpatched operating systems were common Ryuk targets.

Ryuk ransomware typically gains entry to the targeted organization through a phishing email that persuades the recipient to open a Microsoft Office attachment carrying malicious macros, or to click a link leading to a site that serves one. A common infection chain runs as follows: the macros download the Emotet banking trojan, which serves as a loader for the TrickBot malware; TrickBot then steals credentials and data, profiles the network and gives the operators a foothold; only after that reconnaissance, and once the operators have obtained domain-level access, is Ryuk deployed across the environment to encrypt the data. Ryuk itself is the last stage, not the initial infection.
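The first link in that chain is an Office attachment carrying a VBA project, so a cheap, high-signal control is to inspect attachments for one at the mail gateway rather than trusting the file extension. The script below is an added example and is not code from the original article or from SiteLock. It relies on a real property of modern Office files: .docx/.docm/.xlsm files are ZIP containers, a VBA project is stored as a part named vbaProject.bin, and that part is declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject. The sample documents are constructed in memory so the script runs offline; the function names, the placeholder bytes standing in for a VBA project, and the "invoice" file names are assumptions for illustration.

```python
"""Triage Office attachments for embedded VBA macros (added example, not from the article)."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # header of legacy OLE2 .doc/.xls files


def find_macro_parts(data: bytes) -> list:
    """Return the container members that hold a VBA project, or [] if none.

    OOXML (ZIP) containers are inspected structurally. A legacy OLE2 file is
    reported as a single 'ole2-container' entry: its macro streams need an OLE
    parser (for example oletools), which is outside this example, so it is
    handed off rather than silently passed.
    """
    if data.startswith(OLE_MAGIC):
        return ["ole2-container"]
    if not data.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # A renamed part must still be declared in the content types, so
            # check the manifest as well as the member names.
            if "[Content_Types].xml" in names and not hits:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml declares a vbaProject part")
            return hits
    except zipfile.BadZipFile:
        return []


def triage(filename: str, data: bytes) -> dict:
    """Decide on the attachment from its content, never from its extension."""
    parts = find_macro_parts(data)
    return {
        "file": filename,
        "macro_parts": parts,
        "verdict": "QUARANTINE" if parts else "allow",
    }


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML document in memory (test fixture, not a real-world sample)."""
    overrides = (
        '<Override PartName="/word/document.xml" ContentType="application/'
        'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    )
    if with_macro:
        overrides += '<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_CONTENT_TYPE
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (assumption).
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docx": build_sample_docx(with_macro=False),
        "invoice.docm": build_sample_docx(with_macro=True),
        # A macro-enabled document renamed to .doc: Word sniffs the content and
        # still runs the macros, so the extension must not drive the decision.
        "invoice.doc": build_sample_docx(with_macro=True),
        "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    }
    for name, blob in samples.items():
        print(triage(name, blob))
```

The renamed .doc case is the one that catches extension-based filters: the verdict comes from the container contents, so it is quarantined like the .docm. In production this check would sit beside, not replace, an OLE parser for legacy formats and a policy that blocks macros in files arriving from the internet.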

Like many forms of malware, Ryuk is an evolving threat, becoming more destructive with each variant. In early 2021 a Ryuk variant with worm-like capabilities was discovered: once it runs on one machine with sufficient privileges, it can spread itself to other Windows hosts across the network without relying on another form of malware, such as TrickBot, as a dropper.

Notable Ryuk ransomware attacks

The fallout from Ryuk ransomware attacks has been catastrophic. The FBI estimates that bad actors deploying Ryuk ransomware made off with over $61 million in ransom payments in a 21-month period spanning 2018 and 2019. And the damage to a single targeted organization can easily reach tens of millions of dollars: Universal Health Services (UHS), a large healthcare provider operating over 400 hospitals and facilities, reported a $67 million financial impact following a September 2020 attack that knocked its company-wide network offline.

In addition to financial damages, the attacks halted essential public services. A prime example is the November 2020 attack on Baltimore County's school system, which disrupted remote learning for 115,000 students amid the COVID-19 pandemic by forcing schools to shut down for three days.

One of the most prominent Ryuk ransomware attacks, in December 2018, hit major newspapers owned or formerly owned by Tribune Publishing, including the Los Angeles Times, the San Diego Union-Tribune and the South Florida Sun Sentinel. The attack disrupted production of several large-market daily newspapers and even took the Sun Sentinel's phone lines out of commission.

Safeguarding your data

Although Ryuk ransomware is exceptionally effective and destructive, organizations that fell victim to it could have been more proactive: company-wide security awareness training against phishing, blocking Office macros in files that arrive from the internet, promptly installing the latest security updates, keeping tested backups offline where ransomware cannot reach them, and following other cybersecurity best practices such as multi-factor authentication and network segmentation, which limit how far the Emotet and TrickBot stages can spread before Ryuk is deployed. Get in touch with SiteLock to learn more about ransomware and how to protect your organization against the next widespread ransomware attack and other cyberthreats.
