Ryuk (ransomware)

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin.[1] Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.[2]


Ryuk ransomware first appeared in 2018.[1] Although initially suspected to be of North Korean origin, Ryuk has more recently been suspected of being devised by two or more Russian criminal cartels.[1][2] Unlike many other malicious computer hackers, the Ryuk criminal group primarily seeks to extort ransom payments to release the data its malware has made useless by encryption. As a cybersecurity threat analyst said to the Baltimore Sun following an attack on the Baltimore County (Maryland) school system in November, 2020, the Ryuk criminal group "tends to be all business ... they just like to get the job done": to extort a large ransom payoff.[3]

How it works[edit]

In the UK, the National Cyber Security Centre notes that Ryuk uses Trickbot computer malware to install itself, once access is gained to a network's servers. It has the capability to defeat many anti-malware countermeasures that may be present and can completely disable a computer network. It can even seek out and disable backup files if kept on shared servers.[4] Emotet is also used by Ryuk hackers to gain access to computers as the initial loader or "Trojan horse".[5][6]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) website provides detailed information on how Ryuk infects and takes control of a computer network, saying that access may be initially gained by: "... phishing campaigns that contain either links to malicious websites that host the malware or attachments with the malware. Loaders start the infection chain by distributing the payload; they deploy and execute the backdoor from the command and control server and install it on the victim’s machine".[7] The phishing efforts generally contain malicious documents (or hyperlinks to them).[8] When the victim enables it, a malicious macro or loader starts the infection sequence.[7]

Once Ryuk takes control of a system, it encrypts the stored data, making it impossible for users to access unless a ransom is paid by the victim in untraceable bitcoin. In many cases, days or weeks may elapse between the time hackers initially gain access to a system before the massive encryption occurs, as the criminals penetrate deeper into the network to inflict maximum damage.[9] Ryuk is an especially pernicious type of malware because it also finds and encrypts network drives and resources. It also disables the System Restore feature of Microsoft Windows that would otherwise allow restoring the computer's system files, applications, and Windows Registry to their previous, unencrypted state.[6][8]

To combat these ransomware attacks, the U.S. Cyber Command initiated a counter-attack in September, 2020, to disconnect Trickbot from internet servers. Shortly thereafter, Microsoft invoked trademark law to disrupt a Ryuk botnet.[10]

Ransomware victims[edit]

Ryuk targets large organizations with the ability to pay significant sums of money to regain access to their valuable data. All told, more than $61 million in ransom was paid due to Ryuk malware attacks in 2018–2019, according to the FBI.[11] In December, 2018, a Ryuk-based attack affected publication of the Los Angeles Times and newspapers across the country using Tribune Publishing software.[12] Printing of the Fort Lauderdale Sun Sentinel in Florida was halted and even the newspaper's telephones did not work.[13] On 20 October, 2020, an information technology consulting company based in Paris, Sopra Steria, itself suffered a Ryuk ransomware attack.[14] The cybercriminals encrypted the company's data using a variant of Ryuk, making it inaccessible unless a ransom is paid. The attack will cost the company $47–59 million, it estimated.[15] In the wake of the attack, Ryuk was described as "one of the most dangerous ransomware groups that operate through phishing campaigns".[14]

Between 2019–2020, U.S. hospitals in California, New York, and Oregon, as well as in the UK and Germany, have been affected by Ryuk malware, resulting in difficulties with accessing patient records and even impairing critical care. Doctors at affected hospitals have resorted to writing paper instructions, instead of using their inoperable computers.[16][17] In the U.S., a joint statement was issued on October 29, 2020, by three Federal government agencies, the FBI, CISA, and the Department of Health and Human Services, warning that hospitals should anticipate an " 'increased and imminent' wave of ransomware cyberattacks that could compromise patient care and expose personal information", likely from Ryuk attacks.[16] More than a dozen U.S. hospitals were hit by Ryuk attacks in late 2020, shutting down access to patient records and even disrupting chemotherapy treatments for cancer sufferers.[11]

Also targeted are vulnerable public-sector entities often using older software and not following best protocols for computer security. Lake City, Florida, for example, paid $460,000 in ransom after one of its employees opened an email containing a variant of Ryuk malware in June, 2019.[18]

The ransomware has been used to attack dozens of U.S. school systems, which are often deficient in cybersecurity.[19] Since 2019, more than a thousand schools have been victimized. Sometimes the resulting impairment takes weeks to repair.[9] In 2020, schools from Havre, Montana, to Baltimore County, Maryland, have experienced Ryuk ransomware attacks. Ransom demanded by the perpetrators has ranged from $100,000 to $377,000 or more.[20] Online education provider K12 was attacked by Ryuk ransomware criminals in November, 2020, rendering some of K12's records inaccessible and leading to the threatened release of students' personal information. The Virginia-based firm paid an undisclosed ransom amount, saying, "Based on the specific characteristics of the case, and the guidance we have received about the attack and the threat actor, we believe the payment was a reasonable measure to take in order to prevent misuse of any information the attacker obtained".[21]

The large Baltimore County Public Schools system in Maryland, serving 115,000 students and having a budget of $1.5 billion, had to suspend all classes after problems were experienced with its computer network beginning on November 24, 2020, reportedly due to Ryuk. The system's crash first manifested itself when teachers attempting to enter students' grades found themselves locked out and noticed Ryuk file extensions. County school officials characterized it as "a catastrophic attack on our technology system" and said it could be weeks before recovery is complete.[22] The school system's director of information technology said, “This is a ransomware attack which encrypts data as it sits and does not access or remove it from our system".[19] Prior to the crippling malware attack, state auditors from the Maryland Office of Legislative Audits performed a periodic audit of the Baltimore County School System's computer network in 2019. They found several vulnerabilities in the system, such as insufficient monitoring of security activities, publicly accessible servers not isolated from the school system's internal network, and a lack of "intrusion detection ... for untrusted traffic".[23][24] Avi Rubin, Technical Director of the Information Security Institute at Johns Hopkins University, said the auditors' discovery of "computers that were running on the internal network with no intrusion detection capabilities" was of particular concern.[25] Although the final report by the Maryland Office of Legislative Audits was released on November 19, 2020, the auditors initially warned the school system of its findings in October, 2019.[23]

Ryuk's reach is global, hitting councils and government agencies across the globe. One such attack landed on the City of Onkaparinga, South Australia. In December 2019, the Ryuk virus took hold of the city's IT infrastructure. The attack left hundreds of employees in limbo as the cities IT department worked on reinstating operations. Each time backups were reinstated the Ryuk virus would start the process of attacking the system all over again. The attack continued for four days before the IT team were able to contain the virus and reinstate the necessary backups.[26][27]

In early 2021, a new strain of the Ryuk ransomware was discovered that features worm-like capabilities that can lead to it self-propagating and being distributed to other devices on the local database it is infiltrating.[28][29]

See also[edit]


  1. ^ a b c Constantin, Lucian (May 12, 2020). "Ryuk ransomware explained: A targeted, devastatingly effective attack". CSO Online. International Data Group. Retrieved November 27, 2020.
  2. ^ a b Brewster, Thomas (February 20, 2019). "Mistaken For North Koreans, The 'Ryuk' Ransomware Hackers Are Making Millions". Forbes. Retrieved November 30, 2020.
  3. ^ Bowie, Liz; Knezevich, Alison (November 27, 2020). "Ransomware attack cripples Baltimore County Public Schools". The Baltimore Sun. Retrieved November 27, 2020.
  4. ^ "Ryuk ransomware targeting organisations globally". National Cyber Security Centre. June 21, 2019.
  5. ^ "North Korean APT(?) and recent Ryuk Ransomware attacks". Kryptos Logic. January 10, 2019. Retrieved December 1, 2020.
  6. ^ a b Kujawa, Adam (January 8, 2019). "Ryuk ransomware attacks businesses over the holidays". Malwarebytes.com. Retrieved December 10, 2020.
  7. ^ a b "Ransomware Activity Targeting the Healthcare and Public Health Sector". Cybersecurity and Infrastructure Security Agency. November 2, 2020. Retrieved November 27, 2020.
  8. ^ a b "Ryuk evolves into one of the most devastating ransomware threats". Rangeforce.com. Retrieved December 10, 2020.
  9. ^ a b Collins, David (November 26, 2020). "BCPS IT officials trying to undo damage caused by ransomware cyberattack". Baltimore, Md.: WBAL-TV. Retrieved November 28, 2020.
  10. ^ "Microsoft Uses Trademark Law to Disrupt Trickbot Botnet". Krebs on Security. Retrieved December 1, 2020.
  11. ^ a b Barry, Ellen; Perlroth, Nicole (November 27, 2020). "Patients of a Vermont Hospital Are Left 'in the Dark' After a Cyberattack". New York Times. Retrieved November 28, 2020.(subscription required)
  12. ^ Sanger, David E.; Perlroth, Nicole (December 30, 2018). "Cyberattack Disrupts Printing of Major Newspapers". New York Times. Retrieved November 28, 2020.(subscription required)
  13. ^ Olmeda, Rafael (December 29, 2018). "Computer virus freezes South Florida Sun Sentinel". Retrieved November 28, 2020.
  14. ^ a b "Sopra Steria falls victim to Ryuk Ransomware". SecureReading. 23 October 2020. Retrieved 4 December 2020.
  15. ^ "Ransomware Attack Will Costs French IT Services $60 Million". TechStreetnow. November 26, 2020. Retrieved December 4, 2020.
  16. ^ a b Joy, Kevin (October 29, 2020). "What Hospitals Should Know About the Ryuk Ransomware Threat". HealthTech. Retrieved November 27, 2020.
  17. ^ "US hospitals brace for flood of Ryuk". Techhq. October 30, 2020. Retrieved November 27, 2020.
  18. ^ Mazzei, Patricia (June 27, 2019). "Another Hacked Florida City Pays a Ransom, This Time for $460,000". New York Times. Retrieved November 28, 2020.(subscription required)
  19. ^ a b Paybarah, Azi (November 29, 2020). "Ransomware Attack Closes Baltimore County Public Schools". New York Times. Retrieved December 2, 2020.
  20. ^ Dragu, Paul (February 10, 2020). "Ransomware cripples Havre Public Schools computer system". Havre Herald. Retrieved November 29, 2020.
  21. ^ Abrams, Lawrence (December 2, 2020). "K12 online schooling giant pays Ryuk ransomware to stop data leak". BleepingComputer. Retrieved December 4, 2020.
  22. ^ Bowie, Liz; Knezevich, Alison (November 27, 2020). "Experts say restoring Baltimore County school network may take weeks, with classes potentially back in days". The Baltimore Sun. Retrieved November 27, 2020.
  23. ^ a b Simpson, Amy (November 30, 2020). "State auditor: BCPS informed of network concerns in October 2019". WBFF. Retrieved December 3, 2020.
  24. ^ Knezevich, Alison (November 26, 2020). "Audit found 'significant risks' in Baltimore County schools' computer network". The Baltimore Sun. Retrieved November 28, 2020.(subscription required)
  25. ^ Collins, David (November 27, 2020). "Auditors found significant risks in BCPS network before ransomware cyberattack". Baltimore, Md.: WBAL-TV. Retrieved December 2, 2020.
  26. ^ "Surviving a shocking ransomware attack Lessons from the City of Onkaparinga". www.compnow.com.au/. www.compnow.com.au. Retrieved 19 April 2021.
  27. ^ "Suspected Ryuk ransomware attack locks down Adelaide's City of Onkaparinga council". www.abc.net.au. Australian Broadcasting Commission. 6 January 2020. Retrieved 19 April 2021.
  28. ^ ArcTitan (2021-03-09). "Caution Advised as all Devices on the Network Can be Automatically Infected by Ryuk Ransomware". ArcTitan. Retrieved 2021-03-09.
  29. ^ "Subscribe to read | Financial Times". www.ft.com. Retrieved 2021-03-09. Cite uses generic title (help)