The Ryuk ransomware variant was first spotted “in the wild” in August 2018. Since then, it has become one of the most popular and expensive ransomware options. Unlike previous ransomware variants like WannaCry, Ryuk is highly targeted.
The malware is designed so that each victim receives individual attention from the cybercriminal operating it. As a result, Ryuk is used in highly customized infection vectors and targeted campaigns with very high ransom demands.
How Does Ryuk Ransomware Work?
Ryuk is designed to be a targeted form of ransomware. In other words, it focuses on the quality rather than the quantity of its victims. A Ryuk infection starts with a highly targeted attack on a chosen victim, followed by file encryption and a very large ransom demand.
#1. Infection
The operators behind the Ryuk ransomware take a targeted approach to selecting and infecting their victims. Instead of attempting to infect large numbers of computers and demanding a relatively small ransom from each (as WannaCry did), campaigns using Ryuk ransomware target a single organization and set an extremely high price for data recovery.
For this reason, Ryuk is often distributed through highly targeted means. These include the use of personalized spear phishing emails and the abuse of compromised credentials to access systems remotely via the Remote Desktop Protocol (RDP).
A spear phishing email can either deliver Ryuk directly or be the first stage in a chain of malware infections; Emotet, TrickBot, and Ryuk are a common combination. With RDP access, a cybercriminal can install and run Ryuk directly on the target computer, or use that foothold to reach and infect other, more valuable systems on the network.
#2. Encryption
Ryuk uses a combination of encryption algorithms: a symmetric algorithm (AES-256) and an asymmetric algorithm (RSA-4096). The ransomware encrypts each file with the symmetric algorithm and stores alongside it a copy of the symmetric key encrypted with the RSA public key. After the ransom is paid, the Ryuk operator provides the corresponding RSA private key, which allows the symmetric key, and thus the encrypted files, to be decrypted.
Ransomware poses a serious threat to the stability of an infected system if it encrypts the wrong files. For this reason, Ryuk deliberately avoids encrypting certain file types (including .exe and .dll) and files in certain system folders. While not foolproof, this reduces the chance of Ryuk breaking the infected computer, which would make file recovery more difficult or impossible even if the ransom is paid.
#3. Ransom
Ryuk is known as one of the most expensive ransomware variants, with average ransom demands reaching $111,605 in Q1 2020. Ryuk’s ransom notes include an email address that victims can use to contact the cybercriminals operating the ransomware for instructions on how to pay the ransom.
However, organizations that choose to pay the ransom may not always get what they paid for. Paying the ransom should result in the cybercriminal sending a decryption key and/or software capable of decrypting the victim’s files. In most cases, the cybercriminal takes the ransom without giving back access to the files. But even if the cybercriminals act in good faith, there is no guarantee that the organization will regain access to all of its lost files. One version of the Ryuk ransomware decryptor had an error in its code that dropped the last byte when decrypting a large file. In some file formats that last byte is just padding, but in others it is critical to interpreting the file. As a result, a Ryuk victim shouldn’t necessarily expect to get all of its encrypted files back, even if it pays the ransom.
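As an added illustration of the hybrid scheme described under #2 and of the decryptor flaw described under #3 (example code written for this page, not Ryuk’s own code): `seal` needs only the RSA public key, `unseal` needs the private key that is handed over after payment, and `bytesLost` is the round-trip check a victim should run on sample files before trusting a supplied decryptor with everything. CTR mode, OAEP padding, the 4096-byte chunk size and the exact shape of the off-by-one are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
const chunk = 4096 // assumed: the decryptor walks a file body in fixed-size pieces
// envelope is what the hybrid scheme leaves on disk: the body under a per-file AES-256 key, plus that key wrapped with the operator's RSA public key.
type envelope struct{ iv, wrappedKey, body []byte }
// ctr builds the AES-256-CTR stream for a key/IV pair; the key length is always valid here.
func ctr(key, iv []byte) cipher.Stream { b, _ := aes.NewCipher(key); return cipher.NewCTR(b, iv) }
// seal encrypts data under a fresh AES-256 key and wraps that key with RSA-OAEP
// (CTR mode and OAEP are assumptions; the page names only AES-256 and RSA-4096).
func seal(pub *rsa.PublicKey, data []byte) envelope {
	kv := make([]byte, 32+aes.BlockSize) // AES-256 key followed by the CTR IV
	rand.Read(kv)                        // crypto/rand: a failure here is fatal in current Go
	body := make([]byte, len(data))
	ctr(kv[:32], kv[32:]).XORKeyStream(body, data)
	wrapped, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kv[:32], nil) // a 32-byte key always fits
	return envelope{kv[32:], wrapped, body}
}
// unseal unwraps the file key with the RSA private key handed over after payment and
// decrypts chunk by chunk. buggy=true reproduces a constructed off-by-one in the tail chunk.
func unseal(priv *rsa.PrivateKey, e envelope, buggy bool) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.wrappedKey, nil)
	if err != nil { return nil, err } // wrong private key: nothing comes back
	stream, out, n := ctr(key, e.iv), make([]byte, len(e.body)), 0
	for off := 0; off < len(e.body); off += chunk {
		end := off + chunk
		if end > len(e.body) { end = len(e.body) }
		if buggy && off > 0 && end < off+chunk { end-- } // the bug: a multi-chunk file loses its last byte
		stream.XORKeyStream(out[off:end], e.body[off:end])
		n = end
	}
	return out[:n], nil
}
// bytesLost round-trips a size-byte constructed file and reports how many bytes the
// decryptor dropped (-1 if content differs): run it on samples before trusting a decryptor.
func bytesLost(size int, buggy bool) (int, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // Ryuk is reported to use 4096; 2048 keeps the demo fast
	if err != nil { return 0, err }
	data := bytes.Repeat([]byte("sample file content\n"), size/20+1)[:size]
	got, err := unseal(priv, seal(&priv.PublicKey, data), buggy)
	if err != nil { return 0, err }
	if !bytes.HasPrefix(data, got) { return -1, nil }
	return len(data) - len(got), nil
}
```

A file that fits in one chunk survives the buggy decryptor intact, which is why a spot check on a few small files proves nothing; the check has to include files larger than the decryptor’s chunk size.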