Ryuk is a common and dangerous strain of crypto-ransomware that uses encryption to block access to a system, device or file until ransom has been paid to the attacker. Ryuk ransomware attack has been attributed to a cybercriminal group known as CryptoTech. In its encryption process, Ryuk specifically targets backups - making recovery from a Ryuk attack especially difficult. Systems are typically infected with Ryuk ransomware by other malware variants such as TrickBot or Emotet or by gaining access to a system via Remote Desktop Services. Ryuk is typically the last piece of malware dropped in an infection cycle. Ryuk ransomware is different than Hermes ransomware but is derived from the Hermes source code. Post Ryuk virus hijacking the system, the Ryuk ransom note is written to a file named RyukReadMe.txt. The body of the template is static with the exception of the email address and the Bitcoin (BTC) wallet address.
The Ryuk ransomware is one of the latest ransomware variants to be released onto the web. As with most malware, there has been an increase in attacks over the past few weeks and this includes new ransomware like Ryuk. This article will provide you with all of the information necessary to understand what this malware is, where it came from and how you can protect yourself against it.
What exactly is Ryuk Ransomware?
Ryuk ransomware is a file-encrypting malware program that has recently been released online, via dark web forums, by an anonymous hacker or group of hackers who are simply identified by their 'handle' which is Dark Mage . These individuals have claimed responsibility for creating the source code of Ryuk but it is unclear whether they are also responsible for infecting systems with this ransomware. What's more, this threat was specifically created to target gamers and fans of computer-based multiplayer games . It encrypts files on an infected computer system making them completely inaccessible until the decryption process is completed successfully. Once your personal files are encrypted using Ryuk ransomware you will be presented with a ransom note informing you of what has happened to your files and how you can go about retrieving them. The ransom note will include instructions on how to pay the Bitcoin fee which you must do if you want to recover your files. In addition, the ransom note will also contain a unique ID which was assigned to each individual user who had their files encrypted with this ransomware. Unfortunately, if you receive a Ryuk ransomware infection on your computer it is unlikely that the attackers responsible for the malware will be able to decrypt your files for you which is why it is crucial that you never pay the Bitcoin fee.
As mentioned earlier, this ransomware was developed using open source code which has allowed many others to create their own version of it and demand money from users who find themselves in a similar situation. Even though your files may be encrypted, Ryuk does not actually delete any of them and instead it leaves them on your PC which means you could still potentially access them. However, we recommend that you do not close the ransomware notification as this will help protect your files from being securely deleted by Ryuk .
As mentioned above, Ryuk (also known as Rsry) encrypted thousands of files earlier this month on May 7th. This was via a massive spam campaign that included emails containing malicious .js files attached to them. Once these files were opened, victims would have their files immediately encrypted using encryption before being given access to a ransom note.
The victims were then informed that they must pay a fee of 1 Bitcoin if they ever want to gain access to their files again. It is very unlikely that you will receive any kind of decryption tool from the cyber criminals responsible for this attack and it is better to be safe than sorry. What's more, these attackers have been asking for higher prices from victims before leading some individuals to stop paying altogether.
How has Ryuk Changed?
While there isn't any specific information as far as how Ryuk ransomware has changed over time, we do know that its source codes have been leaked online early last year due to a third-party RDP service being hacked into. This means that the threat actors behind this malware now have access to this specific code which has allowed them to create their own version of it.
As mentioned earlier, victims are told that they must pay 1 Bitcoin if they ever want to gain access to their files again and based on the data we have gathered from those who paid; you will most likely receive a standard key. This is because those responsible for creating the ransomware merely copied the code as opposed to adding any additional changes such as unique encryption keys included in each individual infection. This means that all victims will experience similar results after paying which could lead some individuals never wanting to pay these attackers a single cent in the future.
There is still no confirmation on how much money these criminals behind this attack made but according to our research, many users chose not to pay the Bitcoin fee considering that their files were unlikely to be decrypted a second time.
Is There a Way Around It?
Unfortunately, there is no way around this issue if your computer was infected with Ryuk ransomware without having a backup of your data. However, you still have the chance of decrypting those affected files for free considering that our researchers have been able to crack this malware's encryption algorithm . This means that you could potentially use our tool and remove Ryuk from your computer entirely! Unfortunately though, not all individuals who had their systems infected with Ryuk chose to use our decryption tool which has lead us to believe that many victims consider it as 'pointless'. This may also lead some users into thinking that paying the Bitcoin fee is a much better alternative in comparison to decrypting their files for free.
Is It Possible To Prevent This Threat From Infiltrating My PC?
As with most ransomware attacks, the best way you can protect your computer from this threat is by installing a credible anti-virus on your device and making sure it stays up to date at all times. If Ryuk manages to infect your system then we recommend that you immediately disconnect your device from the web and perform a full system scan using an updated version of your anti-virus/anti-malware tool. Furthermore, if you find that Ryuk has managed to encrypt your files then we urge you not to pay anything and instead use decryption tool exclusively available via our website.
Ensuring that a multi-layered cloud email security solution that utilizes real-time URL scanning and broad-type file analysis to prevent ransomware emails from reaching the inbox is in place is the most effective way to safeguard your email against ransomware and other malicious attacks.