This article posted by MiniTool official webpage reviews the targeted, devastated, and effective cyberattack performed by Ryuk ransomware. Besides the analysis on the infection and encryption of Ryuk, it also gives some tips on how to get rid of the attack and how to prevent it.
What Is Ryuk Ransomware?
Ransomware Ryuk is known for attacking large and public-entity Windows cyber-systems. Typically, like common ransomware, it encrypts files and folders of the infected computers and asks for ransom in bitcoin (BTC). Only when victims pay, will they be able to access their files again.
Ryuk is believed to be used by at least two groups of criminals, more likely to be Russian. They target companies or organizations instead of individual users to get more money quickly.
How Does Ryuk Ransomware Get into Your Computer?
According to the UK National Cyber Security Center, Ryuk takes advantage of the Trickbot malware to install itself once a network server is connected. It also uses Emotet malware to gain access to devices as the initial loader or trojan dropper.
More detailly, according to the US Cybersecurity and Infrastructure Security Agency (CISA) website, initial access of Ryuk to your computer may be gained with phishing campaigns that contain either ransomware attachments or links to unsafe websites that host the ransomware.
When victims open the attachments or click the malicious links, loaders start the infection chain by distributing the payload; that is, loaders deploy and execute the backdoor from the command or control server and install malware Ryuk on the target computer.
Ransomware is very annoying and could damage to your PC, then how to prevent ransomware? Read this post carefully to get some useful tips to prevent it.
Ryuk Ransomware Attack
Once Ryuk takes control of the system, it will encrypt most types of files except exe, dll, hrmlog, sys, and ocx on your computer. Then, you can’t access the encrypted data unless you pay for the hackers with BTC, a kind of cryptocurrency that is untraceable.
Folders that Ryuk won’t encrypt:
In most cases, it will take days or weeks before Ryuk starts to encrypt your files massively after the initial infection. During this period time, Ryuk is working on penetrating deeply into the Internet to implement maximum damage.
Ryuk is one of the most harmful ransomware for it also seeks and encrypts files stored on network drives or NAS. It is capable to defeat a lot of antivirus countermeasures and disable the network of the infected computer completely.
Below are some features of the Ryuk ransomware attack:
- Encrypt files with AES-256 and RSA-2048 technologies.
- Encrypt remote hosts and mounted devices.
- Rely on a file maker of HERMES malware to mark or check whether a file has been encrypted or not.
- Store keys in the executable using the proprietary Microsoft Simpleblob format.
Recently it was reported that Mercury ransomware attacked PCs to encrypt files, asking victims to pay a ransom for decryption.
The Note of Ransomware Ryuk
The Ryuk ransomware note is written in a text file named RyukReadMe.txt as below:
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR REMOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at [email protected]
No system is safe
Ransomware protection comes with Windows Defender in Windows 10 October 2017 update. This post shows how to enable it in Windows Defender.
Ryuk Ransomware Removal
How to remove Ryuk? In September 2020, the US Cyber Command initiated a counter-attack to disconnect Trickbot from Internet servers. Shortly thereafter, Microsoft invoked trademark law to disrupt the Ryuk botnet.
How to remove ransomware Ryuk from your computer? Generally, there are two ways.
Solution 1. Pay for Decryption
The easiest and direct way is to do as the hackers required. Just pay them and you will get your files decrypted. Lose money or lose data, it’s up to you.
Solution 2. Try Luck with Anti-malware Programs
If you want to take a risk of losing data, you can try to decrypt your files with decryption software or remove Ryuk ransomware with powerful security tools.
Additional Suggestion: Protect Against Ryuk Malware via Backup
If you have not yet been infected by Ryuk or your files are accessible now, it is of great importance that you make a copy of especially crucial files and save it to an external device. When the copy is done, don’t forget to disconnect the external storage from your computer.
Here, you will need help from a reliable and powerful file backup software like MiniTool ShadowMaker. It enables you to back up files to offline storage. Also, the program allows you to encrypt your backup image; this may prevent Ryuk from access your image file and encrypt it.
On the one hand, Ryuk ransomware is similar to the other ransomware. It hijacks infected machines by encrypting data stored on them and ask for paying. On the other hand, Ryuk is special for targeting enterprise environments for quick money just like Samas and BitPaymer.
In early 2021, ANSSI discovered a Ryuk sample with worm-like capabilities, which allows Ryuk to spread automatically within networks it infects.