Ryuk ransomware explained: A targeted, devastatingly effective attack

Ryuk ransomware attacks are targeted to the most vulnerable, most likely to pay companies and are often paired with other malware such as TrickBot.

ransomware attack
Andrey Popov / Getty Images

What is Ryuk ransomware?

Ryuk is a sophisticated ransomware threat that has been targeting businesses, hospitals, government institutions and other organizations since 2018. The group behind the malware is known for using manual hacking techniques and open-source tools to move laterally through private networks and gain administrative access to as many systems as possible before initiating the file encryption.

Ryuk's history and success

Ryuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017. Hermes was used by the North Korean state-sponsored Lazarus Group in an attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, which led to reports that Hermes, and later Ryuk, were created by North Korean hackers.

Several security companies later disproved those claims and Ryuk is now generally believed to be the creation of a Russian-speaking cybercriminal group that obtained access to Hermes, just like Lazarus likely did. The Ryuk gang is tracked by some security companies as Wizard Spider or Grim Spider and is the same group that operates TrickBot, a much older and active credential theft Trojan program that has a relationship with Ryuk. Other researchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the handle CryptoTech, who simply stopped selling their ransomware publicly after developing an improved version.

To continue reading this article register now

The 10 most powerful cybersecurity companies