In 2019, ransomware was one of the key players of cybercrime. Companies and official organizations all around the world were hit by cyberattacks that used this kind of malware to encrypt their files and demand a ransom. These waves of ransomware used a range of variants to carry out the attacks. However, there is one variant that was used then, and that is still seen today, that made a name for itself because of how often it was used: Ryuk.

Ryuk is one of the most notorious ransomware variants of the last few years. Since it first appeared in summer 2018, it has garnered an impressive list of victims, especially in business environments, which are the primary focus of its attacks.

In mid-2019, a large number of important Spanish companies suffered serious attacks that made use of Ryuk to encrypt their systems. The companies affected were in a range of sectors and varied in size. They included Everis and several municipal governments.

Spain is not the only country to have suffered at the hands of this ransomware; the countries that have been worst hit by Ryuk are Germany, China, Algeria, and India. Over the last three years, Ryuk has affected millions of users, compromising vast amounts of data and causing significant economic losses.

How Ryuk works

Like other pieces of ransomware, once Ryuk has finished encrypting its victims’ files, it leaves a ransom note stating that, in order to recover their files, they need to make a payment in bitcoins to the address indicated in the note.

In the sample analyzed by Panda Security, Ryuk made its way on the system via a remote connection made in an RDP attack. The bad actor managed to log in remotely. Once logged in, he created an executable with the sample.

Ryuk, like other pieces of malware, tries to stay on the system for as long as possible. One of the ways that it tries to do so is by creating executables and launching them in secret. To be able to encrypt its victim’s files, it also needs to have privileges. Generally speaking, Ryuk starts with a lateral movement or is launched by another piece of malware, such as Emotet or Trickbot. These are responsible for escalating privileges before granting them to the ransomware.

How to protect yourself against Ryuk

Ryuk has a litany of tricks to gain entry, gain persistence, and encrypt the its victims’ files. As is the case with all ransomware, if you don’t have the proper protection and if you don’t follow the appropriate guidelines, this threat can be hard to contain.

Panda Security deals with this problem with a combination of advanced endpoint protection in its solution Panda Adaptive Defense, with its EDR capabilities, its monitoring of all endpoints on the system, and its 100% classification service. It is based on a zero-trust approach: any unknown process or application is blocked until it can be analyzed. This way, it is able to stop any threat before it can run, even the most advanced attacks, like Ryuk.

Find out more technical details about Ryuk in our report on this ransomware, written by PandaLabs:

Download the report