Ryuk ransomware made its first appearance in 2018 as it was being distributed by spam emails that had the Ryuk dropper attached. Then the dropper would download Trickbot or Emotet as well as downloading the ransomware.
Attacks involving the Ryuk ransomware have been frequent and have been recorded to target organisation of medium to large size from many countries.
There is no decryptor for any of the active variants of the Ryuk ransomware and the average ransom required is $100k in Bitcoin which can be paid via provided email addresses in the ransomware note.

Modus Operandi

Initial access

The threat actor would send a phishing email with a Microsoft Office word document file which contain a malicious macro script. As soon as the attachment is opened, the macro attemepts to run a PowerShell code which attempts to download Emotet. Emotet then attempts to download Trickbot which allows for the threat actor to install other tools like Mimikatz and Cobalt Strike that will used to collect credentials, disable security measures, and harvest information, for the purpose of lateral movement and privilege escalation.


Eventually, the threat actors will establish a connection with the target’s servers like the domain controllers and active directories via a remote desktop protocol and then they download Ryuk onto the servers. Upon execution, Ryuk will attempt to kill processes and stop services related to antivirus, database, backup, and document editing software from a list of predefined service and process names by executing “taskkill” and “net stop”.
Then Ryuk make sure it can be executed after reboot of any infected machines by writing itself to the Run registry key where it will then attempt to escalate its privileges to be able to infect itself into processes using OpenProcess and VirtualAllocEx function. Then it will attempt to write three dummy files: a test file, “PUBLIC” which contains the RSA Public key, and “UNIQUE_ID_DO_NOT_REMOVE” which contains a unique hardcoded key.


Ryuk uses a three-tier trust model where three kinds of keys are used in the encryption: global RSA key pair, per-victim RSA keypair, AES symmetric encryption key generated per victim file. So, after a file is encrypted using the CryptGenKey function, the AES symmetric encryption key is encrypted using the unique RSA keypair of the victim before the encrypted key appended to the encrypted file. After the encryption is done, Ryuk deletes the keys used in the encryption and attempts to delete any shadow copies by executing a .BAT file.

Command and Control

The information that Emotet and Trickbot collects from the compromised machines like emails and credentials, are sent to a C&C server during the attack.