Blue Hexagon Blog

Ransomware Families – Ryuk

Ryuk ransomware was first discovered in August 2018 and appears to be a modified version of the Hermes ransomware.

Ryuk is delivered through two different malware families, Emotet and Trickbot. Emotet and Trickbot are generally delivered via a Microsoft Word or Excel document, after which their payload is downloaded. Once a machine is infected with either Emotet or Trickbot, the Ryuk ransomware may then be downloaded onto it.

Since its discovery in August 2018, Ryuk has been updated with Wake-on-LAN capabilities, as well as with the ability to upload specific file types, such as .doc, .docx and wallet.dat, to a malicious remote server. Startup repair and shadow copies are then deleted, and the machine's files are encrypted and given a ransom extension.

The ransom note is written to RyukReadMe.txt and lists an email address to contact in order to obtain decryption of the files. Ryuk payouts average $1.4 million each.
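As an added example that is not part of Blue Hexagon's report, a small Python detector run over constructed Sysmon-style process-creation and file-creation events covering the behaviours described above: shadow-copy deletion, disabling of startup recovery, and the RyukReadMe.txt ransom note being written. The event field names, sample paths and exact command lines are assumptions made for illustration, not values from any real Ryuk incident.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in a Sysmon-like shape (assumed fields: EventID,
# Image, CommandLine, TargetFilename). Event ID 1 = process creation,
# event ID 11 = file creation. Paths and command lines are illustrative only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": "1", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"EventID": "11", "Image": r"C:\Users\Public\svchos.exe",
     "TargetFilename": r"C:\Users\alice\Documents\RyukReadMe.txt"},
]

# Each rule: (alert name, event ID it applies to, field to inspect, pattern).
# Shadow-copy deletion and recovery disabling are the pre-encryption steps the
# post describes; the ransom note name is the file it says Ryuk writes.
RULES: List[Tuple[str, str, str, re.Pattern]] = [
    ("shadow_copy_deletion", "1", "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", "1", "CommandLine",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("ryuk_ransom_note_written", "11", "TargetFilename",
     re.compile(r"(^|\\)RyukReadMe\.txt$", re.I)),
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on a single event."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") == event_id and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Scan an event stream and return (alert name, originating image) pairs."""
    alerts = []
    for event in events:
        for name in match_event(event):
            alerts.append((name, event.get("Image", "")))
    return alerts


if __name__ == "__main__":
    for alert_name, image in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert_name}: {image}")
```

Seeing the first two alerts together on one host, before any ransom note appears, is the point at which a responder still has a window to isolate the machine.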

If you are interested in learning about other ransomware families on which we have published research reports, you can read more here.