Ryuk Ransomware: Breakdown and Prevention Tips

Ryuk ransomware targets large organizations and spreads with deadly speed. Learn about the strain and how to prevent your company from becoming a victim.
David Harrington
Last updated June 12, 2023

Although Ryuk ransomware is named after a famous Japanese anime villain, the threat it presents to businesses and organizations is far from fiction. First appearing in 2018, Ryuk ransomware has been targeting any number of both public and private sector entities, most notably hospitals and healthcare facilities in recent years.

The origins of Ryuk ransomware are debatable, but we do know that it uses open-source malware to help hackers move laterally through systems to conduct ransomware attacks. Here we’ll discuss the history of Ryuk ransomware, how it works, and ways to tell if you’ve been compromised by Ryuk.

We’ll also give you some key tips on preventing Ryuk ransomware attacks, how to mitigate the damage if one does take place, and key technologies you should consider implementing in your anti-ransomware efforts.


What is Ryuk ransomware?

Ryuk ransomware is derived primarily from the popular Hermes commodity ransomware, which was widely available on the dark web and hacker forums prior to 2018. But unlike Hermes, the Ryuk code has been modified and upgraded to specifically target enterprise environments. The ransomware is almost exclusively disseminated via a malware program called TrickBot, entering the system as a Trojan horse.

Unlike more highly automated forms of ransomware, Ryuk is operated manually: once inside, hackers navigate it to conduct reconnaissance and select the most high-value targets. Once the data is stolen or systems are rendered inoperable, Ryuk attackers typically demand the ransom in Bitcoin or other cryptocurrencies. One of the biggest recent Ryuk attacks, conducted by hacker group Wizard Spider, disabled the computer systems of United Health Care, one of the largest healthcare providers in the world.

History of Ryuk ransomware 

The name Ryuk likely originates from a character in the popular anime and manga series called “Death Note,” with Ryuk being a form of “death god” who could enable targeted killings. Ryuk was first noticed around August of 2018, when large organizations began to find that they were being targeted specifically by Wizard Spider and other hacker organizations.

Some of the most high-profile Ryuk hacks in 2018 included the Onslow Water and Sewer Authority (OWASA) in Florida and the Tribune Publishing Company, with notable newspapers like the Los Angeles Times being affected. And now in 2021, a new variant of Ryuk has emerged, which autonomously moves laterally within networks and systems without human control.

Ryuk ransomware was a game-changer because it possessed greater capabilities to target large enterprises and organizations. And with new variants, innovations, and hacker groups emerging, Ryuk continues to be an extremely dangerous ransomware tool.

Who is responsible for Ryuk?

While the most notable iteration of Ryuk ransomware first appeared in late 2018, the malware’s origins stretch back a bit further. Ryuk’s original inspiration is a slightly older malware called Hermes. It’s believed that cybercriminal group Lazarus first popularized Hermes, but that Ryuk was ultimately created by another hacker organization called CryptoTech.

How does Ryuk ransomware work?

[Figure: attack diagram of a Ryuk attack: Phishing > Activating TrickBot script > Negotiating ransom]

A Ryuk ransomware attack typically occurs in the following sequence of events:

  • Phishing: The ransomware is usually delivered to an unsuspecting user or users via a phishing attack. Ryuk is embedded in a legitimate-looking document or attachment, executing once the user opens it.
  • TrickBot: Once Ryuk is unleashed, the TrickBot script is activated. TrickBot is purpose-built to collect passwords and gain privileged access to higher levels of the system and network.
  • Ransom: The attackers then use TrickBot to navigate laterally through the system and either shut it down completely or gain access to sensitive data. Ryuk will then deliver a message explaining that an attack is underway along with payment instructions.

With malicious emails up over 600% since the beginning of COVID-19, it’s imperative that organizations have the right tools and cybersecurity posture to detect and mitigate Ryuk attacks at all three stages.

Indicators of compromise: How to detect a Ryuk attack

Discerning that a Ryuk attack is underway can be tricky, especially since the malware tends to be cleverly hidden in phishing or spam emails. Here are a few indicators of Ryuk compromise and tools that you can use to detect them.

  • YARA rule detection: YARA rules classify and identify malware using textual or binary patterns in families of malware. If your organization has YARA rules implemented that are specific to the Ryuk code, you may get alerted to a compromise as soon as it happens.
  • Autoruns VirusTotal check: Using the Microsoft Autoruns tool will alert users to Ryuk and other forms of potential malware set to run upon system boot or account login. Autoruns will display a “VirusTotal” number indicating the likelihood that a specific program or code is a virus.
  • Anti-ransomware alerts: Varonis can build out rings of detective controls from data to Active Directory and DNS, and through to VPNs and proxies. Comprehensive ransomware protection software like DatAlert can detect suspicious data access patterns and alert you to potential Ryuk attacks as they’re taking place. It can also trigger an automatic response to mitigate damage, and the complete audit trail of file system access helps perform targeted restores.

Employing the right technology stack can help pinpoint compromise indicators before Ryuk can do too much damage. But you’ll also need to take proper prevention measures that work in tandem with your detection efforts.

Ryuk attack prevention tips

There are several key measures you can take that can help prevent your organization from falling victim to a Ryuk ransomware attack. These involve technology, strategy, and internal measures that will combine to provide a robust defense.

  • Install anti-malware software: The first step is to invest in anti-malware and virus protection technology. Strongly consider systems that offer real-time detection, alert, and response capabilities. Also, look for features that shield your most vulnerable programs from threats or block malware from holding files hostage. Some anti-malware solutions even use what’s called “rollback technology,” specifically designed to counter ransomware.
  • Watch your data: When you monitor data access behavior, attackers and insiders can't hide. Traditional ransomware detection monitors everything but the data. Security teams need to be able to detect early warning signs of ransomware in order to prevent damage. The best way to detect ransomware (without a ton of noise) is with behavioral-based alerting that can flag abnormal activity before it does damage.
  • Reduce your blast radius: As the ultimate goal of ransomware like Ryuk is to steal sensitive data and hold it for ransom, it is critical to reduce the attackers' ability to easily gain access to that data. To achieve this, you can utilize a solution like Varonis to identify who has access to data and remove excessive access, ensuring only those that require permissions have them, which reduces your blast radius. Now, if an attacker manages to compromise an account, they will have minimal access to data to steal. You’ll also be able to quickly investigate which files were affected and begin recovery efforts.
  • Create secure backups: Although you might find it to be a small hassle, creating secure backups of your data on a consistent basis will reduce the amount of potential leverage that ransomware attackers have over you. Use cloud storage that uses high-level encryption and multi-factor authentication. You can also use physical devices like USB drives that are stored in a secure location as an additional prevention layer.
  • Update systems regularly: Many malware programs and viruses like Ryuk take advantage of vulnerabilities in old or outdated versions of software. If your team or company has trouble keeping abreast of updates, at the very least make sure that auto-update settings are enabled on all of your key systems and software. Hackers are constantly on the hunt for systems that haven’t been patched, making updates a critical Ryuk prevention tactic.
  • Train employees frequently: Because Ryuk often makes its way into systems via phishing and social engineering efforts, regular employee training sessions are critical. Insider threats often take the form of careless or unaware employees, so you’ll want to work with a cybersecurity partner like Varonis to develop an educational program that helps people spot and report potential Ryuk phishing efforts.
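
The behavioral alerting described under "Watch your data" (and the suspicious data access patterns mentioned in the detection section) can be sketched as a sliding-window check over a file-access audit trail. This is an added example, not code from the original article or from any Varonis product; the log format, account names, window, and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WRITE_OPS = {"modify", "rename", "delete"}  # operations that change file content or names

def parse_line(line):
    """Parse 'ISO-timestamp account operation path' (assumed format)."""
    ts, account, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, op, path

def detect_bursts(lines, window=timedelta(seconds=60), threshold=30):
    """Return {account: time of first alert} for every account that changes
    at least `threshold` distinct files inside one sliding `window`."""
    recent = defaultdict(deque)  # account -> (time, path) events still in the window
    alerts = {}
    for ts, account, op, path in sorted(map(parse_line, lines)):
        if op not in WRITE_OPS or account in alerts:
            continue
        events = recent[account]
        events.append((ts, path))
        while ts - events[0][0] > window:  # drop events older than the window
            events.popleft()
        # Count distinct files, so repeated saves of one document do not alert.
        if len({p for _, p in events}) >= threshold:
            alerts[account] = ts
    return alerts

def build_sample_log():
    """Constructed audit lines: ordinary activity plus one mass-change burst."""
    base = datetime(2023, 6, 12, 9, 0, 0)
    lines = [f"{base.isoformat()} alice read /finance/q2.xlsx",
             f"{(base + timedelta(seconds=5)).isoformat()} alice modify /finance/q2.xlsx"]
    for i in range(50):  # bob autosaves one file 50 times: benign
        t = base + timedelta(minutes=3, seconds=i)
        lines.append(f"{t.isoformat()} bob modify /hr/policy.docx")
    for i in range(40):  # svc_scan changes 40 different files in 20 seconds
        t = base + timedelta(minutes=10, milliseconds=500 * i)
        lines.append(f"{t.isoformat()} svc_scan modify /shares/dept{i % 4}/file{i}.docx")
    return lines

if __name__ == "__main__":
    for account, when in detect_bursts(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {account}: burst of distinct file changes")
```

The window and threshold need tuning against each environment's normal baseline, since backup jobs and bulk migrations produce similar bursts.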

Once you’ve implemented the above measures, you’ll still want to develop a game plan for mitigating the damage of any potential Ryuk attacks.

Ryuk attack mitigation in 3 steps

Many Ryuk ransomware victims are taken by surprise, leaving them no choice but to pay a hefty ransom in Bitcoin. However, there are steps you can take in terms of Ryuk ransomware removal and damage mitigation after you’ve detected an attack.

Step 1: Malware unpacking

Once you’ve detected a Ryuk infection, you’ll want to alert your IT teams so they can unpack the malware using a tool like x64dbg. You should set up a secure, virtualized environment to analyze and unpack malware. In the case of Ryuk, you’ll want to target the TrickBot code for unpacking.

Step 2: Quarantine & patch

Unpacking the malware will then allow you to quarantine it in a secure system location. You’ll then want to immediately begin patching and cleansing the rest of your system entirely since Ryuk’s design allows it to move laterally throughout systems and may spring up elsewhere. Cleaning each computer one by one is a painstaking yet necessary step.

Step 3: Contact authorities

Law enforcement organizations like the FBI have Ryuk ransomware attacks on their radar, partly due to the threat posed to national security and infrastructures like defense and healthcare. While your team may possess solid expertise in ransomware remediation, collaborating with law enforcement should be a mandatory step in your Ryuk response plan.

Closing thoughts

Ryuk is one of the most dangerous types of malware in the wild today for large enterprises and public sector organizations. Without the proper system and data protection measures, Ryuk can spread rapidly through a system with the guidance of an expert hacker or even automatically with newer variants. You’ll need to take a variety of steps, from anti-phishing training to advanced anti-malware tools, to ensure you don’t end up paying a small fortune in Bitcoin to one of the many hacker organizations now aggressively utilizing Ryuk ransomware.
