Did you know that in 2020 Ryuk ransomware hit 67.3 million targets?

What is Ryuk?

Ryuk is a crypto-ransomware strain that encrypts a system, device or file and demands a ransom to restore access. Ryuk is delivered to target assets by other malware, notably TrickBot, and access to the victim system is typically gained through remote desktop services.

Ryuk typically targets vulnerable organizations and critical entities such as hospitals, where the probability of a ransom payout is high. Since the ransom is the primary motive, its operators demand more than any other ransomware group: the ransom amount ranges between $100,00 and $500,00 in bitcoin. Their campaigns succeed because they select high-profile targets for whom data and information are sacrosanct, so the chance of a payout is high.

Ryuk debuted in mid-August 2018 and was operated by Wizard Spider, a sophisticated group that targeted large organizations holding critical and sensitive data for high ransom payouts.

The creation of Ryuk is generally attributed to a cybercriminal group known as CryptoTech, which was selling Hermes 2.1 on underground forums, but some researchers believe it was created by a Russian cybercriminal cartel.

New Variant

Researchers noted that since July 2020 a new variant called Conti has been making the rounds. The consensus among security experts is that the Ryuk threat actors have rebranded as Conti ransomware.

Conti is a private Ransomware-as-a-Service (RaaS) offering that encrypts files and delivers the ransom note.

The convergence of Ryuk and Conti can be seen in the features they share –

  • Encrypt files stored on the network

  • Disable backup and OS services

  • Can be deployed manually

  • Infect local disks

  • Linked to the same developer group based on the malware code

  • Use an AES-256 encryption key

  • Use the same ransom note template

  • Both use the TrickBot framework

How does Ryuk attack?

Ryuk is primarily spread by malware that drops the ransomware onto an already infected system. Here is how it attacks –

Once the files on the system are encrypted, it creates the ransom note, “RyukReadMe.txt”, and places a copy in every folder.

Ryuk MITRE ATT&CK Mapping

ATT&CK Tactic Category    Techniques

Privilege Escalation      T1134 – Access Token Manipulation

Persistence               T1547 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Execution                 T1059 – Command and Scripting Interpreter: Windows Command Shell
                          T1106 – Native API

Impact                    T1486 – Data Encrypted for Impact
                          T1490 – Inhibit System Recovery
                          T1489 – Service Stop

Discovery                 T1083 – File and Directory Discovery
                          T1057 – Process Discovery
                          T1016 – System Network Configuration Discovery

Defense Evasion           T1562 – Impair Defenses: Disable or Modify Tools
                          T1036 – Masquerading: Match Legitimate Name or Location
                          T1055 – Process Injection

Ryuk – A Cheat Sheet

  1. Ryuk has 17 CVEs in its arsenal that it exploits to mount attacks on its victims.

  2. The years of discovery of these CVEs range from 2013 to 2020.

  3. Six CVEs are Remote Code Execution (RCE) exploits and one CVE is a Privilege Escalation.

  4. 57% of the CVEs in Ryuk’s arsenal are rated critical, 5 are medium and 1 is of low severity.

  5. Five CVEs in numerical order (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147) are tied to five APT groups.

  6. Seven CVEs exist in Microsoft products such as Windows Vista, Windows Server (2007, 2008, 2012, 2010, 2016, 2019), Internet Explorer, Microsoft Edge etc.

  7. Five CVEs are weaknesses that exist in multiple products from vendors such as Novell, Fedora Project, Debian, Canonical, Huawei, Gentoo, Oracle, Amazon, IBM, OpenBSD, WinSCP, NetApp, Red Hat, VMware, Synology, Samba etc.

  8. The EternalBlue exploit kit is used to exploit CVE-2017-0143 and CVE-2017-0144.

  9. All 17 CVEs have patches, and it is recommended that they be prioritized for immediate remediation.

  10. CWE-20 is the most exploited weakness among the Ryuk-associated CVEs; it ranked third in the CWE Top 25 Most Dangerous Software Weaknesses.

  11. CVE-2020-1472 is a recent addition to Ryuk’s arsenal, while the rest are old. This brings the focus back to cyber hygiene, which needs to be practiced diligently.

  12. CVE-2018-1156 and CVE-2018-14847 are RCE bugs through which Ryuk compromises an unpatched MikroTik router and turns it into a command and control server that infects victims with rootkits.

Check out our Spotlight Ransomware report for more!

Threat Groups & APT Groups

Ryuk is associated with the following threat and APT groups, which use Ryuk to launch complex attacks on vulnerable organizations holding critical information and data.

Threat Groups

  • Gothic Panda

  • Pirpi

  • UPS Team

  • Buckeye

  • Threat Group-0110

  • TG-0110

  • Guardians of Peace

  • ZINC

APT Groups

  • APT3

  • APT10

  • Stone Panda

  • Shadow Brokers

  • Lazarus Group (APT37 & APT38)

How to detect Ryuk in your environment

Here are some of the IoCs that will alert you to malicious objects on endpoints:

Ryuk payload

SHA256: BDDAF6020F8DF169E1901C709701240F1A810D0E0FCEC7D4479D5354360E1795

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Ryuk-related IPs

Ryuk-related file paths

  • c:\Windows\System32\setup.exe

  • c:\Users\Default\AppData\Roaming\msnet\uetur.exe

  • c:\Users\*\AppData\Roaming\msnet\uetur.exe

  • c:\Users\*\AppData\Roaming\msnet

  • c:\Windows\System32\config\systemprofile\AppData\Roaming\msnet\uetut.exe

  • c:\Windows\System32\config\systemprofile\AppData\Roaming\msnet

  • c:\Windows\System32\Tasks\Ms net
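To turn the indicators above into a repeatable endpoint check, here is an added Python example (not code from the original post or from any vendor tool) that matches file hashes, the RyukReadMe.txt note and the listed paths, and inspects Run-key values. The Run-key contents and file bytes it works on are constructed inline; on a real host you would feed it the values read from the registry and the files read from disk.

```python
import fnmatch
import hashlib
# Indicators as listed on the page, lower-cased; "*" stands for the user profile folder.
RYUK_PAYLOAD_SHA256 = "bddaf6020f8df169e1901c709701240f1a810d0e0fcec7d4479d5354360e1795"
RYUK_PATH_PATTERNS = [
    r"c:\windows\system32\setup.exe",
    r"c:\users\default\appdata\roaming\msnet\uetur.exe",
    r"c:\users\*\appdata\roaming\msnet\uetur.exe",
    r"c:\users\*\appdata\roaming\msnet",
    r"c:\windows\system32\config\systemprofile\appdata\roaming\msnet\uetut.exe",
    r"c:\windows\system32\config\systemprofile\appdata\roaming\msnet",
    r"c:\windows\system32\tasks\ms net",
]

def normalize(path: str) -> str:
    """Lower-case, strip quotes and use backslashes so matching ignores case and slash style."""
    return path.strip().strip('"').replace("/", "\\").lower()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def path_matches_ioc(path: str) -> bool:
    """True if the path is one of the listed Ryuk paths or lies beneath one of them."""
    p = normalize(path)
    return any(fnmatch.fnmatchcase(p, pat) or fnmatch.fnmatchcase(p, pat + r"\*")
               for pat in RYUK_PATH_PATTERNS)

def command_target(value: str) -> str:
    """Executable named by a Run-key command line, e.g. '"C:\\x.exe" /q' -> C:\\x.exe."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    return v.split(" ")[0]

def scan_run_values(run_values: dict) -> list:
    """run_values: value name -> command line under HKCU\\...\\Run (constructed in tests)."""
    return [(name, cmd) for name, cmd in run_values.items()
            if path_matches_ioc(command_target(cmd))]

def scan_files(files: dict, known_hashes=frozenset({RYUK_PAYLOAD_SHA256})) -> list:
    """files: path -> bytes. Hash hit = high confidence; note = encryption already ran; path = triage."""
    findings = []
    for path, data in files.items():
        if sha256_hex(data) in known_hashes:
            findings.append(("hash", path))
        elif normalize(path).rsplit("\\", 1)[-1] == "ryukreadme.txt":
            findings.append(("note", path))
        elif path_matches_ioc(path):
            findings.append(("path", path))
    return findings
```

A path-only hit (c:\Windows\System32\setup.exe in particular) is not proof on its own; confirm it with the hash or with the Run-key persistence before escalating.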

Ryuk-related web files

Today, Ryuk is sold on the dark web under a ransomware-as-a-service affiliate model, which empowers threat actors to go after vulnerable and critical entities like hospitals. Organizations need to recognize the threat, understand the risks, and prioritize the preventive measures that will protect them against Ryuk. Our researchers have spotlighted the threats that are driving the growth of ransomware.

Check out our path-breaking Ransomware Spotlight report.

Are you susceptible to Ryuk? Find out now!
