What is Ryuk Ransomware and How Does It Spread?

Share This:

Ryuk ransomware has become one of the most persistent and destructive computer viruses of the past decade. It is a type of malicious , or malware, designed to lock files and demand ransom for their release. First discovered in 2018, Ryuk has since been used to target high-value targets like businesses, governments, and public institutions such as hospitals and schools.

What makes Ryuk ransomware so dangerous is its ability to spread quickly and widely without being detected until it's too late. The virus is typically spread via phishing emails that contain either link to malicious websites that host the malware or attachments with the malware. Once Ryuk infects a computer system, it encrypts files and demands a ransom be paid in order for them to be released.

The hacker group responsible for Ryuk ransomware is known as WIZARD SPIDER (aka UNC1878). This Russia-based criminal enterprise has been observed deploying the Conti and Ryuk ransomware families in “Big-Game Hunting” campaigns that target large organizations. They are also behind other malicious software such as Trickbot and Bazar RATs (Remote Access Trojans).

The US Cybersecurity & Infrastructure Agency (CISA) warns that “these attacks demonstrate how sophisticated cyber adversaries are becoming in their ability to target organizations of all sizes with crippling ransomware attacks”. Meanwhile, according to McAfee research, by the end of 2020, Ryuk had likely netted its developers around USD $150 million in ransom payments.

It is essential for organizations to stay vigilant against this threat by implementing preventive measures such as regular backup solutions and anti-malware software updates. Additionally, it is important that all staff are aware of potential phishing scams and have a plan in place if they receive an containing suspicious links or attachments. By doing these things, companies can protect themselves from becoming the next victim of this devastating form of cybercrime.

What is Ryuk Ransomware and How Does It Spread? 1

The Dangers of Ryuk Ransomware

Ryuk ransomware is a malicious program created by cybercriminals to extort money from victims. The malware is typically sent via email attachments or malicious URLs that, if opened, install the ransomware on the victim's computer and encrypt their data, making it inaccessible until a ransom is paid. Ryuk ransomware has targeted high-value organizations, such as governments, hospitals, and schools. It can also spread through networks to multiple computers, encrypting all of their files. To make matters worse, Ryuk ransomware does not have an effective decryption tool available yet; so once the files are encrypted they can only be unlocked with a unique key that the attackers hold. Victims of Ryuk ransomware attacks have no choice but to pay the ransom in order to regain access to their data.

Spread of Ryuk Ransomware

Ryuk ransomware spreads primarily through phishing emails. These emails typically contain either malicious links to websites that host the malware, or attachments with the malware already embedded. When a user clicks on the link or opens the attachment, the malicious code is downloaded and installed on their computer. Once installed, Ryuk ransomware will encrypt files and delete shadow copies, making it difficult for users to recover data without paying a ransom. To protect against Ryuk ransomware attacks, users should be wary of suspicious emails and be sure to update their systems regularly with the latest security patches.

Can Wizard Spider Deploy Ryuk Ransomware?

Yes, WIZARD SPIDER was able to deploy Ryuk ransomware. The criminal enterprise has been observed deploying the Conti and Ryuk ransomware families in “Big-Game Hunting” campaigns that target large enterprises. In addition to the Trickbot, Bazar, and Anchor families of malicious Remote Access Trojans (RATs), WIZARD SPIDER has been seen using Ryuk to gain access to sensitive data or systems within corporate networks. Once inside, the ransomware is used to encrypt files and demand a ransom payment in exchange for access to them again.

Removing Ransomware

Yes, ransomware can be removed from your computer. However, depending on the type of ransomware you have been infected with, manual removal may not be possible. Some ransomware variants are designed to encrypt files on the system and make them inaccessible unless a specific decryption tool is used. In this case, the only way to remove the ransomware and regain access to your data is by using a decryption tool that is specifically designed for the type of ransomware you have been infected with.
In addition, it is important to ensure that your system remains secure after the infection has been removed by performing regular scans with updated software. This will help identify any further malicious activities and allow you to take appropriate steps to protect your data.

What Causes Ransomware?

Ransomware is triggered when a user unknowingly downloads malicious software, often through an infected email attachment or link. This malicious software can either be opened directly or it may be hidden in a file that the user is tricked into opening. Once the user opens the malware, it encrypts their data and files, making them inaccessible unless the user pays a ransom to regain access to their data. Ransomware can also be spread through drive-by downloading, which occurs when a user visits an infected website and then malware is downloaded and installed without the user's knowledge.

Characteristics of Ryuk Ransomware

Ryuk ransomware is a sophisticated and dangerous form of malware designed to encrypt a victim's data and demand a ransom payment in exchange for the decryption keys. It is usually spread through malicious email attachments or compromised websites, with the goal of extorting money from its victims.

Ryuk utilizes AES-256 encryption, as well as RSA-4096 asymmetric cryptography, to secure the data that it encrypts. This ensures that all files held hostage are completely inaccessible until the ransom is paid and the decryption keys are released. Additionally, Ryuk can access remote administrative shares, making it difficult to detect before it has had time to spread throughout an organization's network.

Once Ryuk has infected a system, it will typically display a message demanding payment in order for the victim's files to be decrypted. The amount demanded depends on the type of system that was infected and the data that was encrypted by Ryuk. Payment is usually requested via cryptocurrencies such as Bitcoin or Ethereum, making it difficult to trace the transaction back to its source.

It is important to note that paying Ryuk's ransom does not guarantee that your data will be recovered — there have been many cases of victims paying the ransom but not receiving any decryption keys in return. Therefore, if you suspect you have been infected with Ryuk ransomware, it is important to contact cybersecurity experts right away so they can help you assess your situation and determine your best course of action.


In conclusion, Ryuk ransomware is a malicious form of malware developed by the Russia-based WIZARD SPIDER hacker group. It is primarily delivered via phishing emails and has been used to target high-value targets such as businesses, governments, and public institutions. Ryuk ransomware attacks have the potential to cause significant disruption to networks and data and can result in the loss of sensitive information or financial losses if a ransom is not paid. Despite security measures such as email scanning, patching applications, and updating systems, organizations must remain vigilant against these kinds of cyber threats. Taking proactive steps such as educating staff on detecting phishing attempts and implementing backup strategies are key to preventing a successful attack.

Share This:
Photo of author

James Walker

James Walker has a deep passion for technology and is our in-house enthusiastic editor. He graduated from the School of Journalism and Mass Communication, and loves to test the latest gadgets and play with older software (something we’re still trying to figure out about himself). Hailing from Iowa, United States, James loves cats and is an avid hiker in his free time.