Ryuk Ransomware

Ryuk Ransomware Exploits Zerologon in Less Than 5 Hours

A phishing email that evolved into complete domain-wide encryption in less than five hours shows that many organizations remain vulnerable to Ryuk ransomware. While the strategy of attack was the same as those in the past, execution time was much faster, leaving security experts with no time to act. The most recent report of a Ryuk attack completed in 29 hours warned organizations that if a victim missed the first day, they would have precious little time to respond before being ransomed. The current attack makes it clear that organizations must be prepared in advance with techniques that provide an immediate response when malware is deployed.

What Is Ryuk Ransomware?

Ryuk is a sophisticated ransomware threat that targets businesses, hospitals, government institutions, and other organizations. Ryuk first appeared in August 2018, and the resulting attacks have cost victims millions of dollars since then. Instead of focusing on widespread attacks, Ryuk carefully targets and provides undivided attention to create specifically tailored infections with high ransom demands. Expected payments are typically between 15 and 50 Bitcoin which averages between $100,000 and $500,000.

Ryuk sets itself apart from many modern ransomware types with its ability to identify and attack certain data drives while leaving others untouched. Additionally, the ransomware deletes evidence of its existing path. The combination of these actions makes it impossible for the victim to use the Windows Restore option, making it impossible to recover from the attack without external backups.

While Ryuk was first used in 2018, similarities in the ransomware program suggest a relation to the earlier Hermes ransomware threat and a possible connection to Lazarus Group.

A Brief but Successful History

Until August 2018, Ryuk was mostly known as a fictional character in the manga series Death Note. The cybercriminal group of the same name began targeting victims in 2018 and managed to obtain $61 million in ransom demands by February 2020. Some of Ryuk’s most notable attacks include publishing companies, major cities, and hospitals. Prominent Ryuk activity includes:

  • Oct. 2018 attack on Onslow Water and Sewer Authority
  • Dec. 2018 attack on Tribune Publishing Group
  • March 2019 attack on Jackson County, Georgia
  • April 2019 attacks on Stuart, Florida, and Imperial County, California
  • June 2019 British GCHQ released a warning about a global Ryuk campaign
  • June 2019 attack on Georgia’s Administrative Office of the Courts
  • July 2019 attacks on La Porte County, Indiana, and New Bedford, Massachusetts
  • July 2019 attacks on Chinese company Tencent
  • July 2019 attacks on Louisiana school districts
  • August 2019 attack on Rockville Center School in Long Island, New York
  • Sept. 2019 Ryuk software observed exfiltrating military and financial files
  • Oct. 2019 attack on DHC Health Systems in Alabama
  • Nov. 2019 attack on a multinational Spanish security company
  • Nov. 2019 attack on Spain’s largest radio station, Cadena SER
  • Nov. 2019 attack on T System (IT solutions for emergency and urgent healthcare providers)
  • Dec. 2019 attack on the IT network of a federally regulated maritime facility
  • Jan. 2020 attacks on multiple oil and gas facilities
  • Ryuk grew quiet around March 2020, and it was suspected the group switched to Conti ransomware
  • Sept. 2020 attack on Universal Health Services
  • Oct. 2020 attack on French IT services company Sopra Steria

Recent attacks show that Ryuk ransomware isn’t slowing down. The varied history of Ryuk attacks makes it clear that no industry is really safe. Healthcare systems and a number of school systems have even faced attacks. With targeted emails and specific attacks tailored to the company, Ryuk ransomware is difficult to detect until the damage is done.

How It Works

You could say that Ryuk has a strategy that values quality over quantity. Instead of simultaneously attacking multiple victims, Ryuk targets organizations that are capable of paying a lot of money to quickly get back on track. While victims vary, and the timeframe of a Ryuk attack has become alarmingly streamlined, the system of attack has changed very little. Ryuk ransomware follows these three steps to efficiently carry out an attack.

  • Infection: Like the other targeted aspects of the attack, Ryuk uses carefully aimed phishing emails to remotely gain access to an organization’s system. This spearfishing email might carry Ryuk directly or include a combination of malware infections. This remote desktop access allows the attacker to gain administrative control of the system.
  • Encryption: The ransomware encrypts a file, making it impossible to access. Since ransomware can damage the stability of a system, Ryuk avoids encrypting the files most likely to destroy a computer. This means upon payment, the victim should be able to retrieve the files with the decryption provided. However, there is no guarantee that files will be retrieved after a ransom is paid.
  • Ransom: Since Ryuk victims are carefully targeted, the ransom is high and represents the size of the company it targets. Ransom notes contain an email address to allow victims to reach out for payment instructions. It’s important to note that paying a ransom provides no guarantee that you’ll receive a decryption key or that the provided software will work. Additionally, paying a ransom without reporting the incident to the proper authorities could be considered a criminal act.

The Anatomy of a Rapid Fire Attack

The idea of having a day or more to determine how to respond to a ransomware attack is no longer feasible. Unfortunately, Ryuk has set the bar, demanding that companies have the capability to prepare for and respond to attacks immediately. By exploiting the Zerologon vulnerability, attackers were quickly able to gain administrator access and deploy Bazar Loader Malware within hours. 

  • The attack began with a phishing email targeted at a lower privileged user and the deployment of Bazar Loader malware. When deployed, Bazar Loader interjects into legitimate Windows processes, creating scheduled tasks to continue spreading the malware every time a user logs into the system.
  • Working from a remote desktop, attackers used built-in Windows utilities to map the domain.
  • Within three hours, using the recently exposed Zerologon vulnerability, attackers gained elevated administrator status and reset the password of the primary domain controller.
  • Attackers used lateral movement disguised as normal network traffic to attack the secondary domain controller.
  • Within 20 minutes of exploiting Zerologon, attackers established control of the secondary domain controller and executed a Cobalt Strike beacon.
  • Using the administrator account, attackers moved back to the main controller and dropped a second Cobalt Strike beacon.
  • The final phase of the attack began when Ryuk ransomware was deployed onto backup servers. Then the malware was deployed onto other servers and workstations.
  • The completion of the attack occurred five hours from the initial email when attackers deployed the ransomware on the primary domain controller.

The speed and efficiency of the attack are credited in large part to the advantage of the Zerologon vulnerability. Since attackers were able to avoid targeting a high privilege user, fewer security protocols were in place to disturb the attack. Unfortunately, the fact that the attack was targeted at a domain user without other permissions had no effect on the attacker’s ability to successfully move forward. Although the Zerologon vulnerability provided attackers with an easy path to administrator access for this attack, it shows that hackers are evolving with technology and will likely continue to find additional system vulnerabilities to exploit in the future.

How to Maintain Protection Against Evolving Ransomware

Preparation is key when defending your system against swift-moving ransomware attacks. Attackers in the Ryuk group have the knowledge and user experience to carry out largely manual attacks and change up tools of attack as needed. Early Ryuk attacks were largely assisted by TrickBot and Emotet. The most recent attacks have relied on built-in Windows functions and tools like Cobalt Strike. Taking advantage of emerging vulnerabilities like Zerologon provides this group with an added edge to work quickly and complete an attack before it can even be acknowledged.


System users must be aware of the potential threats and how to respond to them. This means all users should receive education about current threats and signs to watch for. Phishing emails often don’t contain malicious software in them. Instead, the targeted user must click a link that deploys the first step in the attack. Some emails that include attachments require users to enable Macros to view them. Users should be aware that infected attachments will automatically drop ransomware when Macros are enabled.

In some cases, organizations have functioning security software that should address the threat. Unfortunately, some IT administrators disable safety measures in the belief it slows down the system. All system users should be educated about the organization’s security software and how it works to prevent attacks.

Patch Management

When vulnerabilities are exposed, any organization should immediately respond to the potential threat. When you are made aware of system vulnerabilities, you can count on the fact that cybercriminals are aware of those potential weaknesses as well. Systems that are not yet patched provide attackers with an easy way to get into your system and quickly complete an attack. Updated patches keep your system secured across all endpoints.

Data Backups

Maintaining data backups is the only way you can ensure you’ll retain data if your organization falls victim to an attack. Keeping a current backup copy of your data on an external cloud server is the only way to restore unencrypted data if you experience an attack. Unfortunately, the manual task of updating backups often means data backups are outdated.

Disaster Recovery as a Service (DRaaS) is a completely hassle-free method of disaster recovery customized to your unique organization. Whether you need a file restored or you must rebuild your entire data center, DRaaS can automatically recover what you need. DRaaS provides local and remote backup with advanced recovery capabilities and enhanced data protection. Instead of simply storing files, Global Data Vault documents the information necessary to bring your entire network back online. 

Advanced Cybersecurity Protection

Cybersecurity protection is designed to target current threats and the ways modern cybercriminals attack your system. Invest in a cybersecurity system that uses processes to identify and eliminate the attack style utilized by human-operated ransomware attacks. Your cybersecurity platform should provide these services to help you eliminate threats posed by Ryuk ransomware.

  • 24/7 Monitoring: Ryuk attacks frequently occur on the weekend and system users see the ransom request after the damage is already done. The right cybersecurity platform looks after your system while your IT team is sleeping, on vacation, or unavailable.
  • Reduced Response Time: An attack that is complete within five hours requires an immediate response that takes place in less than an hour. A quality cybersecurity system can begin responding to a threat within seconds.
  • Crowdsourced Immunization: A cybersecurity system that uses artificial intelligence can protect your system from threats that haven’t even reached you yet. When other systems face a threat, crowdsourced immunity puts you one step ahead of potential attackers with an automatic immunization against the new threat.
  • Data Warehousing: Ryuk ransomware (and many other types of ransomware) work through an organization’s system through lateral movement. This activity in the system leaves behind trace identifiers and clues to how Ryuk is working. When this data is collected and shared with other organizations quickly through a threat feed, it protects multiple organizations from facing the same threat.

    It’s critical to collect all evidence and traces of malware and cybercriminal behavior metadata. Assembling that data into a central threat intelligence repository that will help protect other organizations from similar threat activity. Data Warehousing can be very powerful to protect your organization.
  • Visibility into your Environment: Ryuk works successfully because it moves discreetly throughout the system before victims are aware anything is wrong. By the time the threat is visible, the attack is almost complete. A cybersecurity system that provides users visibility into the complete system environment makes threats easily recognizable.
  • Automated Updates: Manual updates require tedious tasks that are too easily put off. Automated modules mean your organization is always updated for necessary compliance and prepared for current and evolving threats. Reducing time spent on manual processes means your team can stay ahead of threats and increase responsiveness.

Applying patches to known vulnerabilities is essential to keeping your system secure. However, it’s rarely enough to protect against experienced cybercriminals running advanced ransomware like Ryuk. Organizations also need the ability to monitor and detect when these vulnerabilities are being used against them. BitLyft AIR® is an intelligent cybersecurity platform with the ability to illuminate and eliminate cybersecurity threats before they become a danger to your system. With BitLyft, you not only gain visibility into your system so you know what’s happening and when it happens, but you also get a team dedicated to providing you with the best security experience.

BitLyft AIR® Overview


Hidden Threats and Cyber Attacks: Reveal and Respond to Some of the Hardest to Detect Cyber Attacks

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

two people programming cybersecurity
Will AI and Machine Learning Replace Humans in Cybersecurity?
As businesses, individuals, and organizations depend more on the conveniences provided by internet capability, the cybersecurity world grows more complex. Hackers develop more complicated and...
people with computers sitting around a table
What is a Cyber Incident Response Plan?
Do you know how you would respond to a cyber security incident? If not, it may be time to consider a Cyber Incident Response Plan.
cyber code and graphics
SIEM vs MSSP: What's the Difference?
Cybersecurity incidents are a constant threat to modern organizations. Security solutions must be robustly addressed in order to prevent data breaches, hacks, and numerous other security-related...