Ryuk Ransomware Recovery, Payment & Decryption Statistics

Ryuk ransomware payments are typically much higher than the ransomware marketplace average. This is due to highly targeted nature of the attacks. Ryuk affects mid-large sized organizations that have higher ability to pay relative to small businesses and individuals.

Ryuk incidents take less time to recover than other types of ransomware. However, the decryption tool can be burdensome on large networks, which may lead to a longer recovery time.

The majority of Ryuk Ransomware attacks can be traced back to either Remote Desktop Protocol access or email Phishing as the attack vector. This is due to the prevalence of poorly secured RDP ports, and the ease with which Ransomware distributors are able to either brute force themselves, or purchase credentials on dark market sites. Companies that allow employees or contractors to access their networks through remote access without taking the proper protections are at a grave risk of being attacked by Ryuk Ransomware.  Email phishing is also increasingly prevalent in Ryuk attacks. Exploit kits such as Trickbot and Emotet are increasingly used to gain elevated credentials so that the entire network of a targeted organization may be encrypted by the attackers.

Immediate RYUK Ransomware Help

For immediate assistance contact us

How to Identify RYUK Ransomware

The Ryuk ransom note has recently changed. It is now very simple and commonly looks like the image below.

What else do I need to know?

Ryuk Ransomware typically appends a standard ‘.ryk’ to to encrypted files. There is known to be one variant which does not append any special extension to the files, but uses the same encryption as the Ryuk that does append .ryk to the files.

An encrypted file would follow the below pattern (example of a word document):

filename.doc.ryk

Ransomware distributors often change their email accounts for every attack, though some groups keep them consistent. The groups tend to have preferences for the email and VPN service they use. Some use common services like Gmail or AOL, while others use encrypted email services such as ProtonMail or Tutanota. The vast majority of Ryuk groups use encrypted email services and change their email for every attack.

The nature of Ryuk deployment and execution tactics, techniques, and procedures can vary across incidents. Recently, Ryuk has been distributed specifically through Emotet and/or TrickBot malware. The premeditated attack is tailored from target to target and only the essential files are encrypted, which differs from other forms of ransomware that attempt to strike numerous networks in entirety, simultaneously.

Ryuk is commonly installed and executed following the infection of a target machine with a banking trojan. Once the banking trojan has collected admin credentials and moved laterally through a target network, the Ryuk payload is downloaded and executed. The banking trojan is typically the result of a spear phishing campaign, or some other subtle vulnerability that is difficult to detect.

Ryuk ransomware primarily infects mid to large organizations that are financially stable and rely on their networks for day to day operations. Attackers target these organizations directly through phishing attempts as large employee counts make these companies more susceptible to email related threats.

Ryuk uses a three-tier trust encryption model. The first tier / foundation is the global RSA key pair held by the attackers. The private key from this key pair is not available to the victim until a decryptor is purchased. The second tier is a per-victim RSA keypair. Most types of ransomware would generate this keypair during the encryption process, and encrypt the resulting private key using the higher-tier global key. With Ryuk, the ransomware arrives with the keypair pre-installed and the private key pre-encrypted. The third tier is a standard AES symmetric encryption key generated for each victim file using the Win32API function CryptGenKey. This key is then exported using CryptExportKey, encrypted using the second-tier key, and the encrypted result appended to the encrypted file.

It is strongly recommended that any machine that becomes encrypted be completely reformatted to ensure that both the ransomware executable and, more importantly, any other malware is removed in the process. The ransomware executable is typically easy for anti-virus to find and remove. Malware that assisted in the ransomware arriving on the machine and which can do longer term damage is often harder to detect. Accordingly, a full wipe and replace process should be run on any machine that becomes encrypted with Ryuk Ransomware.

(Please note that the below is just an example and not a guide or guarantee that should be relied on in any way. Ransomware variants and their decryptors evolve weekly and this example may be obsolete or conflict with instructions a hacker provides. Please, see our Terms of Service for further disclaimer).

The Ryuk decryptor is unreliable and riddled with errors that reside within the code. These issues make the victims’ user experience running decryption very challenging and time consuming. Some of the most prominent issues are:

• Windows file path spaces: If there is a space in the Windows file path, the decryptor will fail the decryption process.

• Quotation “ marks in file path: If there is a quotation mark (“) in the file path the decryptor will report an error that it cannot find the specific file.

• Windows Version function: The decryptor uses the “GetVersionExW” function to determine the Windows version, for Windows 8.1. The value returned by this API has changed and the decryptor isn’t designed to handle this value.

• .Ryk extension removal: The decryptor doesn’t remove the .ryk extension and replace it with the original extension. Since there is no way to determine the original file type based just on the file name, it can be extremely labor intensive for enterprise victims to fully rename and restore their files.

Infinite loop in manual mode: When choosing the manual option in the decryptor, the user has to supply a path of the specific file or choose “0” to finish. However, choosing a “0” will put the decryptor into an infinite loop.

For a complete guide on the Ryuk Decryptor tool, please see our Ryuk Decryption Guide.

RYUK RANSOMWARE FREQUENTLY ASKED QUESTIONS

The majority of active Ryuk ransomware variants can not be decrypted by any free tool or software. If you submit a file example to us, we will have a look for free and let you know. There are also good free websites that you can upload a sample file to and independently check. You should NOT pay a data recovery firm or any other service provider to research your file encryption. They will use the same free resources noted above… so don’t waste your money or time!

Most Ryuk ransomware is laid directly by a hacker that has accessed an unprotected RDP port, utilized email phishing to remote into a network via an employee’s computer, or utilized malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.

.rcrypted, .ryk

Ryuk ransomware hackers will leave a readme file notice behind that will be prominent and easy to find. It commonly looks like the image below.

Note: We do not advise that any person or company contact a hacker and negotiate directly. Cyber criminals can be difficult to communicate with. Let a professional assist you.

RANSOMWARE FREQUENTLY ASKED QUESTIONS

You will need to provide information from both the ransom notice and a sample encrypted file. We will schedule a call to discuss the severity of the attack, the operability of your company and the likely timeline / cost of recovering from the attack. You will also need to provide identifying information on your company, and an authorized representative of your company.

You are already being extorted; we don’t think you deserve to pay another large fee. Coveware charges flat per incident fees. Whether the case lasts one week or three weeks, our fees are flat. We do not charge spreads of fees tied to the size of the ransom amount. Our fees will never be even close to the amount of the ransom demanded by the cyber criminal, and you should be skeptical of why any other service provider would charge a fee that high.

You should be extremely skeptical of any data recovery firm that claims they can decrypt ransomware. Typically they are just paying the cyber criminal without your knowledge and pocketing the difference between the ransom amount and what they will charge you. Know the facts before you engage. If the ransomware IS decryptable, the tool can be found for free. If not, purchasing a key from the cyber criminal is the only way to unlock your files. While Coveware does not condone paying cyber criminals, we recognize it is often the only choice if backups are not available or have become compromised as well. If that is the case, you deserve an honest, transparent experience.

There is no guarantee that paying the ransom will result in a working decryption tool being delivered. However, Coveware believes that data aggregation can help customers make the most informed data-driven decisions. Since we handle lots of cases of the same ransomware types, we are able to share our experiences and help customers decide how to proceed.

If the ransomware payment is successful, a decryption tool & key is provided by the hacker that can be used to manually decrypt your files.

There are some common security mis-configurations that lead to a ransomware attack. We can share some tips and resources for preventing future attacks, but encourage companies to perform a full forensic review or security assessment as soon as possible. Consistent investment in security IT is the best antidote to preventing future attacks.

WHY CHOOSE COVEWARE RANSOMWARE RECOVERY SERVICES?

FREE
RANSOMWARE ASSESSMENT

Provide a few details from the ransom notice, an example encrypted file and details of the operability of your company and budget/time. We will provide context into the severity of the attack and your options for decryption and recovery using our database of similar cases.

• Identify ransomware type

• Find free decryptor tools

• Identify threat actor group
  

24x7 SUPPORT
- RANSOMWARE INCIDENT RESPONSE

We have deep experience communicating and negotiating with hackers. It’s what we do all day long! Take advantage of our experience and allow us to shoulder this burden.

• Secure & safe negotiations

• Proactive service

• Transparent communications

• Determine risks & outcomes
  

FILE DECRYPTION
& RECOVERY SUPPORT

Coveware has access to a ready supply of any crypto currency, and offers a 15 minute disbursement service level agreement. We also support the decryption/data recovery process.

• Professional IT support

• Insurance documentation

• Post-incident follow up

• Post-incident support