Ryuk Ransomware Payment & Decryption Statistics

Ryuk Ransomware Payment Costs

Ryuk Ransomware Average Ransom vs Ransomware Marketplace

How much are Ryuk Ransomware ransom demands?

Ryuk ransomware payments are typically much higher than the ransomware marketplace average. This is due to highly targeted nature of the attacks. Ryuk affects mid-large sized organizations that have higher ability to pay relative to small businesses and individuals.

How long does it take to recover from a Ryuk Ransomware attack?

Ryuk incidents are much longer than other types of ransomware due to high ransom amounts demanded and the labor intensive nature of the decryption tool.

Average Length of a Ryuk Ransomware Incident

The amount of time from reporting to full data recovery of a Ryuk Ransomware incident

Ryuk Ransomware Case Outcomes

The outcome of Ryuk Ransomware Incidents

What is the expected data recovery rate when paying for a Ryuk Ransomware Decryptor?

Ryuk Ransomware has a low data recovery-success rate after a ransom payment is made. Relative to other types of ransomware, the decryptor tool is very labor intensive and prone to failure.

How does Ryuk Ransomware attack a victim?

The majority of Ryuk Ransomware attacks can be traced back to either Remote Desktop Protocol access or email Phishing as the attack vector. This is due to the prevalence of poorly secured RDP ports, and the ease with which Ransomware distributors are able to either brute force themselves, or purchase credentials on dark market sites. Companies that allow employees or contractors to access their networks through remote access without taking the proper protections are at a grave risk of being attacked by Ryuk Ransomware.  Email phishing is also increasingly prevalent in Ryuk attacks. Exploit kits such as Trickbot and Emotet are increasingly used to gain elevated credentials so that the entire network of a targeted organization may be encrypted by the attackers.

Top Attack Vectors for Ryuk Ransomware

Immediate Ryuk Recovery Help

For immediate assistance contact us or call 24/7 Support: (203) 442-4050


How to Identify Ryuk Ransomware

Ryuk Ransomware Note

Ryuk Ransomware typically leaves behind an elongated ransom note that explains what has happened and identifies itself at the end of the note.

Calling out the IT team:

At the top of the ransom note, the attackers are specifically calling out the IT team in an effort to intimidate them. They warn that there is no method of decryption (this is true at the time of writing this), and not to try any of the standard ways to recover the data.  

Decryption - Free Proof:

In the next section, the note calls out the ease of decryption should the victim opt to pay.  The time frame given is not exactly accurate given how difficult the Ryuk decryptor is to operate, and the length of time Ryuk cases typically take to recover. The attacker offer a proof of decryption for a small file, which is pretty much standard.

How to Obtain Bitcoins:

Ryuk ransomware notes do not provide guidance on how to obtain bitcoin, unlike other types of ransomware. The attacker first response to a victim over email typically has more information on how to obtain bitcoins.   

Contacting the Attacker

At the conclusion of the note, contact information for the attacker is provided. Most of the time there are two email addresses given.  The majority of Ryuk distributors change their email addresses for every attack, so there is rarely a repeat.

Ryuk Ransomware Encrypted File Extensions

Ryuk Ransomware typically appends a standard ‘.ryk’ to to encrypted files. There is known to be one variant which does not append any special extension to the files, but uses the same encryption as the Ryuk that does append .ryk to the files.

An encrypted file would follow the below pattern (example of a word document):


Common Ryuk Ransomware Email Accounts:

Ransomware distributors often change their email accounts for every attack, though some groups keep them consistent. The groups tend to have preferences for the email and VPN service they use. Some use common services like Gmail or AOL, while others use encrypted email services such as ProtonMail or Tutanota.  The vast majority of Ryuk groups use encrypted email services and change their email for every attack.

How Ryuk Ransomware is Distributed

The top attack vector for Dharma ransomware is via Remote Desktop Protocol ports or RDP. RDP a port that is commonly used for employees or services providers to access a network remotely. RDP access sidesteps endpoint protection, making lateral proliferation between endpoints, partitioned networks, and backup systems much easier to accomplish.

Attackers can breach RDP via a few different methods:

  • By using port scanning via websites like Shodan and then subsequently brute-forcing RDP sessions until credentials are compromised.

  • Purchasing and using brute-forced credentials for sale on sites like XDedic.

  • Phishing an employee of the company to gain access and control of their machine. Then using that access to brute-force RDP access from inside the network.

There are tens of thousands of corporate RDP credentials available for sale for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is a low-hanging fruit for cybercriminals looking to launch ransomware attacks.

While plenty of large organizations continue to leave this vector unsecured, smaller companies are equally complacent. Most assume they are too small to be targeted and don’t appreciate just how easily targeted they are. Many also lack the resources, people or knowledge of how to properly secure access.

Ryuk ransomware primarily infects mid to large organizations that are financially stable and rely on their networks for day to day operations. Attackers target these organizations directly through phishing attempts as large employee counts make these companies more susceptible to email related threats. Recently, Ryuk has been distributed specifically through Emotet and/or TrickBot malware. The premeditated attack is tailored from target to target and only the essential files are encrypted, which differs from other forms of ransomware that attempt to strike numerous networks in entirety, simultaneously.

How Does Ryuk Ransomware Encrypt Files

Ryuk uses a three-tier trust encryption model. The first tier / foundation is the global RSA key pair held by the attackers. The private key from this key pair is not available to the victim until a decryptor is purchased.  The second tier is a per-victim RSA keypair. Most types of ransomware would generate this keypair during the encryption process, and encrypt the resulting private key using the higher-tier global key. With Ryuk, the ransomware arrives with the keypair pre-installed and the private key pre-encrypted. The third tier is a standard AES symmetric encryption key generated for each victim file using the Win32API function CryptGenKey. This key is then exported using CryptExportKey, encrypted using the second-tier key, and the encrypted result appended to the encrypted file.

How to Remove Ryuk Ransomware Executable Files

It is strongly recommended that any machine that becomes encrypted be completely reformatted to ensure that both the ransomware executable and, more importantly, any other malware is removed in the process. The ransomware executable is typically easy for anti-virus to find and remove. Malware that assisted in the ransomware arriving on the machine and which can do longer term damage is often harder to detect. Accordingly, a full wipe and replace process should be run on any machine that becomes encrypted with Ryuk Ransomware.

How to Use The Ryuk Decryptor Tool

(Please note that the below is just an example and not a guide or guarantee that should be relied on in any way. Ransomware variants and their decryptors evolve weekly and this example may be obsolete or conflict with instructions a hacker provides. Please, see our Terms of Service for further disclaimer).

The Ryuk decryptor is unreliable and riddled with errors that reside within the code. These issues make the victims’ user experience running decryption very challenging and time consuming. Some of the most prominent issues are:

  • Windows file path spaces: If there is a space in the Windows file path, the decryptor will fail the decryption process.

  • Quotation “ marks in file path: If there is a quotation mark (“) in the file path the decryptor will report an error that it cannot find the specific file.

  • Windows Version function: The decryptor uses the “GetVersionExW” function to determine the Windows version, for Windows 8.1. The value returned by this API has changed and the decryptor isn’t designed to handle this value.

  • .Ryk extension removal: The decryptor doesn’t remove the .ryk extension and replace it with the original extension. Since there is no way to determine the original file type based just on the file name, it can be extremely labor intensive for enterprise victims to fully rename and restore their files.

Infinite loop in manual mode: When choosing the manual option in the decryptor, the user has to supply a path of the specific file or choose “0” to finish. However, choosing a “0” will put the decryptor into an infinite loop.

Running the Ryuk Decryptor

For a complete guide on the Ryuk Decryptor tool, please see our Ryuk Decryption Guide.


Ryuk Ransomware Frequently Asked Questions

1. Are there free Ryuk decryption tools?

The majority of active Ryuk ransomware variants can not be decrypted by any free tool or software. If you submit a file example to us, we will have a look for free and let you know. There are also good free websites that you can upload a sample file to and independently check. You should NOT pay a data recovery firm or any other service provider to research your file encryption. They will use the same free resources noted above… so don’t waste your money or time!

2. How did I get infected with Ryuk ransomware?

Most Ryuk ransomware is laid directly by a hacker that has accessed an unprotected RDP port, utilized email phishing to remote into a network via an employee’s computer, or utilized malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.

3. What are recent Ryuk ransomware file extensions?


Example Ryuk ransom notice .txt file

4. What does a Ryuk ransom notice look like?

Ryuk ransomware hackers will leave a readme file notice behind that will be prominent and easy to find. It commonly looks like like the image to the right.

Note: We do not advise that any person or company contact a hacker and negotiate directly. Cyber criminals can be difficult to communicate with. Let a professional assist you.



You will need to provide information from both the ransom notice and a sample encrypted file. We will schedule a call to discuss the severity of the attack, the operability of your company and the likely timeline / cost of recovering from the attack. You will also need to provide identifying information on your company, and an authorized representative of your company.


You are already being extorted; we don’t think you deserve to pay another large fee. Coveware charges flat daily service fees that vary based on the complexity of your case. We do not charge spreads of fees tied to the size of the ransom amount. Our fees will never be even close to the amount of the ransom demanded by the cyber criminal, and you should be skeptical of why any other service provider would charge a fee that high.


You should be extremely skeptical of any data recovery firm that claims they can decrypt ransomware. Typically they are just paying the cyber criminal without your knowledge and pocketing the difference between the ransom amount and what they will charge you. Know the facts before you engage. If the ransomware IS decryptable, the tool can be found for free. If not, purchasing a key from the cyber criminal is the only way to unlock your files. While Coveware does not condone paying cyber criminals, we recognize it is often the only choice if backups are not available or have become compromised as well. If that is the case, you deserve an honest, transparent experience.


There is no guarantee that paying the ransom will result in a working decryption tool being delivered. However, Coveware believes that data aggregation can help customers make the most informed data-driven decisions. Since we handle lots of cases of the same ransomware types, we are able to share our experiences and help customers decide how to proceed.


If the ransomware payment is successful, a decryption tool & key is provided by the hacker that can be used to manually decrypt your files.


There are some common security mis-configurations that lead to a ransomware attack. We can share some tips and resources for preventing future attacks, but encourage companies to perform a full forensic review or security assessment as soon as possible. Consistent investment in security IT is the best antidote to preventing future attacks.









Ransomware RecoveryServices


RANSOMWARE RECOVERY PLAN: Provide some information on the severity of the attack, operability of your company and budget/ time and we'll chart you a set of options using our database of similar cases.

SETTLEMENT & RECOVERY: Coveware has access to a ready supply of any crypto currency, and offers a 15 minute disbursement service level agreement. We also support the decryption / data recovery process.

RANSOMWARE ASSESSMENT: Provide a few details from the ransom notice and an example encrypted file and we will provide context into the severity of the attack and your options for decryption and recovery. This is free.

HACKER NEGOTIATIONS: We have deep experience communicating and negotiating with hackers. Its what we do all day long! Take advantage of our experience and allow us to shoulder this burden.



"Remediating a ransomware incident for a current or prospective client is stressful. The future of the client relationship, and sometimes the operability of the client's business are at stake. It is a lot of pressure for a managed service provider to take on, especially as downtime mounts. Coveware's solution shoulders a lot of that burden, dramatically improving the experience, and most importantly shrinking the time to recover."

- Adam Wipp, Helm MSP