How to Protect Your Business From Ryuk Ransomware

Ryuk ransomware is sophisticated malware targeting businesses. It blocks access to critical data, holding it for ransom. Learn about Ryuk and how to protect your organization from this cyber threat.

We may receive compensation from partners and advertisers whose products appear here. Compensation may impact where products are placed on our site, but editorial opinions, scores, and reviews are independent from, and never influenced by, any advertiser or partner.

The threat of computer viruses and other malware is on the rise. The ransomware called Ryuk is one of the most widely-used among cybercriminals. It accounted for over a third of all ransomware attacks through the first three quarters of 2020.

Ryuk’s use among cybercriminals is only accelerating. This increases the chance computers, servers, and other devices on your IT network (called endpoints by IT professionals) will fall victim to it.

Ryuk’s popularity among criminals makes sense. It’s one of the deadliest, most effective forms of ransomware. Only the best endpoint security software has a chance of stopping it before damage occurs.

Concrete actions exist to protect your business from Ryuk ransomware. Let’s first understand Ryuk and how it operates. Then we’ll examine how to defend against it.

Overview: What is Ryuk ransomware?

Ryuk malware exists for one purpose: to encrypt your organization’s most important data. It uses an advanced, three-tier encryption process, making it impossible for you to access your data without paying a ransom.

The ransom itself is staggering. A typical ransom amount ranges from $100,000 to $600,000 according to the Center for Internet Security. Criminals demand payment in Bitcoin cryptocurrency.

Ryuk is a particularly nefarious type of ransomware for several reasons.

  • It disables your antivirus protections to operate unhindered.
  • It attempts to infect as many computers and servers across your organization as possible.
  • It can infect your backup data to eliminate your remediation options. So if you think you can perform a system restore to get your data back through shadow copies (the Windows technology used to create backups and snapshots of your files), it won’t work.
A chart compares the volume of Ryuk ransomware attacks between 2019 and 2020 with the latter showing a huge increase over 2019.

The number of Ryuk attacks exploded in 2020. Source:

Who is behind RYUK ransomware?

Understanding Ryuk’s behavior and code points us to the cyber threat actors (CTAs) behind it. Ryuk’s code structure is similar to Hermes ransomware. Cybersecurity experts originally thought Ryuk had ties to the Lazarus Group, the CTAs based in North Korea who developed Hermes.

Cybersecurity professionals now attribute Ryuk’s origin to two Russian CTAs: Wizard Spider and CryptoTech. Wizard Spider operates TrickBot, a Trojan that evolved to support multiple criminal uses including delivery of Ryuk ransomware. CryptoTech claimed to have upgraded Hermes into Ryuk.

How does Ryuk ransomware spread?

Delivery of the Ryuk virus involves other types of malware. It often uses TrickBot, the Emotet Trojan-turned-bot malware, or both, to take control of your computer, disable your antivirus, and download Ryuk.

The attack typically begins with an innocuous email. The email contains an attachment that appears to come from a customer, your bank, or other trusted source.

When the employee opens the attachment, a series of computer commands activates, infecting your machine. Ryuk then immediately infects other endpoints across your IT environment.

In this way, valuable business data undergoes encryption wherever it’s stored on your network. The criminals leave a ransom note alongside the encrypted files detailing their demands. Some even include a video tutorial on how to buy Bitcoin and send the ransom.

Ryuk infections involve several steps to infect your IT network.

Ryuk uses a sophisticated multi-step process to infect your files. Source:


How to protect your business from Ryuk ransomware

Protecting your business from Ryuk and other cyber threats, such as Spider malware, requires a multi-layered security approach. This involves implementing all the items on the list below.

1. Use 3-2-1 or other data backup models

The best way to thwart Ryuk and other ransomware is to maintain up-to-date backups of your data. This should already be happening, but the key is to use a time-tested model that prevents Ryuk from getting to those backups.

A popular approach is the 3-2-1 strategy.

  • Three: You create at least three copies of your data. The first is your original data, and the others are copies.
  • Two: Save these copies onto two storage media. This redundancy ensures if one storage device encounters an attack or is otherwise damaged, you’ve still got the data elsewhere. For example, you can store data on a NAS (network-attached storage), SSD (solid-state drive), or traditional tape media. If you don’t have much data, you can even use a CD.
  • One: One backup copy must live in a secure, off-site location. Isolate this location from your IT network as further protection from Ryuk infecting these backups. Many businesses today use a cloud storage solution such as Box.

You can modify the 3-2-1 approach to fit the specific needs of your business. Other models can also increase your data protection.

Backing up your data to multiple off-site locations is ideal, making a 3-2-2 strategy a stronger model. This could involve one cloud-based storage option and an off-site space geographically separate from your business location. Or for even stronger security, you could use a 3-2-3 model where you store data with two cloud vendors and in a third, off-site location.

The standard 3-2-1 model involves three copies of data, two media storage types, and one off-site data storage location.

The popular 3-2-1 data backup model protects your data. Source:

2. Keep IT systems updated

Technology vendors routinely provide updates to their products to patch them against new cyber threats. Reduce your IT network’s susceptibility to Ryuk and other malware by implementing these updates. This includes hardware such as routers and modems.

Most software offers a process that automatically checks for updates online, and it performs the update for you. This may not necessarily be the case for your hardware.

Charter Communications supplies a free modem with my internet service, but they’re not responsible for patching and updating it. In these situations, your business may need to buy your own modem to take control of your security.

3. Disable macros

Macros are small programs used to automate repetitive tasks. Microsoft Office software uses macros throughout its products.

Criminals exploit these macros to run commands that take over your computer. It’s a common tactic used in Ryuk ransomware attacks.

Most staff don’t require macros to do their jobs. It’s safer to disable these macros by default, and Microsoft provides settings to do so.

4. Educate staff

Cybercriminals prey on unsuspecting victims. Raise awareness and educate your team on how to avoid dangers such as Ryuk.

These online habits increase your organization’s safety dramatically.

  • Email is the most frequently-used medium for delivering malware. Never open an email from a source you don’t recognize. Delete these emails immediately.
  • Cybercriminals try to trick you. They send emails that seemingly come from a customer, a familiar source such as your bank, or even a co-worker whose computer was infected. If you receive an email appearing to come from a trusted source, but you didn’t expect it or it’s threatening dire consequences if you don’t click its links or open attachments, it’s probably a ploy. Verify with the sender it’s a legitimate email.
  • Download software only from official sources. Avoid any free software offer from an unfamiliar brand. This free software often comes with malware hidden in it.
  • Simply visiting a website can infect your device. Many websites download images and other files for you to view. In this process, a site can infect your computer. To protect against this, keep browser software updated to the latest version. Also, avoid suspicious, questionable, or unfamiliar websites.
  • Cybercriminals copy official websites to trick you. What looks like your bank’s website may be a fake, and your credentials are stolen when you attempt to log in. In this way, criminals obtain the logins needed to circumvent antivirus protection and access your sensitive data. To avoid this, type a site’s URL directly into your browser rather than click a link, especially one in an email.

Even in companies with a security operations center (SOC), it’s often assumed people understand how to protect themselves from cyber threats. But many can’t keep up with the constant evolution of criminal tactics, so ongoing education is necessary.

5. Use endpoint security software

It’s generally accepted that every computing device requires endpoint protection. Whether it’s a laptop, server, or mobile phone, every endpoint is a potential doorway for criminals.

If you’re a freelancer or solo entrepreneur with a home-based business, you can usually get by with the Microsoft antivirus preinstalled on Windows computers. Microsoft dramatically improved its antivirus software to include artificial intelligence and other advanced threat protection capabilities.

Larger companies require more robust endpoint security. Software such as the CrowdStrike Falcon platform can proactively detect Ryuk behavior and stop it before it infects your network.

Endpoint security software is an effective way to ensure all hardware and software across the organization stays updated with the latest patches. It highlights areas of vulnerability to address. Endpoint security also proactively blocks suspicious emails and websites, stopping an attack from reaching unsuspecting staff.

Frequently Asked Questions for Ryuk Ransomware

How can you tell if Ryuk ransomware is present?

Criminals leave copies of their ransom notes in folders throughout your IT network. The note is usually a text file titled RyukReadMe.txt. A variant involves the ransom note as an HTML file titled RyukReadMe.html.

You’ll also suddenly find several encrypted files with filenames ending with the ".RYK" extension. For instance, a file called "financials.xlsx" will change to "financials.xlsx.RYK" after encryption.

What happens if you pay the ransom?

Security experts warn not to pay the ransom, and they’re right. Criminals used Ryuk to target healthcare organizations, particularly hospitals, amidst the coronavirus pandemic. They don’t care if you regain access to your files even after payment.

If you pay and are fortunate enough to receive the decryption key required to recover your data, the process to decrypt files isn’t easy. You’ll need technical expertise.

Also, you may experience data loss anyway. It’s possible your database became corrupted during the initial encryption process, but you won’t know until you’ve paid the ransom and decrypted the data.

Can you decrypt Ryuk-encrypted files without paying the ransom?

No free software tool can decrypt files that fall victim to Ryuk. Even with professional help, depending on the Ryuk variant and sophistication of the criminals launching the attack, it may be impossible to decrypt infected files by any means without the decryption key.

Still, if you’re attacked by Ryuk or other ransomware, it’s worth trying to recover your files without paying the attackers. Check out the No More Ransom Project, developed by law enforcement together with Kaspersky and McAfee, to get help.

Final advice to protect against Ryuk ransomware

You can’t always prevent cyberattacks. Preparation is your best defense against cyber threats. With backups safely stored off-site, if Ryuk strikes, you can focus on clearing the infection rather than worrying about your data.

Be aware that a Ryuk attack can hide additional undetected malware on your system while you focus on Ryuk remediation. Take time to carefully vet your IT network before attempting to restore your data.

Endpoint security software is key. Look for capabilities such as threat hunting to ensure your systems are virus-free.

This holistic approach to IT security ensures your organization is well-positioned to weather the threats lurking in cyberspace.

The Ultimate Guide to Building Virtual Teams

Knowing how to build a strong virtual team is more important today than ever -- and there are six critical things you must do to succeed. That's why we've created this ultra-timely 19-page report on what you should be doing now to set your virtual team up to win.

Enter your email below to access our (no-strings-attached) free report, "The Ultimate SMB Guide to Building High-Performing Virtual Teams."

The Motley Fool has a Disclosure Policy. The Author and/or The Motley Fool may have an interest in companies mentioned.