Ryuk Ransomware Removal

Ryuk is a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid. Ryuk is often dropped on a system by other malware, most notably TrickBot (featured in last quarter's Threat of the Quarter), or gains access to a system via Remote Desktop Services.


What is Ryuk Ransomware?

Ryuk first became known in 2018 and is Russian in origin. It is thought to have been created by a Russian criminal organization rather than the Russian government, the same criminal organization that is behind TrickBot.


Ryuk ransomware tends to remain dormant and undetected for a period of time while the actor explores the network and identifies critical systems and other internal targets. This is a key window in which Ryuk can be detected and potentially removed before it completes its attack on the network.

Ryuk enters a system through other malware, Emotet and TrickBot in particular. It has been reported that after an initial infection the attacker will assess whether the machine or network presents a good opportunity and, if it does, Ryuk is deployed. This infection chain is just one example; Ryuk could be deployed through others as well. Once in, Ryuk encrypts all non-executable files on the system and renames them with the .ryk extension. A ransom note is left in each folder, usually named "RyukReadMe".
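As an added example that is not part of the original article, the following Python sweep walks a directory tree looking for the two on-disk indicators described above, files renamed with the .ryk extension and a note named RyukReadMe, and reports which folders show them. The sample tree it builds for the offline demo (including the .txt extension on the note) is constructed and assumed, not taken from a real infection.

```python
import os
import tempfile
from pathlib import Path

RYUK_EXT = ".ryk"          # extension appended to encrypted files (per the article)
NOTE_PREFIX = "ryukreadme"  # ransom note name, matched case-insensitively


def scan_tree(root):
    """Walk `root` and return per-directory evidence of Ryuk-style encryption.

    Result maps a directory (relative to root) to the .ryk files and
    RyukReadMe notes found directly inside it; clean directories are omitted.
    """
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = [f for f in filenames if f.lower().endswith(RYUK_EXT)]
        notes = [f for f in filenames if f.lower().startswith(NOTE_PREFIX)]
        if encrypted or notes:
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": sorted(encrypted), "notes": sorted(notes)}
    return findings


def summarize(findings):
    """Aggregate counts a responder would want at a glance."""
    return {
        "dirs": len(findings),
        "encrypted_files": sum(len(v["encrypted"]) for v in findings.values()),
        "dirs_with_note": sum(1 for v in findings.values() if v["notes"]),
    }


def build_sample_tree():
    """Constructed sample layout (not real malware output) for the demo."""
    root = tempfile.mkdtemp(prefix="ryuk_demo_")
    layout = [
        "docs/report.docx.ryk",   # non-executable files renamed with .ryk
        "docs/budget.xlsx.RYK",   # extension case should not matter
        "docs/RyukReadMe.txt",    # note dropped alongside the encrypted files
        "bin/app.exe",            # executables are left untouched
        "photos/holiday.jpg",     # an unaffected folder
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for folder, evidence in result.items():
        print(f"{folder}: {len(evidence['encrypted'])} .ryk files, notes={evidence['notes']}")
    print(summarize(result))
```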

