Ryuk is a malicious file developed by the Russian hacker group Grim Spider. The ransomware can spread itself and is designed to attack business environments.

The Russian ransomware Ryuk has affected Spanish consulting companies, town halls, and radio networks. The malware can encrypt computer databases, spread itself and attack business environments. Its creators and spreaders aim at obtaining a few bitcoins by extorting victims in exchange for releasing the data on their computers.

On November 4th a ransomware attack affected the consulting company Everis and multinational Prisa Radio. The National Cybersecurity Institute of Spain (INCIBE) does not have a specific figure for the total number of Spanish companies affected by this virus. However, everything indicates that it is a planned attack that can spread easily.

According to researchers on the CrowdStrike blog, this ransomware was created by a group of Russian hackers known as Grim Spider. The criminals specialize in wire fraud, as well as in attacks on large companies. For this reason, it is a very profitable, low-profile malware with specific targets.

Silent and Highly Profitable

This ransomware, unlike WannaCry and Petya, does not aim at infecting the computers of ordinary users but those of companies. Sergio de los Santos, a cybersecurity specialist at Eleven Paths, defines it as a business product, since the hackers' planned attacks are very difficult to detect.

Hackers do not seek to affect thousands of computers with this ransomware, but a few companies that need their systems to operate. In this sense, minimum payments of 1.5 BTC have been reported to decrypt files, and a maximum amount of 99 BTC per company. De los Santos says that the fewer attacks are made and the more vulnerable the systems are to the ransomware, the more profitable Ryuk is for hackers.

Ryuk operates very similarly to other ransomware, as it can be spread through Trojans hidden in e-mails. Likewise, a new version of the malware can spread itself across companies' private networks. To do this, it uses the Wake on LAN (WoL) feature, which powers on computers that receive a remote order, so the malware expands more rapidly and quietly.
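To make the Wake on LAN trigger mentioned above concrete from the defender's side, here is an added example (not code from the article, and not derived from any Ryuk sample) that recognises WoL "magic packets" on the wire and flags a source that wakes an unusual number of hosts. A magic packet is a UDP datagram, usually sent to a broadcast address on port 9 or 7, whose payload is six 0xFF bytes followed by the target MAC address repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password. The datagram list, the source addresses and the threshold of three distinct targets are constructed for the example; in practice the tuples would come from a packet capture or a network sensor.

```python
"""Detect Wake on LAN magic packets and flag sources that wake many hosts.

Added example for illustration; all packets below are constructed, not captured.
"""

SYNC_STREAM = b"\xff" * 6   # every magic packet starts with six 0xFF bytes
MAC_LEN = 6
REPEATS = 16                # the target MAC is repeated 16 times
BODY_LEN = len(SYNC_STREAM) + MAC_LEN * REPEATS   # 102 bytes without a password


def parse_magic_packet(payload: bytes):
    """Return the target MAC as 'aa:bb:cc:dd:ee:ff' if payload is a valid
    WoL magic packet, otherwise None. A trailing 4- or 6-byte SecureOn
    password is tolerated; any other length is rejected."""
    if len(payload) not in (BODY_LEN, BODY_LEN + 4, BODY_LEN + 6):
        return None
    if payload[:len(SYNC_STREAM)] != SYNC_STREAM:
        return None
    mac = payload[len(SYNC_STREAM):len(SYNC_STREAM) + MAC_LEN]
    for i in range(REPEATS):
        start = len(SYNC_STREAM) + i * MAC_LEN
        if payload[start:start + MAC_LEN] != mac:
            return None   # the 16 copies must all be identical
    return ":".join(f"{b:02x}" for b in mac)


def find_wol_senders(datagrams, min_targets: int = 3):
    """datagrams: iterable of (src_ip, dst_port, payload) tuples.
    Returns {src_ip: sorted list of target MACs} for every source that sent
    magic packets to at least `min_targets` distinct hosts. A management
    host waking one machine is normal; a workstation waking many is not."""
    targets = {}
    for src_ip, _dst_port, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is None:
            continue   # ordinary UDP traffic on the same port is ignored
        targets.setdefault(src_ip, set()).add(mac)
    return {src: sorted(macs) for src, macs in targets.items()
            if len(macs) >= min_targets}


def _magic(mac_hex: str) -> bytes:
    """Build a constructed sample payload for the demonstration data."""
    return SYNC_STREAM + bytes.fromhex(mac_hex) * REPEATS


# Constructed sample traffic (src_ip, dst_port, payload); not a real capture.
SAMPLE_DATAGRAMS = [
    # an administrator waking a single machine from a management host
    ("10.0.0.5", 9, _magic("001122334455")),
    # a workstation waking four different hosts in quick succession
    ("10.0.0.77", 9, _magic("00aa00aa0001")),
    ("10.0.0.77", 9, _magic("00aa00aa0002")),
    ("10.0.0.77", 9, _magic("00aa00aa0003")),
    ("10.0.0.77", 7, _magic("00aa00aa0004")),
    # unrelated UDP payload on the same port: must not count
    ("10.0.0.77", 9, b"hello, not a magic packet"),
    # malformed: the 16th MAC copy differs, so it is not a valid magic packet
    ("10.0.0.88", 9, SYNC_STREAM + bytes.fromhex("0011223344ff") * 15
                     + bytes.fromhex("0011223344fe")),
]


if __name__ == "__main__":
    for src, macs in find_wol_senders(SAMPLE_DATAGRAMS).items():
        print(f"{src} sent magic packets to {len(macs)} hosts: {', '.join(macs)}")
```

The parser is strict on purpose: a payload is only counted when the sync stream, the length and all sixteen MAC copies check out, so random broadcast noise does not inflate the per-source count. The threshold is the knob a detection engineer would tune to the environment; a lower value catches a slower wake-up campaign at the cost of more alerts on legitimate administration.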

If the virus manages to penetrate a vulnerable computer, it encrypts the entire database and does not provide the key unless the victim makes the payment. As these are targeted attacks, the hackers provide e-mail addresses for negotiating the payment. They also send the password to decrypt the files by e-mail, after verifying that the Bitcoin transaction has been made.

Bugs and Background

Sergio de los Santos confirmed that this ransomware attacks vulnerabilities in remote desktops and terminal servers. It might have gained entry on November 4th through a security breach on certain Microsoft servers that the companies had not updated.

The cybersecurity specialist notes that it is very difficult to decrypt files hit by this type of ransomware on one's own, so in most cases a ransom has to be paid to avoid the risk of losing valuable data. It is necessary to analyze everything to see what has been stolen, assess the consequences and make decisions.

On the other hand, security expert Brett Callow, of Emsisoft, explains that new versions of this ransomware may contain certain exploitable errors. In some cases, these bugs allow files to be decrypted without the need for a password. However, the same errors may also render files irrecoverable and damage them forever.

By Willmen Blanco
