Understanding Ryuk Ransomware
Ryuk is a ransomware family: malicious software that encrypts a victim's files and demands payment for the key needed to restore them.
It was first observed in August 2018 and has since become one of the most notorious and costly ransomware families.
Unlike self-propagating ransomware such as WannaCry, Ryuk is built for targeted, hands-on-keyboard attacks in which the operators work each intrusion individually.
It is deployed in tailored campaigns with chosen infection vectors and high ransom demands; its operators favor quality over quantity when selecting victims.
An infection typically begins with a targeted intrusion into the victim's network, followed by file encryption and an extortionate ransom demand.
Common initial-access methods include customized spear-phishing emails and the use of compromised credentials to reach systems remotely over Remote Desktop Protocol (RDP).
Spear-Phishing and Advanced Encryption
A spear-phishing email may contain Ryuk directly or serve as an initial step in a series of infections.
Ryuk uses a hybrid scheme that combines two algorithms: the symmetric cipher AES-256 and the asymmetric cipher RSA-4096.
Each file is encrypted with AES, and the AES key is itself encrypted with the operator's RSA public key and stored alongside the encrypted data; because only the matching RSA private key can unwrap the AES key, the material left on disk is useless to the victim.
When the victim pays the ransom, the Ryuk operator provides the corresponding RSA private key, which decrypts the AES key and, through it, the encrypted files. The private key never resides on the victim's systems, which is why recovery without payment depends on offline backups rather than on any weakness in the encryption itself.
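To make the hybrid scheme concrete, here is an added example in Go that is not code from the original page and not Ryuk's own implementation: a per-file AES-256 key encrypts the contents, RSA encrypts only that key, and decryption succeeds only with the operator's RSA private key. The choice of AES-GCM and RSA-OAEP with SHA-256, the `EncryptedFile` layout, and the sample plaintext are this example's assumptions; the page says nothing about the cipher mode or padding Ryuk uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is the hypothetical on-disk layout this example leaves in place of
// the original file: AES-GCM ciphertext, its nonce, and the AES key wrapped under
// the operator's RSA public key. Nothing here lets the victim recover the AES key.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptFile performs the hybrid encryption: a fresh random AES-256 key protects
// the file body, and only that 32-byte key is encrypted with RSA (OAEP padding is
// this example's choice, not necessarily Ryuk's).
func EncryptFile(plaintext []byte, operatorPub *rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // 256-bit AES key, unique per file
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Wrap the symmetric key so that only the holder of the RSA private key can read it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, operatorPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// DecryptFile is the recovery path the operator sells after payment: the RSA
// private key unwraps the AES key, and the AES key decrypts the file body.
func DecryptFile(ef *EncryptedFile, operatorPriv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, operatorPriv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("wrong or missing RSA private key: cannot unwrap file key")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func main() {
	// The operator's RSA-4096 key pair; only the public half would ship with the malware.
	operatorPriv, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	// Constructed sample file contents for the demonstration.
	plaintext := []byte("Q4 financials - confidential")

	ef, err := EncryptFile(plaintext, &operatorPriv.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext bytes: %d, wrapped key bytes: %d\n", len(ef.Ciphertext), len(ef.WrappedKey))

	// A key pair the operator never issued stands in for "the victim did not pay".
	stranger, _ := rsa.GenerateKey(rand.Reader, 4096)
	if _, err := DecryptFile(ef, stranger); err != nil {
		fmt.Println("without the operator's private key:", err)
	}

	recovered, err := DecryptFile(ef, operatorPriv)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip intact:", bytes.Equal(recovered, plaintext))
}
```

The asymmetry is the whole point of the design: the public key embedded in the malware is enough to encrypt every file, but it is useless for decryption, so analysing the binary cannot yield the private key. The wrapped key is always exactly the RSA modulus size (512 bytes for RSA-4096), which is one artefact an analyst can look for when carving encrypted files.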