RYUK Ransomware and its impact on Europe, Middle East, and Africa

Airgap Networks
4 min readMar 24, 2021
“Living off the Land” Threats and Device Cybersecurity in 2021

Prolific Ryuk ransomware has new tricks up its sleeve — “Worm-like” capabilities. The developers behind the notorious strain of crypto-locking malware have given their attack code the ability to spread itself between systems inside an infected network. (Reference: BankInfoSecurity.com)

“A Ryuk sample with worm-like capabilities — allowing it to spread automatically within networks it infects — was discovered during an incident response handled by ANSSI in early 2021,” according to a Ryuk report issued Thursday by CERT-FR, the French government’s computer emergency readiness team that’s part of the National Cybersecurity Agency of France, or ANSSI.

Specifically, the worm-like behavior is achieved “through the use of scheduled tasks,” via which “the malware propagates itself — machine to machine — within the Windows domain,” CERT-FR says. “Once launched, it will thus spread itself on every reachable machine on which Windows RPC accesses are possible.” Remote procedure calls are a mechanism for Windows processes to communicate with one another.

Ryuk Ransomware launched in August 2018 was an updated version of old ransomware Hermes. Recently, a hike has been noticed in Ryuk ransomware due to its capability of delivering multi-staged attacks. It initiates downtime in organizations demanding them to pay for the launched attack. The email attachments are a medium for initiating these attacks, and cybercriminals can exploit the whole network to a great extent. Cybercriminals encrypt the network’s data and take control over the administrative controls, block the security measures, and delete backups before releasing Ryuk itself. During quarter 2 of 2019, ransomware like Sodinokibi and Ryuk increased to a tremendous extent. All over the Middle East, Europe, and Africa, there has been a 184 percent increase in such attacks. Ryuk targets large enterprises with approximately 3000 employees by launching a Ransome message different from other ransomware such as WannaCry.

Ryuk Ransome Message

When any organization network or computer systems compromised by Ryuk, it displays a message showing the 2 contact emails with the reference key and bitcoin wallet address. Some of the studies refer that Ryuk attack vectors do not need user interaction. Sometimes, they make the user use the application as they are using the legitimate application.

Malicious campaigns

Ryuk ransomware is launched in different phases to activate malicious campaigns. Initially, it starts with a phishing attack to target the organization’s network to identify critical assets, gather key credentials, network extensive mapping, and drop malware in the network. The second phase of attack comprised of multiple stages to conduct the extortion and extended espionage. The third stage of the malicious campaign eventually ends with demanding ransom.

Multi-attack malicious campaign

Trickbot and Emotet combine with the Ryuk ransomware to develop a triple-threat attack methodology. The different stages of this triple attack methodology are as follows:

· A Microsoft Office document file embedded with malicious macro code is sent via a phishing email. As a result of click on the phishing email, embedded malicious macro code executes a PowerShell command to download Emotet.

· Once the Emotet downloaded, it executes Trickbot as a pre-configured remote malicious host. Upon installing both Trickbot and Emotet, threat actors check for the target systems to steal credentials from the critical assets. Further, through the remote desktop protocol, they establish a connection with the target’s live servers to launch Ryuk.


The lack of security awareness programs, privilege escalation, use of RDPs, without session termination, no authentication and password manager, and outdated software installed at endpoints strengthen the Ryuk. Make sure to enable filters which checking attachments in email messages. Also, disable macros to avoid the installation of Emotet and Trickbot.

When dealing with Ransomware like Ryuk strains, the speed of response is critical in managing breach damage. With the volume and variety of critical threats growing every day, shortening incident response time is the new top business imperative. The longer it takes an organization to respond to an incident, the more severe the business impact will be.

Gartner Research on Defend Against and Respond to Ransomware Attacks. … shows that over 90% of ransomware attacks are preventable. … security and risk management leaders can mitigate risk against them. (Reference — Gartner Published 26 December 2019 — ID G00463878)

Older antivirus solutions offer insufficient protection against today’s advanced threats and lack of speed of response. The legacy solution does not provide the capability to show the root cause of damage done. We need to have a new mindset shift.

With enterprises and small businesses employ a single cloud-hosted EDR solution that protects against attacks with automation and EDR agent’s API integration options, Airgap’s Zero Trust Isolation for Endpoint harden the policy enforcement with Zero Trust visibility and control from endpoints and allows the collection, consolidation, and analysis of log and configuration data among EDR tools and Airgap’s Zero Trust Isolation Platform.

Zero Trust Isolation for Endpoint solution helps in fighting against ransomware by combining endpoint monitoring and hardening EDR network firewall capabilities to combat “living off the land” threats. For more information about Airgap’s Zero Trust Isolation for Endpoint, schedule a demo at https://airgap.io

Ransomware threats are growing rapidly. While there are a whole bunch of security companies that are trying to prevent ransomware from getting into your network, Airgap’s “Zero Trust Isolation Platform” protects your organization even if your perimeter is breached or if you have unpatched vulnerable servers inside your data center. Additionally, Airgap’s “Ransomware Kill Switch” is the most potent ransomware response for the IT organization. Airgap can be deployed in minutes without any agents, forklift upgrades, or design changes. The company is founded by highly experienced cybersecurity experts and the solution is trusted by large enterprises and service providers. For more details, check out https://airgap.io



Airgap Networks

Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io