Ryuk
Confidence: High. Threat level: High.
Associated groups: WIZARD SPIDER, GRIM SPIDER, UNC1878, TEMP.MixMaster, FIN12, GOLD BLACKBURN (+2 more)
Ryuk is ransomware operated by WIZARD SPIDER, a Russia-based eCrime group. First observed in August 2018, it became known for "big game hunting" (BGH): targeting large, high-value enterprises and demanding correspondingly large ransoms. Ryuk is not an initial-access tool. It is deployed as the final-stage payload after the operators have already compromised the network, performed reconnaissance and escalated privileges; initial access typically comes from other malware, most notably TrickBot and Emotet, delivered through phishing campaigns.

Ryuk derives from the Hermes ransomware source code and has been continuously developed and refined by its operators. It combines AES-256 encryption of file contents with RSA-4096 protection of the symmetric keys, so files cannot be recovered without the operators' private key. To maximize impact it also encrypts reachable network shares and sends Wake-on-LAN packets to power on remote machines that would otherwise be unreachable.

WIZARD SPIDER is a sophisticated, well-resourced criminal enterprise that is also responsible for the TrickBot banking trojan. Its operations show a clear shift from earlier, less targeted financial fraud to focused, highly lucrative ransomware attacks. For lateral movement and persistence the group uses a wide array of tooling, including PowerShell Empire, Cobalt Strike, and legitimate administrative tools such as RDP and PsExec; because much of this activity blends in with routine administration, the intrusions are difficult to detect and remediate.
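The Wake-on-LAN behaviour described above leaves a network-visible artifact that defenders can hunt for. The following detector is an added example written for this page, not Ryuk's code or any vendor's detection logic: it parses WoL magic packets (a sync stream of six 0xFF bytes followed by the target MAC repeated 16 times, optionally followed by a SecureOn password, sent as UDP to port 7 or 9) and flags senders that are not on an allow-list of hosts expected to send them, such as a patch-management server. The allow-list, IP addresses, MACs and sample datagrams are all constructed for illustration.

```python
"""Flag Wake-on-LAN magic packets from hosts that should not be sending them.

Added example (not Ryuk's code). A Ryuk-style deployment may wake offline
hosts so their shares can be encrypted; WoL from an ordinary workstation or
file server, fanning out to many MACs, is therefore worth alerting on.
All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

WOL_PORTS = {7, 9}              # UDP ports conventionally used for WoL
SYNC_STREAM = b"\xff" * 6       # magic packet preamble
MAC_LEN = 6
MAGIC_LEN = len(SYNC_STREAM) + MAC_LEN * 16   # 102 bytes before any password


@dataclass(frozen=True)
class Datagram:
    """Minimal UDP datagram view; a capture parser would fill these in."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC as aa:bb:cc:dd:ee:ff if payload is a WoL magic packet.

    Trailing bytes beyond the 102-byte core are tolerated because WoL allows a
    4- or 6-byte SecureOn password after the repeated MAC.
    """
    if len(payload) < MAGIC_LEN or payload[:6] != SYNC_STREAM:
        return None
    mac = payload[6:6 + MAC_LEN]
    if payload[6:MAGIC_LEN] != mac * 16:   # MAC must repeat exactly 16 times
        return None
    return ":".join(f"{b:02x}" for b in mac)


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Construct a magic packet for a MAC given as aa:bb:cc:dd:ee:ff (test data only)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != MAC_LEN:
        raise ValueError(f"bad MAC: {mac}")
    return SYNC_STREAM + raw * 16 + password


def find_suspicious_wol(datagrams: Iterable[Datagram],
                        allowed_senders: Set[str]) -> List[Tuple[str, str]]:
    """Return (sender_ip, target_mac) for magic packets from non-allow-listed hosts."""
    hits: List[Tuple[str, str]] = []
    for d in datagrams:
        if d.dst_port not in WOL_PORTS:
            continue
        mac = parse_magic_packet(d.payload)
        if mac is None or d.src_ip in allowed_senders:
            continue
        hits.append((d.src_ip, mac))
    return hits


def wol_fanout(hits: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Distinct target MACs per unexpected sender; a high count suggests mass wake-up."""
    targets: Dict[str, Set[str]] = {}
    for src, mac in hits:
        targets.setdefault(src, set()).add(mac)
    return {src: len(macs) for src, macs in targets.items()}


# Constructed sample: 10.0.0.5 is the (hypothetical) patch-management server that
# legitimately sends WoL; 10.0.3.17 is a file server that should never send it.
ALLOWED_WOL_SENDERS = {"10.0.0.5"}
SAMPLE_DATAGRAMS = [
    Datagram("10.0.0.5", "10.0.255.255", 9, build_magic_packet("00:11:22:33:44:55")),
    Datagram("10.0.3.17", "255.255.255.255", 9, build_magic_packet("00:11:22:33:44:66")),
    Datagram("10.0.3.17", "255.255.255.255", 9, build_magic_packet("00:11:22:33:44:77")),
    Datagram("10.0.3.17", "255.255.255.255", 7,
             build_magic_packet("00:11:22:33:44:88", password=b"\x00" * 4)),
    Datagram("10.0.3.17", "10.0.0.1", 53, b"\x12\x34\x01\x00"),          # DNS, ignored
    Datagram("10.0.3.18", "255.255.255.255", 9, SYNC_STREAM + b"garbage"),  # malformed
]

if __name__ == "__main__":
    found = find_suspicious_wol(SAMPLE_DATAGRAMS, ALLOWED_WOL_SENDERS)
    for src, mac in found:
        print(f"unexpected WoL from {src} targeting {mac}")
    print("fan-out per sender:", wol_fanout(found))
```

In practice the datagrams would come from a packet capture or network sensor rather than the constructed list; the allow-list should hold only the hosts that are documented to send WoL, and the fan-out count is the signal that separates a single administrative wake-up from a host trying to bring an entire subnet online.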
Target Sectors
Target Regions
Attributed to Criminal Organization (Russia). Attribution confidence: High.
Future Outlook
Ryuk is expected to continue operations targeting Healthcare.
First observed activity: August 2018
Ongoing operations