Remove Ryuk Virus: Delete Active Infections and Restore Data


[Image: Ryuk virus ransom note and encrypted file extension]

The Ryuk virus is a newly discovered threat that descends from the Hermes ransomware family. Its modular structure lets the criminals behind it build customized versions against specific targets. Our article gives an overview of the virus's operations and may also be useful when attempting to remove it.

Threat Summary

Name: Ryuk virus
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts sensitive information on your computer system and demands a ransom to be paid to allegedly recover it.
Symptoms: The ransomware will encrypt your files with a strong encryption algorithm.
Distribution Method: Spam e-mails, e-mail attachments

Ryuk Virus – Update December 2018

December 2018 brings a new variant of this cryptovirus, which still calls itself Ryuk Ransomware and appends the .RYK extension to encrypted files. The ransom note has changed slightly: two files can be decrypted for free. Other changes include a lower detection ratio, as the cybercriminals are working to reduce detections to a minimum, and the wallet address can be given via a private message instead of being included in the note as in previous variants.

Ryuk Virus – Distribution Ways

The Ryuk virus is a newly created threat that appears to be an offspring of the Hermes ransomware family. The collected samples are very limited, which suggests that the currently detected attack is merely a test release. The low number of live infiltration attempts signals that the hackers cannot yet effectively judge which delivery method works best.

We anticipate that the main methods will be used for maximum impact. A preferred way is to send phishing e-mail messages: customized SPAM messages sent in bulk that feature web elements of well-known web companies or services. The usual forms are password reset reminders, software updates or another common message type. The accompanying Ryuk virus samples can be either attached directly or sent as hyperlinks.

The hackers can also create fake download sites, applying the same strategy in the form of websites. The criminals craft fake download portals or vendor sites that use similar-sounding names, domains and credentials to those of the original vendors.

These two methods are also the main ones for spreading infected payloads:

  • Documents — Ryuk virus samples can infect targets via manipulated documents. They can be of different types: rich text documents, presentations, spreadsheets or databases. Once the files are opened a notification prompt appears asking the victim users to enable the built-in scripts. If this is done the infection will follow.
  • Software installers — Setup files can be created by the criminals in an attempt to make the users believe they are installing a legitimate file. They are made by taking the real files from the vendor download sites and bundling the Ryuk virus code into them. In most cases there is no way of knowing that the setup files carry a malicious threat. The most common targets are system utilities, creativity suites and productivity software.

The threat can also be delivered via file-sharing networks such as BitTorrent, which are primarily used to spread pirated and illegal content.

Advanced infection campaigns can utilize browser hijackers, malicious plugins made for the most popular browsers. They are frequently uploaded to the relevant software repositories using fake developer credentials and user reviews. The description claims that the plugins offer new functionality and features not available in the standard set. The name “hijacker” comes from the fact that once the threats are installed on the victim computers a complex infection pattern is started. The malicious code modifies the default settings (search engine, new tab page and home page) to redirect to a hacker-controlled page. Following this the threat proceeds with the Ryuk virus infection.

Ryuk Virus – In-Depth Analysis

The Ryuk virus threat appears to be a new sample belonging to the Hermes ransomware family. The security analysis shows that the hacker or criminal collective behind it has taken the source code of the original threat and modified it to their specifications. Another possibility is that the operators have contacted a criminal developer to create a custom solution.

Like other similar threats the Ryuk virus is based on the modular framework of the main Hermes ransomware engine. The malicious behavior can begin with the start of a data hijacking module. It is programmed to automatically collect information about both the users and the machines. Experts usually categorize this data into two main types:

  • Private user information — The Ryuk virus can collect data about the user that can be used to expose their identity. The information consists of their name, address, phone number, interests, location and any stored password strings and account credentials.
  • Campaign Optimization Data — The engine can scan the infected host for information that can be used to optimize the attacks: certain user-set settings, operating system values and a report on the installed hardware components.

Following the completion of this module the harvested information can be used by a module called stealth protection. It scans for the presence of security software and operating system services that can interfere with the virus execution or block it. The list of applications includes anti-virus programs, virtual machine hosts and sandbox environments.

When the virus infection has access to all system information and protected areas it can proceed with the necessary modifications. A list of the common actions includes the following:

  • Windows Registry — The modifications made can impact Registry values, which in turn can cause certain applications to stop working properly. When operating system values are compromised overall system performance can suffer.
  • Persistent installation — The virus infection can be installed as a persistent threat. This means that it will run every time the computer is powered on, and it can disable access to the recovery boot menu.
  • Trojan Infection — The Ryuk virus can be programmed to install a Trojan module which establishes a secure connection to a hacker-controlled server. This allows the criminal operators to spy on the victims in real time, take over control of their machines and deploy additional threats.

As always, the hackers behind the Ryuk virus can implement other customizations and release updates to the initial release.

UPDATE! Malware researchers reported that the August campaign has accumulated over $640 000 in income. Its behavior patterns have been linked to the Lazarus APT group and earlier versions of the Hermes ransomware family. Some of the samples associated with the ongoing attacks have been found to feature non-standard processes. As well as deleting the Shadow snapshots, the main infection module resizes the storage space of the associated drive, which makes it impossible to resort to any restore activities.

Some popular professional-grade backup applications will also be affected: their installations are disabled and any attempts at running them are blocked.
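As an added illustration (not code from the article or from any vendor), the following Python script shows how a defender could pick the two behaviors described in the update, shadow copy deletion and shadow storage resizing, out of process-creation telemetry. The one-line log layout, host names, users and timestamps are constructed for the example; the vssadmin verbs matched by the rules are standard Windows syntax and are an assumption here, since the article describes only the effect, not the command.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon-like one-line layout.
# Hosts, users, paths and timestamps are made up for this example.
SAMPLE_EVENTS = [
    '2018-08-21 09:14:02 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    '2018-08-21 09:15:10 host=FS01 user=CORP\\admin image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin Delete Shadows /all /quiet"',
    '2018-08-21 09:15:11 host=FS01 user=CORP\\admin image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    '2018-08-21 09:20:00 host=WS07 user=CORP\\jdoe image=C:\\Program Files\\Notepad++\\notepad++.exe cmdline="notepad++.exe report.txt"',
]

# Field layout of one event line (constructed format, see SAMPLE_EVENTS).
EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"$'
)

# Each rule maps a behavior named in the article to the command line that
# produces it. The vssadmin verbs are standard Windows syntax and are an
# assumption of this example; the article describes only the effect.
RULES = (
    ("shadow_copies_deleted", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resized", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmdline: str


def parse_event(line):
    """Return the named fields of one event line, or None if it does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over every parsable event; return alerts in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], rule, ev["cmdline"]))
    return alerts


def hosts_with_both_behaviors(alerts):
    """Hosts where shadow copies were deleted AND shadow storage was resized,
    the combination the article attributes to the August samples."""
    seen = {}
    for a in alerts:
        seen.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) == len(RULES))


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} {a.rule}: {a.cmdline}")
    print("hosts showing both behaviors:", hosts_with_both_behaviors(found))
```

The benign `vssadmin list shadows` line is deliberately left unmatched: listing snapshots is routine administration, whereas deleting them and shrinking the storage are the two steps the article ties to the ransomware, so alerting on the pair per host keeps the rule useful without flooding on normal backup activity.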

Ryuk Virus — Encryption

The Ryuk virus follows the common mechanism of using a built-in list of target file type extensions. The ransomware module scans the local system and encrypts every matching file it finds with a strong cipher. A typical example can affect the following data:

  • archives
  • backups
  • databases
  • music
  • images
  • videos

When this process is complete a ransom note named RyukReadMe.txt will be created. The collected samples feature the following contents:

All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
Do not reset or shutdown – files may be damaged.
Do not rename or move the encrypted and readme files.
Do not delete readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
BTC wallet:
No system is safe
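To turn the two file-system indicators this page names, the .RYK extension of the December 2018 variant and the RyukReadMe.txt note, into a quick triage check, here is an added Python script (not part of the original article) that walks a directory tree and reports where encrypted files and notes sit, and which encrypted directories lack a note. The directory layout and file contents it builds are constructed placeholders, not data from a real infection.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicators stated in the article: the December 2018 variant appends .RYK to
# encrypted files, and a note named RyukReadMe.txt is dropped on affected hosts.
ENCRYPTED_EXT = ".ryk"
NOTE_NAME = "ryukreadme.txt"


def triage(root):
    """Walk a directory tree and summarize where encrypted files and notes are.

    Returns the total number of .RYK files, a per-directory breakdown, the
    note locations, and directories holding encrypted files but no note
    (a hint that the run was interrupted or the note was cleaned up).
    """
    root = Path(root)
    per_dir = Counter()
    note_dirs = set()
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_dir = path.parent.relative_to(root).as_posix()
        if path.suffix.lower() == ENCRYPTED_EXT:
            per_dir[rel_dir] += 1
        elif path.name.lower() == NOTE_NAME:
            notes.append(path.relative_to(root).as_posix())
            note_dirs.add(rel_dir)
    return {
        "encrypted_total": sum(per_dir.values()),
        "encrypted_by_dir": dict(per_dir),
        "notes": sorted(notes),
        "dirs_without_note": sorted(d for d in per_dir if d not in note_dirs),
    }


def build_sample_tree(base):
    """Create a constructed sample tree; contents are placeholders, not real data."""
    base = Path(base)
    files = {
        "Finance/q3-report.xlsx.RYK": b"<placeholder ciphertext>",
        "Finance/budget.docx.RYK": b"<placeholder ciphertext>",
        "Finance/RyukReadMe.txt": b"<placeholder note>",
        "Photos/holiday.jpg.RYK": b"<placeholder ciphertext>",
        "Software/setup.exe": b"<untouched placeholder binary>",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"encrypted files: {report['encrypted_total']}")
    for directory, count in sorted(report["encrypted_by_dir"].items()):
        print(f"  {directory}: {count}")
    print("notes:", ", ".join(report["notes"]))
    print("encrypted dirs without a note:", ", ".join(report["dirs_without_note"]) or "none")
```

Point `triage()` at a mounted image or a share root instead of the sample tree to get a per-directory picture of the damage before deciding what to restore from backup; matching is case-insensitive so `.ryk` and `.RYK` are counted alike.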

Remove Ryuk Ransomware Virus and Restore Encrypted Files

If your computer has been infected with the Ryuk ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instruction guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
