Remove Ryuk Virus — Delete Active Infections and Restore Data

Remove Ryuk Virus — Delete Active Infections and Restore Data

Ryuk Virus image ransomware note Encrypted extension

The Ryuk virus is a newly discovered threat that is a descendant of the Hermes ransomware family. Its modular framework allows the criminals behind it to make custom versions against specific targets. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.

Threat Summary

NameRyuk virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Ryuk virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Ryuk virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Ryuk Virus – Update December 2018

December 2018 brings a new variant of this cryptovirus, that keeps calling itself

Ryuk Ransomware and has .RYK extension placed to encrypted files. The ransom note is changed a bit, two files can be decrypted for free. Other changes include lower detection ratio due to the cybercriminals working on ways to decrease detections to a minimum and the wallet address could be given via a PM instead of including it in the note as previous variants.

Ryuk Virus – Distribution Ways

The Ryuk virus is a newly created threat that appears to be an offspring of the Hermes ransomware family. The collected samples appear to be very limited which shows that the ongoing detected attack is merely a test release. The low number of live infiltration attempts signal that the hackers cannot effectively judge which is the preferred method of delivery.

We anticipate that the main methods are going to be used for maximum impact. A preferred way is to take advantage of email phishing messages — customized SPAM messages sent in bulk that feature web elements of famous web companies or services. The usual forms are either password reset reminders, software updates or another common message type. The accompanying Ryuk virus samples can be either attached directly or sent as hyperlinks.

The hackers can also create fake download sites showing that the same strategy can be used in the form of sites. The criminals craft fake download portals or vendor sites which utilize similar sounding names, domains and credentials to the original vendors.

These two methods are also the main ones for spreading infected payloads:

  • Documents — Ryuk virus samples can infect target files via manipulated documents. They can be of different types: rich text documents, presentations, spreadsheets or databases. Once the files are opened a notification prompt appears which will ask the victim users to enable the built-in scripts. If this is done the infection will follow.
  • Software Installers — Software setup files can be created by the criminals in an attempt to coerce the users into thinking that that they are installing a legitimate file. The way they are done is by taking the real files from the vendor download sites and bundling the Ryuk virus code into them. In most cases there is no way of knowing that the setup files carry a malicious threat. The most well-known targets are system utilities, creativity suites and productivity software.

The threat can also be delivered via file sharing networks such as BitTorrent which are primarily used to spread pirate and illegal content.

Advanced infection campaigns can utilize browser hijackers — malicious plugins made for the most popular web browsers. They are frequently uploaded to the relevant software repositories using fake developer credentials and user reviews. The description reads that the plugins offers new functionality and features which are not available in the standard set. The name “hijacker” comes from the fact that once the threats are installed on the victim computers a complex infection pattern will be started. The malicious code will modify the default settings (search engine, new tabs page and home page) to redirect to a hacker-controlled page. Following this the threat will proceed with the Ryuk virus infection.

Ryuk Virus – In-Depth Analysis

The Ryuk virus threat appears to be a new sample belonging to the Hermes ransomware family. The security analysis shows that the hacker or criminal collective behind it have taken the source code of the original threat and modified it to their specifications. Another possibility is that the operators have contacted a criminal developer to create a custom solution.

Like other similar threats the Ryuk virus is based on the modular framework of the main Hermes ransomware enigne. The malicious behavior can begin with the start of a data hijacking module. It is programmed to automatically collect information both about the users and the machines. There are two main types that are usually categorized by the experts:

  • Private User Information — The Ryuk virus can collect data about the user which can be used to expose their identity. The information consists of their name, address, phone number, interests, location and any stored password strings and account credentials.
  • Campaign Optimization Data — The engine can scan the infected host for information that can be used to optimize the attacks — certain user-set settings, operating system values and a report on the installed hardware components.

Following the completion of this module the harvested information can be used by a module called stealth protection. It is used to scan for the availability of security software and operating system services that can interfere with the virus execution or block it. The list of applications include anti-virus programs, virtual machine hosts and sandbox environments.

When the virus infection has access to all system information and protected areas it can proceed with the necessary modifications. A list of the common actions includes the following:

  • Windows Registry — The made modifications can impact the Registry values which in turn can cause certain applications to stop working properly. When the operating system values are compromised overall system performance can suffer.
  • Persistent Installation — The virus infection can be installed as a persistent threat. This means that it will run every time the computer is powered on and it can disable access to the recovery boot menu.
  • Trojan Infection — The Ryuk virus can be programmed into installing a Trojan module which establishes a secure connection to a hacker-controlled server. This action allows the criminal operators to spy on the victims in real time, take over control of their machines and deploy additional threats.

As always the hackers behind the Ryuk virus can implement other customizations and release updates to the initial release.

UPDATE! Malware researchers reported that the August campaign has accumulated over $640 000 in income. Its behavior patterns have been linked to the APT Lazarus group and earlier versions of the Hermes ransomware family. Some of the samples associated with the ongoing attacks have been found to feature non-standard processes. As well as deleting the Shadow snapshots the main infection module will resize the storage space of the associated drive, this will lead to the inability to resort to any restore activities.

Some of the popular professional-grade backup applications will also be affected by it, the installations will be disabled and any attempts at running them will be blocked.

Ryuk Virus — Encryption

The Ryuk virus follows the common mechanism of utilizing a built-in list of target file type extensions. The ransomware module scans the local system and when such a file is accessed it will be encrypted with a strong cipher. A typical example can affect the following data:

  • Archives
  • Backups
  • Databases
  • Music
  • Images
  • Videos

Wen this process is complete a ransomware note with the name RyukReadMe.txt will be crafted. The collected samples feature the following contents:

All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
[email protected]
[email protected]
BTC wallet:
No system is safe

Remove Ryuk Ransomware Virus and Restore Encrypted Files

If your computer got infected with the Ryuk ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share