Day 1: Ryuk Ransomware

Common Attack Vectors

  • Remote Desktop Protocol access (RDP)
  • Email Phishing

Vulnerabilities Exploited

  • Windows MSHTML
  • Zerologon
  • Application patch exploits

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Technology Companies

Threat actors target technology companies to steal sensitive data and intellectual property, encrypt network files, and demand ransoms.

Recent Activity

The computer emergency response team of the National Cybersecurity Agency of France discovered a Ryuk variant with worm-like capabilities that can spread itself from system to system within a Windows domain.

Liege, Belgium's third largest city and a major educational city, was hit by a ransomware attack that disrupted its IT services and network.

Common File Extensions

  • .rcrypted
  • .ryk

Known Alias

  • Hermes

How Ryuk Ransomware is Distributed

Ryuk's tactics, techniques, and procedures vary from incident to incident. Ryuk ransomware is typically distributed by Emotet and/or TrickBot malware, but newer variants have a built-in ability to distribute themselves: they do not have to rely on other tools and can propagate across the network on their own.

Ryuk is installed and executed by way of a banking trojan that infects a target machine. The Ryuk payload is downloaded and executed after the banking trojan has collected admin login information and moved through the target network. The banking trojan may arrive through a spear-phishing campaign or through other vulnerabilities that are difficult to detect. Mid-sized to large organizations that rely on their networks for day-to-day operations and are financially stable are the typical Ryuk victims. Attackers use phishing to target organizations with a large number of employees, since a large workforce makes a company more susceptible to email-related threats.

SpearTip's analysis of the malware determined that the Ryuk payload uses "icacls.exe" to modify file permissions with the commands icacls "C:\*" /grant Everyone:F /T /C /Q and icacls "D:\*" /grant Everyone:F /T /C /Q, granting itself full control over files and folders it may not have had access to initially so that it can encrypt them. The Ryuk payload contained the ability to self-replicate to other machines on the network. The payload used Wake-on-LAN to reach other machines on the network, identifying them from the local ARP cache.

Following this activity, the payload opens and mounts network shares as an additional mechanism for spreading its malicious payload to other machines. SpearTip was able to recover additional information regarding the Ryuk payload, identifying the location where it drops other executables: "C$:\Users\Public". Embedded within the analyzed executable was the ransom note, named "RyukReadMe.html".
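As an added defender's example (not SpearTip's code or anything from the analysis above), the following Python flags the two host-side indicators described in this section in process-creation command lines: an icacls invocation that recursively grants a broad principal full control, scored highest when the target is a drive root, and file names matching the ransom note or the .ryk/.rcrypted extensions. The sample events, host names and severity labels are constructed for illustration.

```python
import re

# Constructed sample process-creation records (not taken from the analysis), shaped
# like the CommandLine field of a Sysmon Event ID 1 or Security Event ID 4688 entry.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmd": 'icacls "C:\\*" /grant Everyone:F /T /C /Q'},
    {"host": "WS01", "cmd": 'icacls "D:\\*" /grant Everyone:F /T /C /Q'},
    {"host": "FS02", "cmd": 'icacls "C:\\Share\\Reports" /grant Finance:(OI)(CI)M /T'},
    {"host": "FS02", "cmd": 'icacls C:\\inetpub\\wwwroot /grant IIS_IUSRS:RX'},
    {"host": "WS03", "cmd": 'notepad.exe C:\\Users\\Public\\RyukReadMe.html'},
]

# Principals whose recursive full-control grant on a whole drive is almost never legitimate.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "s-1-1-0"}
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\\*?$")            # C:\ or C:\*
# Ransom note name and encrypted-file extensions named in this write-up.
RYUK_FILE_INDICATOR = re.compile(r"(?:RyukReadMe\.html|\.ryk|\.rcrypted)$", re.IGNORECASE)

def tokenize(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def icacls_severity(cmd):
    """'high': recursive full control for a broad principal on a drive root (the Ryuk
    pattern); 'medium': the same grant on a narrower path; None: not suspicious."""
    argv = tokenize(cmd)
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("icacls", "icacls.exe"):
        return None
    target = argv[1] if len(argv) > 1 else ""
    lowered = [a.lower() for a in argv]
    recursive = "/t" in lowered
    broad_full = False
    for i, a in enumerate(lowered):
        if a in ("/grant", "/grant:r") and i + 1 < len(argv):
            principal, _, perms = argv[i + 1].rpartition(":")
            simple = re.sub(r"\([A-Z]+\)", "", perms).upper()   # drop (OI)(CI) inheritance flags
            if principal.lower() in BROAD_PRINCIPALS and simple == "F":
                broad_full = True
    if not (broad_full and recursive):
        return None
    return "high" if DRIVE_ROOT.match(target) else "medium"

def triage(events):
    """Return (host, severity, reason) for every event matching one of the indicators."""
    hits = []
    for ev in events:
        sev = icacls_severity(ev["cmd"])
        if sev:
            hits.append((ev["host"], sev, "icacls broad full-control grant"))
        tokens = tokenize(ev["cmd"])
        if tokens and RYUK_FILE_INDICATOR.search(tokens[-1]):
            hits.append((ev["host"], "high", "Ryuk file indicator: " + tokens[-1]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```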

In the most recent case observed by our investigative team, the attackers used a backdoor, socks.exe (SystemBC), which arrived by email and maintained persistence by communicating with an IP address on a Linode-hosted server.

ShadowSpear

SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network, and endpoint devices to provide security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.