A new ransomware campaign in the wild,Ryuk!!

  • 21

Recently, Quick Heal Security Labs observed a new destructive ransomware named ‘Ryuk. Ransomware’. This ransomware campaign has already affected many users worldwide and seems to be a spear phishing attack. The compelling thing, it encrypts victim files without appending any extension but making files unreadable.

Ryuk uses robust military algorithms such as ‘RSA4096’ and ‘AES-256’ to encrypt files. We have seen that the infection vector of this ransomware is exploit kits and spam emails. This ransomware demands a ransom ranging from 15 BTC to 50 BTC in the form of Bitcoin to decrypt the files.

Technical Analysis:

After execution of the mother file, it dropped following files

C:\Users\Public\public Used to hold RSA public key.
C:\Users\Public\ UNIQUE_ID_DO_NOT_REMOVE Used to hold hardcoded key.
C:\Users\Public\windows.bat Used to delete shadow volumes and backup files.

Fig 1: Batch file containing the commands to delete the shadow copies and backup files.

The next step is that it executes taskkill and net commands to kill more than 40 processes and terminates around 180 majorly required services in the machine. Following snippets shows the details

Fig 2: Execution of taskkill to kill processes

Fig 3: Execution of net to terminate services

From further analysis, we have found that the terminated processes and services are mainly associated with the database, antivirus, backup and document editing software.

Following snippet shows some of the processes and services it kills.

Fig 4: List of killed processes and services

The Ryuk Ransomware uses below command to create run registry to gain persistence even after the system is restarted as shown in the below snippet

Fig 5: Registry entry created at Run

From the analysis, Ryuk is found to be performing memory code injection. For this, it uses ‘openprocessto get the handle on target process and using ‘VirtualAllocEx’, it creates buffer inside its address space.

The allocated memory size is of the same size of malware image. It then writes into the allocated memory using ‘WriteProcessMemory’ API and creates a Remote thread into the targeted virtual address space using ‘CreateRemoteThread’ API.

Following IDA pro snippet shows us the code flow used to perform memory injection.

Fig 6: code flow used to perform memory injection

Ryuk ransomware encrypts each local drive except the locations which are hardcoded in it. this white list includes ‘Windows’, ‘Mozilla’, ‘Chrome’, ‘RecycleBin’ etc.

It also tries to encrypt shared systems on the network.

It had dropped two ransom notes, one is short and the other is in depth as shown below

Fig 7: Ransom Note in depth

How Quick Heal protects its users from the Ryuk Ransomware

Quick Heal successfully blocks Ryuk ransomware with the following protection layers:

  1. Virus Protection
  2. Behavior-based Detection
  3. Anti-Ransomware

Fig 8: Behavior Detection

Fig 9: Anti-Ransomware Module

How to stay safe from ransomware attacks:

  • Always take a backup of your important data in external drives like HDD and pen drives. Consider using a reliable Cloud service to store the data.
  • Do not install any freeware or cracked versions of any software.
  • Do not open any advertisement pages shown on websites without knowing that they are genuine.
  • Disable macros while using MS Office.
  • Update your antivirus to protect your system from unknown threats.
  • Do not click on links or download attachments in emails from unexpected, unknown or unwanted sources.

Indicators of compromise:


Subject matter experts: –

Shashikala Halagond, Priyanka Dhasade, Poonam Dongare | Quick Heal Security Labs

Shriram Munde

Shriram Munde

1 Comment

Your email address will not be published.


  1. Avatar kanishk raj pandeySeptember 2, 2018 at 3:53 AM

    Great Shriram, nice one.