Ryuk Ransomware
What is Ryuk Ransomware?
A targeted ransomware family operated by WIZARD SPIDER from 2018 onward that extracted large ransoms from enterprises, hospitals and local governments via TrickBot intrusions.
Ryuk is a ransomware family first observed in August 2018, derived from the earlier Hermes code and operated by the criminal cluster WIZARD SPIDER. Unlike commodity ransomware, Ryuk was deployed in targeted hands-on-keyboard intrusions, typically after Emotet and TrickBot infections delivered domain-wide access. Operators used Mimikatz, BloodHound, Cobalt Strike and SSH to spread before encrypting servers and workstations. Ransom demands frequently reached millions of dollars in Bitcoin. Notable victims include Universal Health Services, several US hospitals during 2020 and the city of New Orleans. By 2021, much of the Ryuk operation transitioned into the Conti ransomware brand, which inherited tooling and personnel.
● Examples
- 01
A hospital network is encrypted by Ryuk after a TrickBot infection grants Domain Admin access through a single compromised workstation.
- 02
Defenders implement network segmentation and offline backups specifically informed by Ryuk and TrickBot incident reports.
● Frequently asked questions
What is Ryuk Ransomware?
A targeted ransomware family operated by WIZARD SPIDER from 2018 onward that extracted large ransoms from enterprises, hospitals and local governments via TrickBot intrusions. It belongs to the Malware category of cybersecurity.
What does Ryuk Ransomware mean?
A targeted ransomware family operated by WIZARD SPIDER from 2018 onward that extracted large ransoms from enterprises, hospitals and local governments via TrickBot intrusions.
How does Ryuk Ransomware work?
Ryuk was deployed in targeted hands-on-keyboard intrusions: Emotet and TrickBot infections delivered domain-wide access, operators spread with Mimikatz, BloodHound, Cobalt Strike and SSH, and then encrypted servers and workstations before demanding multi-million-dollar Bitcoin ransoms. See the full definition above.
How do you defend against Ryuk Ransomware?
Defences against Ryuk combine technical controls and operational practices. Because Ryuk was deployed only after Emotet and TrickBot infections had delivered domain-wide access, detecting and containing those precursor infections before a single compromised workstation leads to Domain Admin is central; the example above also names network segmentation and offline backups, both informed by Ryuk and TrickBot incident reports, which limit how far encryption spreads and allow recovery without paying.
What are other names for Ryuk Ransomware?
Common alternative names include: WIZARD SPIDER Ryuk.
● Related terms
- malware (№ 900): Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- malware (№ 1171): TrickBot
A modular banking trojan and post-exploitation framework operated by the WIZARD SPIDER crew that paved the way for Ryuk, Conti and Diavol ransomware.
- malware (№ 377): Emotet
A modular banking trojan turned malware-as-a-service loader that delivered ransomware affiliates and was taken down by international law enforcement in January 2021.
- defense-ops (№ 193): Cobalt Strike
A commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.