Ryuk Ransomware: Origins, Operation Mode, Mitigation

What is Ryuk Ransomware?

Widely known for targeting governments, academia, healthcare, manufacturing, and technology organizations’ cybersystems, Ryuk is a ransomware-as-a-service (RaaS) group that’s been active since August 2018. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. The operators behind Ryuk are known for running a private affiliate program where affiliates can submit applications and resumes to apply for membership. By the end of 2020, the operators behind Ryuk netted a total of $150 million.

Ryuk is at the top of the RaaS rankings, having payloads delivered by its affiliates. The gang’s affiliates were attacking approximately 20 companies every week in the last months of 2020, and, beginning with November 2020, they coordinated a massive wave of attacks on the US healthcare system.


According to cybersecurity researchers, Ryuk was developed and is currently operated by the GRIM SPIDER APT (Advanced Persistent Threat group), a splinter group traced back to WIZARD SPIDER, the criminal mastermind behind TrickBot. Russian in origin, GRIM SPIDER embraces WIZARD SPIDER’s big-game hunting ideology, whereas big trophies can be claimed by attacking big targets.

The APT group’s voracity for HVTs has left

Read More: https://heimdalsecurity.com/blog/ryuk-ransomware/