Ryuk, one of the most sought-after ransomware strains, has now been reported in China. The FBI has been aggressively tracking Ryuk since 2018, after it extracted $640,000 worth of bitcoin from corporate accounts within weeks.

According to the Tencent Security report published on July 17th, the ransomware has been detected attempting to encrypt data on infected devices in China. Ryuk, which did serious damage in North America, was recently introduced into the country, and victims were extorted for 11 BTC (about USD 115,841).

In 2018, Ryuk infected devices and demanded hefty ransoms from over 100 government and corporate enterprises in the U.S. Researchers at Check Point issued an alert about Ryuk, noting that its ransom demands ranged from over 15 BTC to 50 BTC. According to the Check Point reports of 2018, Ryuk was used in highly targeted attacks directed at local U.S. government organizations. The BitPaymer ransomware was used alongside it, while the Emotet trojan was used to steal credentials.

According to the Tencent Security team, analysis of the Chinese Ryuk attack shows that the malware uses RSA + AES to encrypt files on the victim's system. Considerable similarity between Ryuk and the Hermes ransomware has been observed, which is why security experts believe Ryuk is a variant of Hermes. Its propagation method is also similar to that of Hermes, which spreads through botnets and spam. Once the ransomware lands on a machine, it deletes all attack-related files and shuts down antivirus processes.

Tencent Security shared an overview of the attack in which the Ryuk ransom note, "RyukReadme", opens in the web browser and displays two email addresses and the ransomware's name. When the team contacted the attacker, they were asked to pay a ransom of 11 bitcoin for the file decryption mechanism.

Early this year, in January, Ryuk attacked Tribune Publishing and went on to attack the local government of Lake City, Florida, demanding a ransom worth $460,000. Within the next two weeks, Riviera Beach, Florida, reported the same Ryuk attack at a cost of $600,000.

The FBI has been looking for the source of the malware for over a year now. According to the FBI's analysis, the attacker enters the victim's network, establishes a registry presence, moves into the file system and starts encryption. Comparing the FBI's findings with the Chinese attack, some modifications appear to have been made to Ryuk. The Chinese variant is more evolved, as it carries both 32-bit and 64-bit ransomware modules.

The Tencent Security report does not disclose the number of organizations infected by Ryuk, nor is it clear how much ransom has been demanded in total.

Research conducted in January 2019 suggested that Ryuk has its roots in Russia and was developed by the group "GRIM SPIDER", as suggested by McAfee, although some security specialists suggest North Korea was the source of the first version of Ryuk.
