Malware profile by Svenja Heitmann and Jeremy Bonse
| Virus | Worm | Trojan | Ransomware | Botnet | Other |
|---|---|---|---|---|---|
|  |  |  | ✔️ |  |  |
- Year: 2018 [1]
- Author: most likely Wizard Spider (Russian hacker group) [1]
- Language: unknown
- Infections: mostly large companies [2]
- Damage: about $61 million in the USA [2]
Ryuk is derived from the Hermes 2.1 ransomware. [1]
The infection chain starts with a phishing email that installs Emotet. Emotet is a loader, i.e. malware whose purpose is to install further malware; it then drops TrickBot and Ryuk. TrickBot is spyware used to harvest credentials, which Ryuk then uses to reach the other hosts in the network. [2]
Once Ryuk has infected a system, it encrypts almost all of its files. [1]
What makes Ryuk so damaging is that it does not stop at local files: it deletes the Volume Shadow Copies (its own ransom note says so) and also encrypts network drives and mounted devices, so the usual on-host recovery paths are gone. [2]
The ransomware has often been used against large organizations, e.g. UHS hospitals and several newspapers. [2]
It was most likely created by a Russian hacker group, since it will not run on a system whose language is set to Russian, Belarusian or Ukrainian. [3]
The ransom message looks like this:
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT DELETE readme files.
DO NOT RENAME OR MOVE the encrypted and readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
***********@protomail.com
or
***********@tutanota.com
BTC wallet:
***********
Ryuk
No system is safe
[1]
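The two points above that a responder can actually check for are the shadow-copy removal and the dropped ransom note. The script below is an added example written for this profile; it is not code from the page's sources or from Ryuk itself. It scans constructed, pipe-delimited process-creation events for commands that delete shadow copies or the backup catalog, and scores a text file against phrases taken from the note quoted above. The specific commands it matches (vssadmin, wmic, wbadmin) are an assumption drawn from public Ryuk reporting, not something this page states.

```python
# Added example (not part of the original profile or of Ryuk): triage helpers
# for two Ryuk indicators, shadow-copy deletion and the dropped ransom note.
# The command patterns below are an assumption based on public Ryuk reporting.
import re

# Constructed sample events (not real telemetry), one per line:
# timestamp|host|parent image|image|command line
SAMPLE_PROCESS_LOG = """\
2020-09-27T03:12:01Z|FS01|explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\report.txt
2020-09-27T03:14:22Z|FS01|cmd.exe|vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet
2020-09-27T03:14:23Z|FS01|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
2020-09-27T03:14:24Z|FS01|cmd.exe|wmic.exe|wmic shadowcopy delete
2020-09-27T03:15:00Z|WS17|svchost.exe|vssadmin.exe|vssadmin.exe list shadows
"""

# Constructed file content: a fragment of the ransom note quoted above.
SAMPLE_NOTE = """\
All files on each host in the network have been encrypted with a strong algorithm.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
DO NOT RESET OR SHUTDOWN - files may be damaged.
Ryuk
No system is safe
"""

# Command lines that destroy Volume Shadow Copies or the backup catalog.
# Only the delete verbs are matched; "vssadmin list shadows" is benign admin use.
SHADOW_DELETE_PATTERNS = (
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.IGNORECASE),
)

# Phrases lifted from the note quoted above; two or more in one file is a
# strong sign the file is a Ryuk note rather than ordinary text.
RANSOM_NOTE_PHRASES = (
    "no system is safe",
    "shadow copies also removed",
    "do not reset or shutdown",
    "do not delete readme files",
)


def parse_event(line):
    """Split one pipe-delimited event into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, parent, image, cmdline = parts
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def find_shadow_copy_deletion(log_text):
    """Return the events whose command line deletes shadow copies or backup catalogs."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if any(p.search(ev["cmdline"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(ev)
    return hits


def affected_hosts(log_text):
    """Hosts with at least one shadow-copy deletion, sorted for stable output."""
    return sorted({ev["host"] for ev in find_shadow_copy_deletion(log_text)})


def ransom_note_score(text):
    """Count how many known note phrases appear, ignoring case and whitespace differences."""
    normalized = " ".join(text.lower().split())
    return sum(1 for phrase in RANSOM_NOTE_PHRASES if phrase in normalized)


def looks_like_ryuk_note(text, min_hits=2):
    """True when enough distinctive phrases are present to treat the file as a Ryuk note."""
    return ransom_note_score(text) >= min_hits


if __name__ == "__main__":
    for ev in find_shadow_copy_deletion(SAMPLE_PROCESS_LOG):
        print(f"[{ev['host']}] {ev['ts']} {ev['parent']} -> {ev['cmdline']}")
    print("affected hosts:", affected_hosts(SAMPLE_PROCESS_LOG))
    print("ransom note:", looks_like_ryuk_note(SAMPLE_NOTE))
```

Run against the constructed sample it flags the three deletion commands on FS01 and ignores the benign `vssadmin list shadows` on WS17; in practice the same functions would be fed Sysmon event ID 1 or Security 4688 command lines exported from the affected hosts, and a hit on the shadow-copy deletion is the moment to isolate the host, because it precedes the encryption the profile describes.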