This blog provides a detailed technical analysis of the Ryuk ransomware threat group, known for its targeted and high-impact attacks on large organizations.
By mapping its behavior to the MITRE ATT&CK Enterprise framework, we explore the full attack chain, from initial access via spear-phishing to the use of post-exploitation tools for lateral movement and privilege escalation.
We also examine how Ryuk ransomware leverages advanced encryption techniques and disables backup services to maximize its impact while minimizing detection. Security professionals can use this analysis to understand its inner workings and improve defenses against similar dual-impact ransomware campaigns.
Ryuk ransomware, first identified in 2018, is a highly targeted strain of ransomware attributed to the Russian cybercriminal group Wizard Spider. It primarily targets large organizations, including healthcare institutions, government entities, and other high-value sectors.
The malware is typically delivered through phishing emails containing malicious attachments or links, often leveraging other malware like Emotet or TrickBot to gain a foothold in the network. Once inside, Ryuk deploys its encryption payload, using a combination of AES-256 and RSA-4096 encryption algorithms to lock files, rendering them inaccessible.
The ransomware appends the .ryk extension to encrypted files and demands a ransom, with payments often reaching millions of dollars. In addition to encryption, Ryuk is known for its destructive tactics, including disabling backup services, deleting shadow copies, and disabling system restore points, making recovery more difficult.
Here is the technical overview of the Ryuk Ransomware threat group mapped to the MITRE ATT&CK Enterprise framework.
Ryuk ransomware uses the Adfind.bat script to gather information about the target network, specifically about its domain structure, systems, and services. This allows the attacker to map out the network and find more vulnerable systems to infect.
Adfind.bat is a tool that helps attackers query Active Directory to identify systems, user accounts, and other important network information. In this case, Ryuk uses it to learn about the target domain and network layout.
Picus simulates this behavior by emulating Ryuk’s use of command-line tools to gather remote system information.
# Process
This command runs the adfind.bat script located in the temporary directory (%TMP%), simulating the action of Ryuk executing the script to discover system information remotely.
# Rewind Process
After the discovery process, the simulated process deletes the adfind.bat file and any related files in the temporary directory to clean up and remove traces, mimicking the attacker’s behavior to avoid detection.
The group gathers information about trusted domains via the Nltest command. This helps the attacker understand the domain trust relationships, aiding lateral movement.
The following command simulates Ryuk utilizing the Nltest utility to enumerate trusted domains within the network, specifically identifying trust relationships between domains to facilitate lateral movement and attack propagation.
# Process
Ryuk ransomware was observed listing domain admins using net utility.
The following command queries the domain controller for the list of accounts within the Domain Admins group. By running it, the Picus Platform exposes accounts with high-level privileges, which are prime targets for escalation.
net.exe group "Domain admins" /DOMAIN
Ryuk ransomware uses the nltest utility to discover Domain Controllers (DCs) within the network. This helps the attacker identify key infrastructure for lateral movement and further exploitation.
This command retrieves a list of Domain Controllers in the specified domain, providing the attacker with critical information on network structure and access points to escalate privileges or move laterally.
nltest.exe /dclist:
The group uses the systeminfo command to gather detailed configuration information about a compromised system, helping the attacker understand the system environment and identify potential weaknesses.
This command displays comprehensive system details, including OS version, hardware configurations, and installed updates, providing the attacker with valuable insights into the target system for further exploitation or lateral movement.
systeminfo.exe
Ryuk ransomware uses WMIC (Windows Management Instrumentation Command-line) to gather information about installed antivirus programs, helping the attacker identify security defenses and potentially disable or evade detection.
powershell.exe -c "Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop"
This command queries the WMI to retrieve information about installed antivirus products, providing insights into the security software running on the target system, which can then be used to assess defenses and plan further actions.
Ryuk ransomware utilizes the Rubeus post-exploitation tool to carry out a Kerberoasting attack. This technique involves requesting service tickets for service accounts and then attempting to crack those tickets offline to obtain service account credentials.
# Process
This command invokes the Rubeus tool to request service tickets for service accounts in the domain, which are then subjected to offline cracking attempts to extract plaintext credentials.
# Rewind Process
With this command, we perform a cleanup step that deletes the Rubeus tool from the temporary directory, simulating the attacker’s efforts to erase traces and evade detection after executing the Kerberoasting attack.
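Kerberoasting leaves a distinctive trail on the domain controller: every service ticket request is logged as Security Event ID 4769, and a single user account collecting tickets for many different service accounts in a few seconds looks nothing like a workstation requesting the one or two services it actually uses. The following is an added example, not Picus code or part of the original post. It runs that heuristic over constructed 4769 records (account names, IPs and the five-SPN threshold are assumptions); it defaults to RC4-HMAC (0x17) tickets because those crack fastest offline and are what Kerberoasting tools typically request, but tools can ask for AES as well, so the distinct-service count is the stronger signal and `require_rc4=False` is available for that case.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"            # TicketEncryptionType value for RC4-HMAC in Event ID 4769
KERBEROASTING = "T1558.003"  # ATT&CK: Steal or Forge Kerberos Tickets: Kerberoasting

SERVICE_ACCOUNTS = ["svc_sql", "svc_web", "svc_backup",
                    "svc_sharepoint", "svc_exchange", "svc_print"]


def _req(t, user, svc, enc, ip="10.20.30.40", status="0x0"):
    """Build one constructed 4769 record using the field names Windows logs."""
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


EVENTS_4769 = (
    # Attack pattern: one user pulls RC4 tickets for six service accounts in six seconds.
    [_req(f"2024-05-01T11:00:0{i}", "j.doe@CORP.EXAMPLE", svc, RC4_HMAC)
     for i, svc in enumerate(SERVICE_ACCOUNTS)]
    # Noise that must not count: a krbtgt (TGT) entry and machine-account traffic.
    + [_req("2024-05-01T10:59:50", "j.doe@CORP.EXAMPLE", "krbtgt", RC4_HMAC)]
    + [_req(f"2024-05-01T11:00:0{i}", "WS-FIN-07$@CORP.EXAMPLE", svc, RC4_HMAC, ip="10.20.30.41")
       for i, svc in enumerate(SERVICE_ACCOUNTS)]
    # A normal user: one AES (0x12) ticket for the single service they use,
    # and one failed request (KDC_ERR_S_PRINCIPAL_UNKNOWN, status 0x7).
    + [_req("2024-05-01T11:05:00", "a.smith@CORP.EXAMPLE", "svc_sql", "0x12", ip="10.20.30.42"),
       _req("2024-05-01T11:06:00", "a.smith@CORP.EXAMPLE", "svc_web", RC4_HMAC,
            ip="10.20.30.42", status="0x7")]
)


def is_candidate(ev, require_rc4=True):
    """Keep only successful service-ticket requests made by user accounts."""
    user = ev["TargetUserName"].split("@")[0]
    svc = ev["ServiceName"].split("/")[0]
    if user.endswith("$") or svc.endswith("$"):   # computer accounts
        return False
    if svc.lower() == "krbtgt":                   # TGT traffic, not an SPN
        return False
    if ev["Status"] != "0x0":                     # failed request
        return False
    return ev["TicketEncryptionType"] == RC4_HMAC or not require_rc4


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=5), require_rc4=True):
    """Map requesting account -> alert when it obtains tickets for at least
    `threshold` distinct service accounts within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if is_candidate(ev, require_rc4):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"], ev["IpAddress"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):
            services = {svc for t, svc, _ in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts[user] = {"technique": KERBEROASTING, "source_ip": ip,
                                "services": sorted(services)}
                break
    return alerts


if __name__ == "__main__":
    for user, alert in detect_kerberoasting(EVENTS_4769).items():
        print(f'{alert["technique"]} {user} from {alert["source_ip"]}: {alert["services"]}')
```

Machine accounts and krbtgt are filtered out first because they legitimately touch many SPNs and would otherwise dominate the results; the threshold should be tuned against a baseline of your own service-account usage before the rule goes live.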
Ryuk ransomware uses the PowerLine tool to perform privilege escalation by running the PowerView function Invoke-CheckLocalAdminAccess, which checks for local administrative access on a target system.
The following command runs the PowerLine.exe tool located in the temporary directory and invokes PowerView to assess if the current user has local administrative privileges on the system.
# Process 1
After the privilege escalation check, the rewind command deletes the PowerLine.exe tool from the temporary directory, simulating the attacker’s efforts to erase traces and evade detection.
Ryuk ransomware evades detection by manipulating the PowerShell execution policy and using PowerShell scripts for post-exploitation actions, such as checking for local administrator access.
# Process 1
The first payload checks the current PowerShell execution policy and sets it to Unrestricted, enabling the execution of scripts like PowerView to bypass script execution restrictions.
The second payload unblocks and loads the DDF.ps1 script, enabling the execution of PowerView functions such as Invoke-CheckLocalAdminAccess, which checks for local administrator privileges.
# Rewind Process 1 to unblock and import the EDF.ps1 script
Ryuk ransomware disables backup services to hinder recovery efforts and increase the likelihood of successful ransom demands. This is achieved using a batch script to stop backup services on the infected system.
# Process 1
This command executes the stop_backup.bat script located in the temporary directory, which simulates Ryuk disabling backup services, preventing the system from creating backups and complicating recovery.
# Rewind Process
After executing the command to disable backups, this cleanup step deletes the stop_backup.bat script from the temporary directory, simulating the attacker’s effort to cover their tracks and evade detection.
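The discovery commands covered earlier (nltest trust and DC enumeration, the Domain Admins query, AdFind, systeminfo, the WMI antivirus query), the execution-policy change with the Unblock-File step, and the backup-disabling batch script all appear in the same place: process-creation telemetry. The following is an added example, not Picus code or a Picus rule, showing one detection that covers all three passages. It runs a small rule set over constructed records shaped like Sysmon Event ID 1 / Security 4688 and then flags a host only when several different rules fire within a short window, because a lone systeminfo is routine admin work while a burst of distinct reconnaissance commands from one host is the Ryuk pattern described above. Rule names, the 10-minute window, the three-rule threshold, and the host and user names are assumptions; the `net stop` pattern assumes how the batch script stops backup services, since the post does not list its contents; the ATT&CK IDs are the standard Enterprise technique identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules: (rule name, ATT&CK technique ID, regex over the command line).
# Patterns are case-insensitive and tolerant of quoting because operators vary
# both; tune them against your own baseline of admin tooling.
RULES = [
    ("nltest trusted-domain enumeration", "T1482",
     re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I)),
    ("nltest domain controller listing", "T1018",
     re.compile(r"\bnltest(\.exe)?\b.*/dclist", re.I)),
    ("net group Domain Admins query", "T1087.002",
     re.compile(r'\bnet(1|\.exe)?\b\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ("AdFind Active Directory query", "T1018",
     re.compile(r"\badfind(\.exe|\.bat)?\b", re.I)),
    ("systeminfo host profiling", "T1082",
     re.compile(r"\bsysteminfo(\.exe)?\b", re.I)),
    ("WMI antivirus product query", "T1518.001",
     re.compile(r"SecurityCenter2.*AntiVirusProduct", re.I)),
    ("PowerShell execution policy set to Unrestricted", "T1562.001",
     re.compile(r"Set-ExecutionPolicy\s+(-ExecutionPolicy\s+)?Unrestricted", re.I)),
    ("Unblock-File on a dropped script", "T1553.005",
     re.compile(r"\bUnblock-File\b", re.I)),
    ("Shadow copy deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*delete\s+shadows", re.I)),
    # Assumption: the stop_backup.bat script stops services with 'net stop'.
    ("Backup or shadow-copy service stopped", "T1490",
     re.compile(r"\bnet(1|\.exe)?\b\s+stop\b.*(backup|shadow|vss)", re.I)),
]

# Constructed sample telemetry shaped like Sysmon Event ID 1 / Security 4688.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe", "cmdline": "nltest.exe /domain_trusts /all_trusts"},
    {"time": "2024-05-01T09:00:12", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe", "cmdline": 'net.exe group "Domain admins" /DOMAIN'},
    {"time": "2024-05-01T09:00:40", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe", "cmdline": "nltest.exe /dclist:corp.example"},
    {"time": "2024-05-01T09:01:05", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe",
     "cmdline": "powershell.exe -c \"Get-WmiObject -Namespace 'root\\SecurityCenter2' "
                "-Class AntiVirusProduct -ErrorAction Stop\""},
    {"time": "2024-05-01T09:03:00", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe",
     "cmdline": 'powershell.exe -c "Set-ExecutionPolicy Unrestricted -Scope CurrentUser; '
                'Unblock-File .\\DDF.ps1; . .\\DDF.ps1"'},
    {"time": "2024-05-01T09:15:00", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2024-05-01T09:15:30", "host": "WS-FIN-07", "user": "CORP\\j.doe",
     "parent": "cmd.exe", "cmdline": 'net stop "Volume Shadow Copy" /y'},
    # Benign noise: a help-desk admin running systeminfo on its own.
    {"time": "2024-05-01T14:20:00", "host": "SRV-ADM-01", "user": "CORP\\helpdesk",
     "parent": "explorer.exe", "cmdline": "systeminfo.exe"},
    {"time": "2024-05-01T10:00:00", "host": "WS-HR-02", "user": "CORP\\a.smith",
     "parent": "explorer.exe", "cmdline": "notepad.exe report.txt"},
]


def scan(events):
    """Return one hit per (event, rule) match; an event can trip several rules."""
    hits = []
    for ev in events:
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"time": datetime.fromisoformat(ev["time"]),
                             "host": ev["host"], "user": ev["user"],
                             "rule": name, "technique": technique,
                             "cmdline": ev["cmdline"]})
    return hits


def discovery_bursts(events, window_minutes=10, min_rules=3):
    """Hosts on which at least `min_rules` distinct rules fire within
    `window_minutes`. One systeminfo is routine; several different
    reconnaissance commands back to back is the pattern described above."""
    by_host = defaultdict(list)
    for hit in scan(events):
        by_host[hit["host"]].append(hit)
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h["time"])
        flagged = set()
        for i, first in enumerate(hits):
            names = {h["rule"] for h in hits[i:] if h["time"] - first["time"] <= window}
            if len(names) >= min_rules:
                flagged |= names
        if flagged:
            bursts[host] = sorted(flagged)
    return bursts


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(f'{hit["time"]:%H:%M:%S} {hit["host"]:10} {hit["technique"]:9} {hit["rule"]}')
    for host, rules in discovery_bursts(EVENTS).items():
        print(f"\nburst on {host}: {len(rules)} distinct techniques -> {rules}")
```

In the sample data the shadow-copy deletion and service stop on WS-FIN-07 fall outside the 10-minute discovery window and so are reported as individual hits rather than as part of the burst; in practice the T1490 rules deserve their own high-severity alert regardless of what preceded them, since by that point the encryptor is usually minutes away.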
Ryuk ransomware uses encryption to render files inaccessible, often as part of its tactic to cause significant disruption and pressure victims into paying the ransom.
The following command simulates the encryptor.exe tool encrypting the encfile.txt using AES encryption, rendering the file inaccessible to the victim.
# Process 1
Next, Rewind Process 1 deletes the encryptor.exe tool used for encryption from the temporary directory, simulating the attacker's attempt to erase evidence of their activities.
After the encryption, the Rewind Process 2 command deletes the encfile.txt file, simulating the final step of data destruction, or making it harder for the victim to recover the encrypted file.
# Rewind Process 1
Picus simulates these actions to test if security tools can detect and mitigate data encryption activities used for impact, helping organizations strengthen defenses against ransomware attacks.
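Whatever the encryptor binary is called, the impact phase described above has two observable side effects on the file system: files are rewritten with content that is statistically indistinguishable from random bytes, and they are renamed with the .ryk extension. The following is an added example, not Picus code or part of the original post. It computes the Shannon entropy of written data and pairs high-entropy writes with a subsequent .ryk rename by the same process, over constructed file events; the 7.5 bits-per-byte threshold, the 60-second window, the three-file minimum and the hosts, paths and process names are assumptions. The archive-writer case is included deliberately: compressed output is also high-entropy, so entropy on its own is not enough to alert.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RANSOM_EXTENSION = ".ryk"   # extension appended by Ryuk, as described above
ENTROPY_THRESHOLD = 7.5     # bits per byte; documents and code sit well below this
DATA_ENCRYPTED = "T1486"    # ATT&CK: Data Encrypted for Impact


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed file contents. Every byte value appears equally often in the
# ciphertext-like sample, so its entropy is exactly 8.0; the other is prose.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly revenue report. Revenue grew 4% year over year. " * 64
DOCS = r"C:\Users\j.doe\Documents"


def _ev(t, process, op, path, data=b"", new_path=None, host="WS-FIN-07"):
    return {"time": t, "host": host, "process": process, "op": op,
            "path": path, "data": data, "new_path": new_path}


# Constructed file-system telemetry: the encryptor rewrites three documents
# and renames each to .ryk; Word writes prose; 7-Zip writes a high-entropy
# archive but never renames, so entropy alone must not be enough to alert.
FILE_EVENTS = []
for i in range(3):
    doc = f"{DOCS}\\report{i}.docx"
    FILE_EVENTS.append(_ev(f"2024-05-01T11:00:{2 * i:02d}", "encryptor.exe", "write",
                           doc, CIPHERTEXT_LIKE))
    FILE_EVENTS.append(_ev(f"2024-05-01T11:00:{2 * i + 1:02d}", "encryptor.exe", "rename",
                           doc, new_path=doc + RANSOM_EXTENSION))
FILE_EVENTS += [
    _ev("2024-05-01T11:30:00", "winword.exe", "write", f"{DOCS}\\notes.docx", PLAINTEXT),
    _ev("2024-05-01T11:31:00", "7z.exe", "write", f"{DOCS}\\archive.7z", CIPHERTEXT_LIKE),
]


def flag_encryptors(events, window=timedelta(seconds=60), min_files=3):
    """Return {(host, process): [paths]} for processes that rewrote at least
    `min_files` files with high-entropy content and renamed each one to
    the ransom extension within `window` of the write."""
    writes = defaultdict(dict)   # (host, process) -> {path: time of high-entropy write}
    flagged = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["process"])
        t = datetime.fromisoformat(ev["time"])
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            writes[key][ev["path"]] = t
        elif ev["op"] == "rename" and ev["new_path"].lower().endswith(RANSOM_EXTENSION):
            wrote = writes[key].get(ev["path"])
            if wrote is not None and t - wrote <= window:
                flagged[key].add(ev["path"])
    return {k: sorted(v) for k, v in flagged.items() if len(v) >= min_files}


if __name__ == "__main__":
    for (host, process), paths in flag_encryptors(FILE_EVENTS).items():
        print(f"{DATA_ENCRYPTED} {host} {process}: {len(paths)} files encrypted -> {paths}")
```

Because the check is keyed on behaviour rather than on a file hash or process name, it still fires if the encryptor is renamed or repacked; the trade-off is that it needs write-content sampling from the endpoint agent, which not every EDR exposes.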
The Picus Security Validation Platform safely simulates Ryuk Ransomware’s techniques using its continuously updated Threat Library, identifying blind spots across EDRs, NGFWs, and SIEMs before attackers can exploit them.
You can also test your defenses against hundreds of other ransomware variants, such as Medusa, Rhysida, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 35849 | Trickbot Dropping Cobalt Strike Campaign | Windows Endpoint |
| 28380 | Ryuk Ransomware Campaign | Windows Endpoint |
| 62932 | Trickbot Malware Campaign | Windows Endpoint |
| 72707 | Trickbot Targeting HPH Sector Campaign | Windows Endpoint |
| 56556 | SystemBC RAT Email Threat | Email Infiltration |
| 39619 | Ryuk Ransomware Email Threat | Email Infiltration |
| 31789 | SystemBC RAT Download Threat | Network Infiltration |
| 55678 | Ryuk Ransomware Download Threat | Network Infiltration |