




Ryuk Ransomware Analysis


The Ryuk ransomware was first discovered in August 2018. Behind it is the Russian hacker team GrimSpider, a cybercrime organization that uses Ryuk ransomware to attack significant businesses and organizations. Security analysts find that Ryuk ransomware is primarily used to distribute other malicious software like Emotet or TrickBot Bank Trojans via network attacks. Emotet and TrickBot Bank Trojans are primarily used to extract login data from the victim’s bank website.


Ryuk is a form of crypto-ransomware that uses encryption to restrict access to a program, device, or document until a ransom is paid. Ryuk is often dropped onto the system by other malware, most prominently TrickBot, or gains access to the system through Remote Desktop Services. Ryuk demands payment in Bitcoin and orders victims to transfer the ransom to a particular Bitcoin wallet.

Anatomy of Attack

Ryuk ransomware is more powerful than its successor. It attacks large corporations and government departments that end up paying huge sums of money. The reality is that, without great incentives, carrying out Ryuk attacks is not viable. An attack requires a high degree of manual processing (direct exploitation, payment requests managed via email, etc.), and attackers would not want to spend that much time if the return on investment is not significant.

How Does Ryuk Work?

Ryuk ransomware is not really the start but the culmination of an infection cycle. This is ransomware that comes into existence, little by little, and when it hits, it’s devastating.

Step 1

It all begins with a phishing email, a visit to a sketchy website, or a click on a random popup. Bots like TrickBot and Emotet provide easy access to the victim’s network. Emotet and TrickBot continue to expand laterally through the network and execute Ryuk ransomware. Essentially, there is a lag between the propagation of the bots and the deployment of Ryuk. This delay helps Emotet and TrickBot access classified information, leaving organizations unstable long before Ryuk strikes.

Airgap Defense: Zero Trust Isolation technology by Airgap prevents any lateral scanning attempt. Under Zero Trust, if an intruder breaches the perimeter controls, exploits a misconfiguration, or bribes an insider, they will have extremely restricted access to sensitive data, and safety measures would be in place to identify and respond to suspicious data access before it becomes a threat.

Step 2

When Ryuk ransomware is deployed, it tests whether the system is suitable for it. The dropped ransomware binary operates on a predetermined algorithm. The dropper identifies the system architecture and activates the matching module (32-bit or 64-bit). Depending on the result, the malware version that suits the system is dropped and run using ShellExecuteW.

Step 3

If an intruder identifies an appropriate system, two files are added to the subfolder within the directory:

PUBLIC: RSA Public Key


This is where the encryption cycle begins.

Ryuk uses the RSA and AES encryption algorithms, with three keys for encryption. A private global RSA key is used by cyber threat actors (CTAs) as the basis for their model. The second RSA key is supplied to the system via the main payload. This RSA key is already encrypted with the private global RSA key issued by the CTA. When the malware is ready for encryption, an AES key is produced for the victim’s files, and this key is encrypted with the second RSA key. Ryuk then scans and encrypts every drive and network share on the system.

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks any lateral scanning attempt and presents the responses as if none of the members are present on the network.

Step 4

Ryuk injects its code into various remote processes, and thus the aggressive cleanup begins. It generates a preconfigured list of 40 processes and 180 services that are terminated using taskkill and net stop commands. Those include databases, antivirus tools, backups, and other applications.
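The burst of taskkill and net stop commands described in Step 4 is a detectable signal in process-creation logs. The following is an added example, not part of the original article or any Airgap product: a Python sketch that flags a host stopping many distinct services or processes within a short window. The event format, host names, service and image names, the 60-second window and the threshold of 5 are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for the two utilities named in Step 4.
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.I)
TASKKILL = re.compile(r'\btaskkill(?:\.exe)?"?\s.*?/im\s+"?([^"\s]+)', re.I)

def parse_target(cmdline):
    """Return ('service'|'process', name) when the command stops something, else None."""
    m = NET_STOP.search(cmdline)
    if m:
        return ("service", m.group(1).strip().lower())
    m = TASKKILL.search(cmdline)
    return ("process", m.group(1).lower()) if m else None

def detect_mass_stop(events, window=timedelta(seconds=60), threshold=5):
    """events: (iso_timestamp, host, command_line) tuples from process-creation logs.
    Flags hosts that stop >= threshold distinct targets inside one sliding window
    (window and threshold are assumed values; tune them to the environment)."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        target = parse_target(cmd)
        if target:
            per_host[host].append((datetime.fromisoformat(ts), target))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            distinct = {t for _, t in hits[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[host] = sorted(distinct)
                break
    return alerts

# Constructed sample events (hosts, service and image names are made up).
SAMPLE_EVENTS = [
    ("2020-01-01T10:00:00", "FS01", 'net stop "ExampleSqlSvc" /y'),
    ("2020-01-01T10:00:02", "FS01", r'C:\Windows\System32\net.exe stop ExampleBackupSvc /y'),
    ("2020-01-01T10:00:03", "FS01", "taskkill /IM exampledb.exe /F"),
    ("2020-01-01T10:00:05", "FS01", "taskkill /F /IM exampleav.exe"),
    ("2020-01-01T10:00:06", "FS01", "net stop ExampleAvSvc /y"),
    ("2020-01-01T09:00:00", "WS07", "net stop Spooler"),          # routine admin action
    ("2020-01-01T13:30:00", "WS07", "taskkill /IM notepad.exe"),  # hours later, same host
    ("2020-01-01T13:31:00", "WS07", "netstat -ano"),              # not a stop command
]

if __name__ == "__main__":
    for host, targets in detect_mass_stop(SAMPLE_EVENTS).items():
        print(host, "stopped", len(targets), "targets:", targets)
```

Counting distinct targets rather than raw commands keeps a retry loop against one service from triggering the alert, while the isolated stop commands on WS07 stay below the threshold.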

Step 5

Finally, the ransom note will be produced and put in every folder on the system. The ransom payment is solely reliant on the targeted organization’s size and value.

About Airgap Networks

Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent pending Zero Trust Isolation platform assures threat propagation protection. Airgap’s solution can be deployed in minutes, not months. Visit airgap.io to learn more or to schedule a demo.


© 2020 Airgap Networks, Inc.