{
	"id": "3587bd2b-c659-4a36-bb6c-ab09a4cea64f",
	"created_at": "2026-04-06T00:06:17.20853Z",
	"updated_at": "2026-04-10T03:22:06.826557Z",
	"deleted_at": null,
	"sha1_hash": "11bafc08783739895780e1cff70a1539b2ee6671",
	"title": "From Infection to Encryption: Tracing the Impact of RYUK Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5030888,
	"plain_text": "From Infection to Encryption: Tracing the Impact of RYUK Ransomware\r\nBy Shayan Ahmed Khan\r\nPublished: 2024-04-20 · Archived: 2026-04-05 13:48:28 UTC\r\nRyuk ransomware is a well-known and destructive piece of malware that was first seen in mid-2018 and has been active since. Multiple Ryuk variants keep surfacing on different platforms and in sandboxes. Ryuk targets critical organisations, notably in healthcare and finance.\r\nhttps://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c\r\nPage 1 of 23\r\nThe Ryuk name likely comes from the popular anime “Death Note”.\r\nOverview\r\nRyuk uses fast multi-threaded encryption, injects itself into many running processes and creates persistence so that it runs again at every logon. Combined, these make RYUK ransomware very dangerous.\r\nThe initial dropper extracts the Ryuk payload and executes it, passing its own path as a parameter. Ryuk takes that parameter, first deletes the dropper, then creates persistence by adding itself to the Run registry key. 
The next step is to inject itself into all available processes, with only a handful of exceptions. Finally, it runs a multi-threaded encryptor that combines AES and RSA to encrypt files quickly, and it leaves a ransom note in every directory.\r\nCheck out my GitHub repo for the Malware Analysis series.\r\nInitial Detonation:\r\nThe initial detonation shows the dropper extracting the stage2 malware, which in turn makes changes to the registry, as shown by the process tree in the screenshot below:\r\nSome time after the initial detonation I received multiple UAC prompts asking to grant cmd admin privileges, because I had not executed the initial dropper with admin privileges. From the process tree and the UAC prompt requests I found the path to which the stage2 RYUK ransomware and another malicious bat file were extracted by the malware.\r\nSome files were created in the “Users\\Public” folder with hidden attributes.\r\nStage1: Dropper\r\nStatic analysis of the dropper turned up many suspicious strings, which are actually part of its second-stage payload, so I will not list those strings here; instead I will describe the steps the stage1 dropper performs during execution.\r\nChecks Windows version: and decides the path for extracting the stage2 malware\r\nSelects a random 5-letter word: and appends .exe to it\r\nCreates the file: with CreateFileW on the selected path, using the 5-letter name\r\nChecks the architecture: to extract the matching stage2 malware from its data section\r\nExecutes stage2: with ShellExecuteW\r\nStage2: RYUK Ransomware\r\nThe first thing I always look for in a malware sample is the strings from simple static analysis. 
If I find any interesting strings, I base my advanced static and dynamic analysis on them. Some of the interesting strings I found are provided below:\r\nStatic Strings:\r\nPersistence:\r\nThe first thing RYUK checks is whether a parameter was passed to it at execution. The parameter is the path of the Ryuk dropper, and Ryuk deletes the dropper to avoid suspicion.\r\nThe next step is persistence. Ryuk adds persistence by abusing the well-known Run registry keys, which execute the payload at every logon of that user (HKCU Run values fire at logon, not at boot). It builds a command containing its own path and runs it through cmd:\r\n“C:\\Windows\\System32\\cmd.exe” /C REG ADD “HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” /v “svchos” /t REG_SZ /d “C:\\users\\Public\\yxrNV.exe” /f\r\nThe command above is executed to achieve persistence. 
At every logon the stage2 malware is executed from the Public folder.\r\nThe value name it registers under the Run key is “svchos” (an svchost look-alike), as can be seen in the screenshot below:\r\nPrivilege Escalation:\r\nRyuk relies on social engineering to be executed with admin privileges from the start, and then performs token manipulation: it enables “SeDebugPrivilege” on its own token so that it can open and inject into higher-privileged processes. AdjustTokenPrivileges cannot grant a privilege the token does not already hold; it only switches on a privilege that an administrator's token carries disabled by default, which is why the sample has to be running elevated in the first place.\r\nIt resolves the LUID of “SeDebugPrivilege” with “LookupPrivilegeValueW” and then adjusts the current token to enable it, as shown in the code snippet below:\r\nProcess Enumeration:\r\nRyuk enumerates all running processes, recording their integrity level, PID and other useful information in an array. It uses the standard Toolhelp enumeration APIs:\r\nCreateToolhelp32Snapshot\r\nProcess32FirstW\r\nProcess32NextW\r\nProcess Injection:\r\nRyuk injects itself into every process it enumerated except a few, which it skips so that the system stays usable:\r\nlsass.exe\r\nexplorer.exe\r\ncsrss.exe\r\nIt uses the basic process-injection APIs:\r\n1. VirtualAllocEx\r\n2. WriteProcessMemory\r\n3. CreateRemoteThread\r\nThe injection speeds the attack up because a copy of Ryuk runs inside every process it has injected. 
In the screenshot below we can see that in “sihost” the ransomware has been injected by creating a READ, WRITE and EXECUTE (RWX) memory region containing a binary, identified by the starting bytes 4D 5A (MZ).\r\nI dumped this shellcode to a bin file and started analyzing it separately. Because it was dumped from memory it does not run simply by double-clicking the binary: the dump is in the mapped (virtual) layout, with sections placed at their virtual addresses rather than their raw file offsets, so the headers no longer describe the file on disk.\r\nTo recover the exe I used pe_unmapper, a tool by hasherezade that converts a memory-mapped PE back into its raw file layout.\r\nI dumped the region, unmapped it with pe_unmapper and loaded it again in IDA. It was the same RYUK ransomware that I am analyzing, as can be seen from the PDB info in IDA. Ryuk injects a copy of itself into all these processes.\r\nTo continue my analysis I had to skip over the process injection phase to actually reach the encryptor. So I did the easiest thing: patched the binary and skipped the call to the process injection function.\r\nI found the call to the process injection function and its hex bytes in the binary. 
One useful thing about IDA is that it keeps the disassembly and the hex view mapped side by side, so I can see exactly which bytes make up the call to the process injection function and patch them to no-operation bytes.\r\nIn the example above, the bytes E8 20 06 00 00 are the near call (opcode E8 followed by a 32-bit relative displacement) to the process injection subroutine. The instruction is five bytes long, so it is replaced with five NOPs, 90 90 90 90 90; patching a sixth byte would clobber the start of the next instruction. Whenever Ryuk enumerates processes and tries to inject itself, it now simply skips the injection and moves on to further activity such as encryption. Two caveats when NOPing a call this way: the return value in EAX is whatever earlier code left there, so if the caller tests it that check must be patched or stepped over as well; and if the callee removes its own arguments (stdcall, ret N), the arguments pushed before the call stay on the stack, so check the calling convention before declaring the patch safe.\r\nEncryption:\r\nThe encryption routine starts by resolving all the APIs it needs at run time, because the encryptor is heavily obfuscated: those functions do not appear in the import table. Rather than static analysis, dynamic analysis reveals the APIs used by the malware easily, as shown in the screenshot below:\r\nFinding these APIs by debugging one by one is very tedious, so I just executed the patched malware (without the injection code) under the tiny_tracer tool by hasherezade. 
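For the patch itself, a small helper that decodes the E8 rel32 call, confirms where it goes before touching anything, and writes the five NOPs. This is an added example and not code from the original post or from the sample: the instruction bytes, the load address 0x401000 and the target address are constructed for the example, not taken from the Ryuk binary.

```python
import struct

CALL_OPCODE = 0xE8          # near call with a signed 32-bit displacement
CALL_LEN = 5                # opcode + 4-byte displacement
NOP = 0x90

def call_target(code, off, base_va):
    '''Absolute VA called by the E8 instruction at code[off].
    base_va is the VA of code[0]; the displacement is relative to the
    address of the instruction that follows the call.'''
    if code[off] != CALL_OPCODE:
        raise ValueError('no E8 at offset 0x%x' % off)
    rel = struct.unpack_from('<i', code, off + 1)[0]
    return base_va + off + CALL_LEN + rel

def find_calls_to(code, base_va, target_va):
    '''Offsets of every E8 rel32 whose target is target_va. A byte-wise scan
    is a heuristic (an E8 may be data or part of another instruction), which
    is why the decoded target is checked rather than the opcode alone.'''
    hits = []
    for off in range(len(code) - CALL_LEN + 1):
        if code[off] == CALL_OPCODE and call_target(code, off, base_va) == target_va:
            hits.append(off)
    return hits

def nop_call(code, off, base_va, expected_target):
    '''Replace the call at off with five NOPs, but only if it really calls
    expected_target. Returns a patched copy; the input is left untouched.'''
    if call_target(code, off, base_va) != expected_target:
        raise ValueError('call at 0x%x does not target 0x%x' % (off, expected_target))
    patched = bytearray(code)
    patched[off:off + CALL_LEN] = bytes([NOP] * CALL_LEN)
    return bytes(patched)

# Constructed sample (not from the Ryuk binary): a tiny x86 function at
# VA 0x401000 that calls a routine 0x620 bytes further on.
#   55              push ebp
#   8B EC           mov  ebp, esp
#   E8 20 06 00 00  call +0x620
#   33 C0           xor  eax, eax
#   5D              pop  ebp
#   C3              ret
SAMPLE_BASE_VA = 0x401000
SAMPLE_CODE = bytes.fromhex('55 8B EC E8 20 06 00 00 33 C0 5D C3')
INJECT_VA = 0x401628        # 0x401000 + 3 (offset of the call) + 5 + 0x620

def demo():
    '''Locate the call to INJECT_VA and NOP it; returns (offsets, patched bytes).'''
    offs = find_calls_to(SAMPLE_CODE, SAMPLE_BASE_VA, INJECT_VA)
    patched = nop_call(SAMPLE_CODE, offs[0], SAMPLE_BASE_VA, INJECT_VA)
    return offs, patched

if __name__ == '__main__':
    offs, patched = demo()
    print('call(s) at', [hex(o) for o in offs])
    print('patched  :', patched.hex(' '))
```

Checking the decoded target against the address IDA shows for the injection routine is what makes this safe to run over a whole code section: a stray E8 byte inside data decodes to some target, but not to that one.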
tiny_tracer automatically detects and logs every API the malware calls, as shown in the screenshot below:\r\nMost of the interesting APIs used by the malware and imported at run time are listed below:\r\nCryptExportKey\r\nDeleteFileW\r\nGetDriveTypeW\r\nGetCommandLineW\r\nGetStartupInfoW\r\nFindNextFileW\r\nVirtualAlloc\r\nGetUserNameA\r\nExitProcess\r\nCreateProcessA\r\nGetIpNetTable\r\nReadFile\r\nRegQueryValueExA\r\nRegSetValueExW\r\nCopyFileA\r\nSetFileAttributesW\r\nWinExec\r\nCryptDeriveKey\r\nCryptGenKey\r\nSleep\r\nGetCurrentProcess\r\nShellExecuteW\r\nGetFileSize\r\nGetModuleFileNameA\r\nCreateFileA\r\nGetFileSizeEx\r\nWriteFile\r\nGetLogicalDrives\r\nWNetEnumResourceW\r\nRegOpenKeyExW\r\nWNetCloseEnum\r\nGetWindowsDirectoryW\r\nGetTickCount\r\nFindFirstFileW\r\nCryptAcquireContextW\r\nMoveFileExW\r\nCryptDecrypt\r\nCryptImportKey\r\nCreateProcessW\r\nCreateThread\r\nCryptDestroyKey\r\nCoCreateInstance\r\nCryptEncrypt\r\nRegDeleteValueW\r\nThe encryptor uses AES-256 to encrypt all files. The CryptAcquireContextW call is made with the arguments AES_unique (the key container) and Microsoft Enhanced RSA and AES Cryptographic Provider (the provider). The provider name only shows that an AES-capable CSP is in use; the actual algorithm and key length are selected by the ALG_ID passed to CryptGenKey (CALG_AES_256 for a 256-bit key).\r\nThe RYUK encryptor does the following:\r\nAcquires a context from the AES-capable provider\r\nUses FindFirstFileW and FindNextFileW to enumerate files\r\nWrites a ransom note in every directory it enumerates\r\nStarts a new thread for each file to be encrypted\r\nGenerates a fresh random key for every file, encrypts the file with it, then appends the HERMES marker and the meta block to the end of the file. 
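The footer described in the last step (ciphertext, then the ASCII marker HERMES, then the meta block holding the wrapped per-file key) is simple enough to parse, and the same check lets a responder tell which files on a host have already been touched. The triage parser below is an added example, not code from the original post or from the malware. It assumes a fixed-size meta block laid out as a CryptoAPI SIMPLEBLOB (8-byte BLOBHEADER, 4-byte ALG_ID of the wrapping key, then the RSA-encrypted AES key, 256 bytes for a 2048-bit RSA key), which is the format CryptExportKey produces and is consistent with the CryptExportKey/CryptImportKey pair in the API list above; the blob size and the exact Ryuk layout are assumptions, so the size is a parameter. The sample file contents are constructed and no real encryption takes place.

```python
import os
import struct
import tempfile

MARKER = b'HERMES'
# CryptoAPI constants (wincrypt.h) used to sanity-check the key blob header.
SIMPLEBLOB = 0x01
CUR_BLOB_VERSION = 0x02
CALG_AES_256 = 0x6610
CALG_RSA_KEYX = 0xA400
RSA2048_BYTES = 256
# Assumed footer size: BLOBHEADER(8) + ALG_ID(4) + wrapped key. The real
# Ryuk blob length is not given in the write-up, hence the parameter below.
DEFAULT_BLOB_LEN = 8 + 4 + RSA2048_BYTES

def parse_footer(data, blob_len=DEFAULT_BLOB_LEN):
    '''Describe the HERMES footer at the end of data, or return None.
    Assumed layout: ... | MARKER | key blob (blob_len bytes).'''
    if blob_len < 12:
        raise ValueError('blob_len must cover BLOBHEADER and ALG_ID')
    tail_len = len(MARKER) + blob_len
    if len(data) < tail_len:
        return None
    marker_off = len(data) - tail_len
    if data[marker_off:marker_off + len(MARKER)] != MARKER:
        return None
    blob = data[marker_off + len(MARKER):]
    btype, bver, _reserved, key_alg = struct.unpack_from('<BBHI', blob, 0)
    wrap_alg = struct.unpack_from('<I', blob, 8)[0]
    return {
        'marker_off': marker_off,
        'blob_ok': btype == SIMPLEBLOB and bver == CUR_BLOB_VERSION,
        'key_alg': key_alg,        # algorithm of the wrapped key (expect CALG_AES_256)
        'wrap_alg': wrap_alg,      # algorithm that wrapped it (expect CALG_RSA_KEYX)
        'wrapped_key': blob[12:],  # only the attacker's RSA private key opens this
    }

def should_encrypt(data):
    '''The encryptor's own pre-check, mirrored: a file that already carries
    the footer is skipped so it is never encrypted twice.'''
    return parse_footer(data) is None

def fake_encrypted(plaintext):
    '''Constructed sample only: the body is left in clear, but the footer is a
    well-formed SIMPLEBLOB so the parser has something to read. The wrapped
    key bytes are a dummy pattern.'''
    header = struct.pack('<BBHI', SIMPLEBLOB, CUR_BLOB_VERSION, 0, CALG_AES_256)
    wrap = struct.pack('<I', CALG_RSA_KEYX)
    return plaintext + MARKER + header + wrap + bytes(range(256))

def has_footer(path, blob_len=DEFAULT_BLOB_LEN):
    '''Read only the tail of a file, which keeps a full-disk sweep cheap.'''
    tail = len(MARKER) + blob_len
    with open(path, 'rb') as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        return parse_footer(fh.read(), blob_len) is not None

def scan_tree(root):
    '''Paths under root whose files carry the footer, sorted.'''
    hits = []
    for d, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            if has_footer(p):
                hits.append(p)
    return sorted(hits)

def demo():
    '''Write one marked and one clean file into a temp dir and sweep it;
    returns (number of marked files, key_alg read from the marked one).'''
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, 'report.docx'), 'wb') as fh:
            fh.write(fake_encrypted(b'quarterly numbers'))
        with open(os.path.join(tmp, 'notes.txt'), 'wb') as fh:
            fh.write(b'nothing to see here')
        hits = scan_tree(tmp)
        with open(hits[0], 'rb') as fh:
            info = parse_footer(fh.read())
        return len(hits), info['key_alg']

if __name__ == '__main__':
    print(demo())
```

Because the marker sits at a fixed distance from the end, the sweep reads only the last few hundred bytes of each file; a file shorter than the footer cannot be marked and is reported clean. If a real sample turns out to use a different blob size, only DEFAULT_BLOB_LEN changes.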
The meta is the per-file AES key encrypted with the attacker's RSA public key, which is embedded in the malware; without the matching private key the file key cannot be recovered.\r\nThe encryption routine starts by checking whether the input file already has the keyword HERMES and the meta appended at the end. If the marker is present it skips the file, so no file is encrypted twice, as shown in the screenshot below:\r\nRYUK uses the same encryptor as HERMES ransomware, as can be seen in the provided code snippets. The delivery, persistence and continuous injection differ, but the encryptor function is that of HERMES.\r\nNetwork Enumeration:\r\nRyuk looks for any reachable network shares and passes their paths to its encryptor. It uses the WNetOpenEnumW API for network share enumeration, as can be seen in the tiny_tracer logs.\r\nDelete Backups:\r\nRyuk removes shadow copies and recovery options by writing a bat file and running it as admin. If the malware is executed without admin privileges, it prompts the user for them (the UAC prompts seen during detonation). The script deletes all shadow copies, shrinks the shadow storage, deletes backup files by extension, and finally deletes itself. The extracted script for deleting shadow copies is provided below:\r\nService Stop:\r\nAnother interesting thing I found in RYUK is a set of embedded strings showing that it stops certain services and kills many processes. 
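The command lines recorded in this write-up so far (the cmd /C REG ADD persistence line, the vssadmin, del, net stop and taskkill strings from the backup-deletion script and the YARA rules at the end, and the random 5-letter exe name the dropper writes to the Public folder) are enough to build a process-creation detection. The rules below and the events they run over are an added example, constructed for this page and not taken from the original post or from real telemetry; the event shape (image path plus command line) is a simplified stand-in for a Sysmon event ID 1 or Security 4688 record.

```python
import re

BS = chr(92)  # the backslash character, used to assemble Windows paths

def winpath(*parts):
    return BS.join(parts)

SYS32 = winpath('C:', 'Windows', 'System32')
PUBLIC_EXE = winpath('C:', 'users', 'Public', 'yxrNV.exe')
RUN_KEY = winpath('HKEY_CURRENT_USER', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')

# Constructed process-creation events (not real logs). Events 8 and 9 are
# benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {'id': 1, 'image': winpath(SYS32, 'cmd.exe'),
     'cmdline': 'cmd.exe /C REG ADD ' + RUN_KEY + ' /v svchos /t REG_SZ /d ' + PUBLIC_EXE + ' /f'},
    {'id': 2, 'image': winpath(SYS32, 'vssadmin.exe'), 'cmdline': 'vssadmin Delete Shadows /all /quiet'},
    {'id': 3, 'image': winpath(SYS32, 'vssadmin.exe'),
     'cmdline': 'vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB'},
    {'id': 4, 'image': winpath(SYS32, 'cmd.exe'),
     'cmdline': 'cmd.exe /c del /s /f /q ' + winpath('c:', '*.VHD') + ' ' + winpath('c:', '*.bak') + ' ' + winpath('c:', '*.bkf')},
    {'id': 5, 'image': winpath(SYS32, 'net.exe'), 'cmdline': 'net stop Antivirus /y'},
    {'id': 6, 'image': winpath(SYS32, 'taskkill.exe'), 'cmdline': 'taskkill /IM excel.exe /F'},
    {'id': 7, 'image': PUBLIC_EXE,   # stage2 started with the dropper path as its argument
     'cmdline': PUBLIC_EXE + ' ' + winpath('C:', 'Users', 'bob', 'Downloads', 'invoice.exe')},
    {'id': 8, 'image': winpath(SYS32, 'vssadmin.exe'), 'cmdline': 'vssadmin list shadows'},
    {'id': 9, 'image': winpath(SYS32, 'reg.exe'), 'cmdline': 'reg query ' + RUN_KEY},
]

RUN_KEY_TAIL = winpath('currentversion', 'run')
PUBLIC_DIR = winpath('users', 'public') + BS
BACKUP_EXT = ('.vhd', '.bac', '.bak', '.wbcat', '.bkf')

def public_five_letter_exe(path):
    '''Dropper naming from the write-up: a random 5-letter name plus .exe
    written under the Public user folder (yxrNV.exe in the analysed sample).'''
    low = path.lower()
    if PUBLIC_DIR not in low:
        return False
    name = low.rsplit(BS, 1)[-1]
    return re.fullmatch('[a-z]{5}[.]exe', name) is not None

def classify(event):
    '''List of TTP tags the event matches (empty when none).'''
    c = ' '.join(event['cmdline'].lower().split())   # collapse whitespace, ignore case
    tags = []
    if 'reg add' in c and RUN_KEY_TAIL in c and PUBLIC_DIR in c:
        tags.append('persistence.run_key_public_dir')
    if 'vssadmin' in c and 'delete shadows' in c:
        tags.append('impact.shadow_copies_deleted')
    if 'vssadmin' in c and 'resize shadowstorage' in c:
        tags.append('impact.shadow_storage_resized')
    if 'del /s /f /q' in c and any(ext in c for ext in BACKUP_EXT):
        tags.append('impact.backup_files_deleted')
    if 'net stop' in c and c.endswith('/y'):
        tags.append('impact.service_stopped_forced')
    if 'taskkill' in c and '/im' in c and '/f' in c.split():
        tags.append('impact.process_killed')
    if public_five_letter_exe(event['image']):
        tags.append('execution.five_letter_exe_in_public')
    return tags

def run(events):
    '''Map event id to its tags for every event that matched at least one rule.'''
    out = {}
    for e in events:
        tags = classify(e)
        if tags:
            out[e['id']] = tags
    return out

if __name__ == '__main__':
    for event_id, tags in run(SAMPLE_EVENTS).items():
        print(event_id, tags)
```

No single rule here is high-confidence on its own (administrators do run vssadmin and net stop), which is why the output is a set of tags per event: several of them from one process tree within a short window is the signal worth paging on. The substring matching is deliberately plain; a production rule would parse the command line into arguments and normalise quoting and 8.3 short names before matching.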
That service-stopping behaviour did not show up in the sample I analyzed, but it is also a TTP to look out for. The list of services and processes it kills is provided below:\r\nThese are only a few of the services and processes listed above.\r\nYARA Rule:\r\nrule Ryuk_Ransomware_Dropper {\r\n    meta:\r\n        description = \"Ryuk Ransomware dropper hunting rule\"\r\n        author = \"Shayan Ahmed Khan - shaddy43\"\r\n        date = \"22-11-2023\"\r\n        rule_version = \"v1\"\r\n        malware_type = \"ransomware\"\r\n        malware_family = \"\"\r\n        actor_group = \"\"\r\n        reference = \"\"\r\n        hash = \"23F8AA94FFB3C08A62735FE7FEE5799880A8F322CE1D55EC49A13A3F85312DB2\"\r\n    strings:\r\n        $s1 = \"\\\\Documents and Settings\\\\Default User\" wide\r\n        $s2 = \"\\\\users\\\\Public\\\\\" wide\r\n        // PDB path; the string is cut off in the source and matches as a prefix\r\n        $s3 = \"C:\\\\Users\\\\Admin\\\\Documents\\\\Visual Studio 2015\\\\Projects From Ryuk\\\\ConsoleApplication5\" ascii\r\n        $s4 = \"vssadmin Delete Shadows /all /quiet\" ascii\r\n        $s5 = \"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\" ascii\r\n        // cut off in the source; matches as a prefix\r\n        $s6 = \"del /s /f /q c:\\\\*.VHD c:\\\\*.bac c:\\\\*.bak c:\\\\*.wbcat c:\\\\*.bkf c:\\\\Backup*.* c:\\\\backu\" ascii\r\n        $s7 = \"stop Antivirus /y\" fullword ascii\r\n        $s8 = \"/IM excel.exe /F\" fullword ascii\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and filesize \u003c 400KB and 4 of them ) or\r\n        ( all of them )\r\n}\r\nrule Ryuk_Ransomware {\r\n    meta:\r\n        description = \"Ryuk Ransomware hunting rule\"\r\n        author = \"Shayan Ahmed Khan - shaddy43\"\r\n        date = \"22-11-2023\"\r\n        rule_version = \"v1\"\r\n        malware_type = \"ransomware\"\r\n
        malware_family = \"\"\r\n        actor_group = \"\"\r\n        reference = \"\"\r\n        hash = \"8B0A5FB13309623C3518473551CB1F55D38D8450129D4A3C16B476F7B2867D7D\"\r\n    strings:\r\n        // PDB path; the string is cut off in the source and matches as a prefix\r\n        $s1 = \"C:\\\\Users\\\\Admin\\\\Documents\\\\Visual Studio 2015\\\\Projects From Ryuk\\\\ConsoleApplicatio\" ascii\r\n        $s2 = \"AdjustTokenPrivileges\" fullword ascii\r\n        $s3 = \"vssadmin Delete Shadows /all /quiet\" ascii\r\n        $s4 = \"vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\" ascii\r\n        // cut off in the source; matches as a prefix\r\n        $s5 = \"del /s /f /q c:\\\\*.VHD c:\\\\*.bac c:\\\\*.bak c:\\\\*.wbcat c:\\\\*.bkf c:\\\\Backup*.* c:\\\\bac\" ascii\r\n        $s6 = \"stop Antivirus /y\" fullword ascii\r\n        $s7 = \"/IM excel.exe /F\" fullword ascii\r\n        $s8 = \"System32\\\\cmd.exe\" wide\r\n        $s9 = \"/C REG ADD \\\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\"\" wide\r\n        $s10 = \"SeDebugPrivilege\" fullword wide\r\n        $s11 = \"\\\\Documents and Settings\\\\Default User\\\\finish\" wide\r\n        $s12 = \"\\\\users\\\\Public\\\\finish\" wide\r\n        $s13 = \"csrss.exe\" fullword wide\r\n        $s14 = \"explorer.exe\" fullword wide\r\n        $s15 = \"lsass.exe\" fullword wide\r\n        $s16 = \"\\\\Documents and Settings\\\\Default User\\\\sys\" wide\r\n        $s17 = \"\\\\users\\\\Public\\\\sys\" wide\r\n        $s18 = \"UNIQUE_ID_DO_NOT_REMOVE\" wide\r\n        $s19 = \"\\\\users\\\\Public\\\\window.bat\" wide\r\n        $s20 = \"HERMES\" wide\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and filesize \u003c 200KB and 8 of them ) or\r\n        ( all of them )\r\n}\r\nSource: https://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@shaddy43/from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c"
	],
	"report_names": [
		"from-infection-to-encryption-tracing-the-impact-of-ryuk-ransomware-64bd8656781c"
	],
	"threat_actors": [],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11bafc08783739895780e1cff70a1539b2ee6671.pdf",
		"text": "https://archive.orkl.eu/11bafc08783739895780e1cff70a1539b2ee6671.txt",
		"img": "https://archive.orkl.eu/11bafc08783739895780e1cff70a1539b2ee6671.jpg"
	}
}