{
	"id": "1444664c-4276-45ec-a03d-3ce46de9829a",
	"created_at": "2026-04-06T00:11:43.103687Z",
	"updated_at": "2026-04-10T13:11:48.866329Z",
	"deleted_at": null,
	"sha1_hash": "f765ff20613eb4759204601853b3eea4544bd205",
	"title": "REvil, Ryuk and Tycoon Ransomware: How They Work and How to Defend Against Them",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 61274,
	"plain_text": "REvil, Ryuk and Tycoon Ransomware: How They Work and How to Defend Against Them\r\nArchived: 2026-04-05 13:09:56 UTC\r\nIt is the Tuesday morning after a long weekend. You come into work early to catch up on email, only to find that you are completely locked out. You have been hit by a ransomware attack. You ask yourself, “What happened? And how do I fix it?”\r\nThis post will explore three of the most significant ransomware families of 2020: Tycoon, Ryuk and REvil. After discussing how each strain works, we’ll share some best practices that organizations can use to defend themselves against a ransomware infection.\r\nTycoon\r\nTycoon is packaged in the Java image (JIMAGE) format and is deployed inside a trojanized build of the Java Runtime Environment (JRE), an unusual delivery method that is rarely seen in ransomware. Tycoon typically gains its initial foothold through an insecure, Internet-exposed RDP server. Once inside the network, it disables anti-malware software so that it can remain undetected until the encryption is finished.\r\nThis crypto-malware strain has been active since December 2019. Because it runs on the JRE, Tycoon can be used against both Windows and Linux systems; it has primarily targeted small- and medium-sized businesses (SMBs) in the software and education sectors. It is believed that Tycoon may be linked to Dharma (CrySIS), based on similarities in the naming conventions and email addresses used.\r\nAccording to TechRadar, Tycoon has a very limited number of victims because of its narrow targeting. Early versions of Tycoon reused the same RSA key pair across victims, so a private key purchased from one victim could decrypt the files of others, and some victims recovered their data this way. More recent versions no longer reuse keys, so this is no longer possible.\r\nRyuk\r\nRyuk works in two parts. The first is a dropper that places the Ryuk payload onto the system. 
The second is an executable payload that carries out the encryption. Part of the payload’s job is to delete the dropper from the system so that it cannot be retrieved and analyzed.\r\nUnlike most other ransomware, Ryuk does not have an extensive allow list of files and folders that it leaves alone in order to keep the system running. The only file extensions Ryuk exempts from encryption are exe, dll and hrmlog, plus a handful of folders such as Windows, Microsoft and Chrome. The problem is that files with the sys extension are not exempted; encrypting those driver files can destabilize the system and potentially crash it.\r\nRyuk has been active since August 2018 and is operated by a Russia-based eCrime group tracked by CrowdStrike as Wizard Spider. Wizard Spider has aimed Ryuk exclusively at large organizations capable of paying high ransoms, which has made Ryuk one of the most profitable ransomware families to date; according to ZDNet, the average Ryuk ransom demand is estimated at around $290,000. Ryuk is not original code; it is derived from the Hermes ransomware.\r\nhttps://www.tripwire.com/state-of-security/security-data-protection/cyber-security/revil-ryuk-tycoon-ransomware/\r\nPage 1 of 3\r\nREvil\r\nREvil, named after the Resident Evil franchise, is also known as Sodinokibi and is operated as Ransomware-as-a-Service (RaaS). It is distributed through several methods, including malicious spam emails, exploit kits and exposed or poorly secured RDP services. The malware adds a twist in its ransom note: if the ransom is not paid by the specified deadline, the demand is doubled. 
The REvil gang even offers a “trial” decryption to prove to the victim that their files can be decrypted.\r\nREvil was first identified in April 2019 and is considered one of the most widespread ransomware families of 2020. Like many other crypto-malware families, REvil exfiltrates data and threatens to release it if the victim does not pay the ransom in time.\r\nA member of the group behind REvil, who goes by the name “Unknown,” has said that REvil is built on an older codebase, most likely GandCrab. REvil is highly configurable, allowing each affiliate to tailor the payload to their end goal. According to Secureworks, the ransomware can exploit CVE-2018-8453, a Windows win32k elevation-of-privilege vulnerability, to gain higher privileges, and it collects host information that it sends back to its operators.\r\nPreventing a Ransomware Attack\r\nAnyone who wants to keep a network secure first needs to know that network. Knowing the network means maintaining an inventory of every connected device and system, as well as understanding how traffic flows between them. On top of that, the network needs to be monitored continuously, which Security Information and Event Management (SIEM) tools make easier. Monitoring allows abnormalities to be discovered much more quickly, which saves precious time during an incident for reacting and remediating. It is also strongly recommended to make lateral movement across the network difficult for attackers, in order to limit the spread of any malware that has found its way in.\r\nOrganizations also need to practice vulnerability management. Patches and updates to software and devices are released to fix the vulnerabilities discovered in them. 
One of the first things attackers look for is vulnerable systems, so neglected updates give attackers an avenue to use known vulnerabilities to gain access to your systems and carry out their malicious deeds.\r\nYou need to accept that at some point malware will find a way into the network or its systems. It is not a matter of if but when. With this in mind, it is important to create a response plan for when malware is found on a system or the network, so that when it happens, the response can be quick and efficient and limit the exposure and damage. Along with having a response plan, it is important to test the plan periodically so that all staff know what to do during an incident and so that any needed updates to the plan are identified. Part of this plan should be maintaining up-to-date backups of systems and data, so that in the case of a ransomware attack there is little to no data loss and everything can be restored from backup. Those backups should be kept offline or otherwise isolated from the production network, since ransomware operators routinely seek out and encrypt or delete any backups they can reach, and restores should be tested as part of the plan exercises.\r\nOrganizations cannot stop there. They also need to remember the importance of managing secure configurations, blocking phishing and other email-based attacks, and controlling the use of administrative privileges.\r\nAbout the Author: Brett McFadden is a new entrant to the world of cyber security. With advanced diplomas in Cyber Security (Fanshawe College) and Television Broadcasting (Mohawk College), he brings a unique insight to a world where streaming accounts for one fifth of all television viewing. Brett is currently a Cyber Security Analyst with Western University in London, Ontario, and previously worked as a Cyber Security Analyst with Linamar Corporation and as a Business System Analyst with TD Bank’s Cloud Security and Data Protection team. 
Brett has spent time running internal mock phishing campaigns and ensuring that cloud migrations were compliant with industry standards. In his free time, Brett is an avid Twitch streamer and works toward his career goal of red teaming for either a large corporation or a penetration testing company.\r\nEditor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.\r\nSource: https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/revil-ryuk-tycoon-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/revil-ryuk-tycoon-ransomware/"
	],
	"report_names": [
		"revil-ryuk-tycoon-ransomware"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434303,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f765ff20613eb4759204601853b3eea4544bd205.pdf",
		"text": "https://archive.orkl.eu/f765ff20613eb4759204601853b3eea4544bd205.txt",
		"img": "https://archive.orkl.eu/f765ff20613eb4759204601853b3eea4544bd205.jpg"
	}
}