2020 most feared ransomware: a high-level analysis of Ryuk’s kill chain

2020 most feared ransomware: a high-level analysis of Ryuk’s kill chain

The old yet new ransomware kid on the block.

Ransomware is still a booming threat to small and middle-sized enterprises. In essence, a ransomware is a form of advanced malware that will encrypt the drives of a system and ask for “ransom” to get the decryption key and restore functionality to the system. Once the ransom has been paid, you can only hope the attackers supply you with the decryption key to retrieve access to the encrypted systems. Keep in mind that the systems can be reset, and the actual server is not broken, but it is the data on the server that is locked away. The estimated cost of ransomware in 2020 is well over $20 billion dollars, compared to $11.5 billion and $8 billion for 2019 and 2018 respectively.

What is the Ryuk ransomware?

Ryuk is a ransomware that has been around since 2018, but has been evolving ever since in many other variants and flavors. These new variants were recently used in several attacks, notably targeted at the already weakened healthcare industry. Taking advantage of the increasing vulnerability of organisations worldwide due to the COVID-19 pandemic and the surge of remote work, Ryuk attacks have skyrocketed. Through Q3 2019, SonicWall detected just 5,123 Ryuk attacks. Through Q3 2020, they detected 67.3 million Ryuk attacks, accounting for a third of all ransomware attacks this year.

For all variants and “strains” of Ryuk, the main idea is the same and the focus lies on spreading to systems and locking them up.

One of the companies recently hit by Ryuk is a French IT Services Company. While they managed to react fast and efficiently to the threat, their systems still had weeks of significant downtime. In this article we will take a high-level overview into how Ryuk works and how organizations can protect themselves, before, during and after infection.

Before Ryuk is able to lock data away, it needs an entry point into the system. Let us take a closer look on how a typical Ryuk kill chain looks like.

Ruyk's kill chain from ransomware
Ruyk ransonware high level analysis


During this stage, an attacker will gain entry to the company infrastructure in one or multiple ways. Most common and recurring examples of attacks or techniques which can lead to this include:

These techniques are used to install malware onto any workstation or server in the environment. This malware is often called a “dropper” because it enables the attacker to deploy more advanced tools and malware.


After the dropper has been installed on the targeted internal system, the next phase of the Ryuk’s attack starts. The dropper will contact the “Command and Control” server to download additional malware that would enable more droppers to be spread on critical devices such as domain controllers and data storages. Usually an attacker will use a compromised server from a third party or an unpatched and vulnerable internal network device to host the actual Ryuk and deploy it to the dropper.


After Ryuk has been dropped on the target, it will automatically activate after an undetermined period of time. Note that the deployment phase does not end, and the original infection will try to keep spreading droppers throughout the network. Once Ryuk activates, the data will be left encrypted and unrecoverable without the decryption key. This is the part where victims receive lines of text explaining how to buy cryptocurrency and transfer it to the attacker in exchange for the key. Depending on the timeframe when the original infection took place, the entire chain could easily happen overnight. For larger enterprises it will usually happen over the span of several days. Given that there is a higher number of critical targets, bigger organisations will get more time to react and defend themselves, assuming adequate detection and monitoring are in place.

Conclusion and take-aways

All this may sound awfully similar to the big Wannacry ransomware that took a big part of the world by surprise. While the name changed to Ryuk and more advanced code and techniques were used in the recent Ryuk attacks, the underlying problem still makes these attacks very viable and lucrative for malicious actors. It is hard to keep up with the different families and versions of ransomware kits that are being sold to individuals who can barely code, but are still very much able to launch them at smaller organizations. There are a few best practices that can really help make the difference:

I hope this article has, to some extent, raised awareness about the dangers of ransomwares and how to prevent them from happening. Do not let ransomwares attacks take you by surprise. If you are in doubt of the protections in place in your company, feel free to reach out to us to discuss with our cybersecurity specialists and consult our cybersecurity offerings.