Since October 2018, a number of high-value companies, banks, and organizations have been hit by a severe ransomware infection. The Ryuk ransomware attacked these businesses by encrypting their data and displaying a note demanding that the victim pay a ransom fee.
The ransom amount varies from victim to victim, and so far the cybercriminals are said to have netted a total of $4 million. The group behind Ryuk is said to be North Korea’s Lazarus, which reportedly modified the Hermes ransomware to suit its purposes.
Security experts advise against honoring the ransom demands, because paying only encourages further ransomware attacks.
What Are Ryuk Ransomware Attacks?
The Ryuk ransomware carefully selects its victims and silently infiltrates the systems of major companies. The program blocks users from accessing their files and data, and the attackers release the decryption key only once their demands are met. The ransomware encrypts not only local files but also network drives.
The Ryuk virus is not an ordinary malware infection. First of all, it uses the RSA-4096 and AES-256 ciphers to encrypt data, which makes recovering the data without the attackers’ key practically impossible. As a result, affected corporations are pushed into paying in cryptocurrency to get their data back.
Additionally, the Ryuk ransomware can stop 184 commands, which lets the attackers halt predetermined running processes and run applications without permission. Moreover, the program does not append its own extension to the encrypted files. Instead, it drops a text file named RyukReadMe.txt in every folder it touches.
How Does Ryuk Ransomware Act?
Ryuk ransomware persists across reboots by writing itself to the Run registry key. To infect your computer, attackers use Trojans, peer-to-peer networks, spam emails, and fake software updates.
The ransomware infection spreads to your computer the moment you open an attachment on an infected email. Likewise, users might be tricked into thinking that particular software is genuine. When you download and install the software, your computer becomes infected by the malware.
When the infection hits the victim’s system, it encrypts all the data and files and even locks the desktop screen. Once encryption completes, the virus runs the command vssadmin Delete Shadows /all /quiet, which deletes the Volume Shadow Copies and any other backup files it finds, so that the data cannot simply be restored from a local snapshot.
Ryuk also displays two messages. The first one politely advises the affected company to pay a specific ransom sum to receive the decryption keys. The ransom note provides the details of a Bitcoin wallet and an email address for contacting the attackers. The message warns that failure to take action after two weeks will lead to the permanent deletion of your files and keys.
The second message is shorter, with clear warnings of the consequences you risk if you try recovery methods on your PC.
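As an added, defender-side example (not part of the original article), the following PowerShell script checks a Windows host for the three indicators described above: a Run-key persistence entry, dropped RyukReadMe.txt notes, and the vssadmin shadow-deletion command in process-creation events. It assumes an elevated shell and that Security event 4688 is being logged with process command lines included (an audit-policy setting that is off by default); the seven-day window and the C:\ search root are arbitrary choices.

```powershell
# Added triage example, not code from the original article.
# Assumes: elevated PowerShell; "Audit Process Creation" enabled with
# "Include command line in process creation events" so that event 4688 carries the command line.

# 1. Persistence: list every value in the machine and user Run keys so an
#    unfamiliar entry (such as a copy of the ransomware) can be spotted.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        "--- $key ---"
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# 2. Ransom notes: the article states Ryuk drops RyukReadMe.txt in every folder it touches,
#    so the count and location of these files outline what was encrypted.
$notes = Get-ChildItem -Path 'C:\' -Filter 'RyukReadMe.txt' -Recurse -Force -ErrorAction SilentlyContinue
"Ransom notes found: $($notes.Count)"
$notes | Select-Object -First 10 -ExpandProperty FullName

# 3. Shadow-copy deletion: search process-creation events from the last 7 days for the
#    exact command the article quotes. A hit here is a strong sign that encryption has finished.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin' -and $_.Message -match 'Delete Shadows' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            CommandLine = ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }).Trim()
        }
    }
```

If command-line auditing was not enabled before the incident, section 3 will return nothing even on an infected host; the other two checks do not depend on it.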
How to Protect My Computer from Ryuk Ransomware
The following tips will help you to keep safe from Ryuk on Windows 10.
Keep Up-to-Date Backups
Having up-to-date backups makes it far easier to restore data after a malware attack. Adding an extra hard drive to your computer for backups helps, but a drive that stays attached is still exposed: the ransomware can encrypt it along with everything else.
The safest option is to use a cloud backup platform, because the backup is not presented to Windows as a mapped drive that the ransomware can enumerate and encrypt. This makes encrypting data stored in the cloud difficult.
Install an Anti-Malware Tool
Hackers are always looking for vulnerabilities in computer systems through which to deploy malware. Installing a reliable anti-malware tool gives you a lasting defense against ransomware attacks.
The Auslogics Anti-Malware tool is your best guard against cybercrime. Its behavioral detection helps to instantly sense any signs of malicious applications trying to intrude into your system.
The program is powerful enough to stop data encryption from threats such as the Ryuk ransomware. Since most forms of ransomware are designed to penetrate any system through open ‘backdoors’, it may be difficult to detect them until it’s too late. The Auslogics Anti-Malware tool doesn’t leave anything to chance. All the files, folders, browser extensions, cookies, and installed programs are thoroughly scrutinized for possible threats.
Upon detecting virus infections, the tool quickly acts to eliminate them before they cause any damage to your personal information and system at large.
Always Keep Your Programs and System Updated
Most ransomware preys on outdated operating systems because they carry unpatched vulnerabilities. That is why you need to install updates as soon as they are released. Microsoft frequently releases security patches for Windows, so make sure your system is updated immediately.
The same goes for the programs installed on your PC. Many ransomware attacks are spread through exploit kits, which target common programs such as Adobe Reader and Java.
How to Remove Ryuk Ransomware
If your system is already infected by the Ryuk ransomware, the following tips will help you get rid of it.
Tip 1: Use the Task Manager
- On your keyboard, press the Ctrl + Shift + Esc keys simultaneously.
- Check for suspicious applications that are running. Right-click on each one of them, and select “End Task”.
Tip 2: Uninstall the Offending Programs
- Click “Start” and type control panel. Click on “Control Panel”.
- Select the “Uninstall a program” option under “Programs”.
- Next, search for all the programs you suspect to be responsible. Right-click each program and select “Uninstall”.
Tip 3: Perform System Restore with Command Prompt
- From the “Start” menu, select “Power”.
- Hold down the “Shift” key and choose “Restart”.
- Follow this path: Troubleshoot > Advanced options > Startup Settings.
- Click “Restart”.
- On the next screen that follows, select option 6 to boot Windows in Safe Mode with Command Prompt.
- Sign in to the infected account using your username and password.
- On the Command Prompt window, type in cd restore and press “Enter”.
- Next, type in rstrui.exe, and press “Enter”.
- On the System Restore window that pops up, select “Next” and then choose a restore point prior to the Ryuk attack.
- Click “Next” and then select “Yes”.
- After the System Restore process completes, use the Auslogics Anti-Malware tool to perform a full scan on your computer.
To prevent future attacks, keep your backups up to date, keep your system and other programs updated, and avoid opening web pages and email attachments whose origin you cannot verify.