- Ransomware Family
This ransomware is distributed via spam emails or exploit kits.
When a device is infected, this ransomware will search for and encrypt certain files type, which are usually document and media files. When the encryption is complete, the ransomware will display a ransom message on your screen, or by adding a text file (message) to the affected folders.
- Ransomware Note
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
More than a year ago, world experts recognized the impossibility of deciphering by any means except the oridinal decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT DELETE readme files.
To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free.
To get info (decrypt your files) contact us at
No system is safe
- Ransomware Extension
.RYK or .rcrypted
- Requested Ransom
Payments ranging between 15-35 BTC
- Ransomware Decryption Tool
The dropper of Ryuk is simple and fairly straightforward. It contains 32 and 64 bit modules of the ransomware, embedded one after the other in the dropper’s binary. At the beginning of its execution, the dropper generates a 5-lettered random file name using the srand function and GetTickCount for seed generation. The aforementioned payload files are then written to a directory, depending on the version of Windows on victim’s computer. If the version is Windows XP or Windows 2000, the file is created in the directory “\Documents and Settings\Default User\”, otherwise it is created in “\users\Public\”. If the file creation fails, the dropper attempts to write it in its own directory, using its own name and appending the letter ‘V’ as the last character.
After creating the file, the dropper then checks whether the process is run under Wow64, and writes the suitable payload (32 or 64 bit) depending on the result of the check. Finally, before terminating, the dropper calls ShellExecuteW to execute the Ryuk ransomware payload it has just written.
Upon execution, the Ryuk ransomware conducts a Sleep of several seconds and then checks whether it was executed with an argument. If such was passed, it will use it as a path to a file that is deleted using DeleteFileW. Based on the malware’s dropper code, this argument would be the path to the dropper itself. Following this, the ransomware will kill more than 40 processes and stop more than 180 services by executing taskkill and net stopon a list of predefined service and process names. These services and processes are mostly belonging to antivirus, database, backup and document editing software.
To make sure the malware is executed after reboot, Ryuk uses a straight forward persistence technique, whereby it writes itself to the Run registry key using the following command:
‘reg add /C REG ADD “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “svchos” /t REG_SZ /d’
It will then try to elevate to SeDebugPrivilege so as to have extended capabilities in subsequent actions and prepare for injection by forming an array of structures. Each entry in the array represents a running process in the system and contains the process’ name, PID, and a number which represents the account type of its owner (as outlined in the figure below). After putting the aforementioned process list together, Ryuk will iterate over it and try to inject a code to each process’s address space, as long as its name is not “explorer.exe”, “csrss.exe” or “lsaas.exe”, or is not run by NT AUTHORITY.
Ryuk uses a rather basic injection technique, whereby it first gets a handle on the target process using OpenProcess and allocates a buffer in its address space using VirtualAllocEx. The allocated buffer would have the size of the malware’s image and would be required to be positioned at the same base address.
The malware will then write its current virtual image content into it and create a thread that will carry out some actions, as described in the next section. Note that by writing the virtual image into a requested buffer with a predefined allocation base, and with the lack of a proper code relocation procedure, Ryuk is taking the risk that the requested address is not available for allocation, thus causing a potential failure in the execution of the injected code.
In addition to local drives, Ryuk will also try to encrypt network resources. First, it will start their enumeration by calling WNetOpenEnum, and then allocate a zero-initialized buffer. This buffer will be filled throughout a call to the WNetEnumResource function. If the enumerated resource is a container for other resources, the ransomware will call its network resources enumeration function recursively. For each network resource found by Ryuk, the resource’s name will be appended and separated with a semicolon to a list that will later be used to encrypt these network resources.
Finally, Ryuk will destroy its encryption key and execute a .BAT file that will delete shadow copies and various backup files from the disk.
Ryuk Ransomware hashes (MD5):