RYUK Ransomware Information

    • Updated: 27 Sep 2019
    • Product/Version:
        • Apex One 2019
        • Deep Discovery Email Inspector 2.5
        • InterScan Messaging Security Suite 9.1
        • InterScan Web Security Virtual Appliance 6.5
        • OfficeScan XG
        • ScanMail for Exchange 14.0
        • Worry-Free Business Security Advanced 10.0
        • Worry-Free Business Security Standard 10
    • Platform: N/A
Summary

Ryuk is a ransomware family that gained notoriety in December 2018, when it disrupted the operations of several major U.S. newspapers. Earlier analysis from Check Point in August 2018 noted that Ryuk was being used exclusively for targeted attacks, with its main targets being the critical assets of its victims. In the few months before the December attack, Ryuk attacks extorted over US$600,000 worth of bitcoins from various large enterprises.

A recent flash update from the FBI revealed that over 100 organizations around the world have been hit by Ryuk attacks since August 2018. The victims come from different industries, the most common being logistics and technology companies, as well as small municipalities. The update also mentioned that identifying Ryuk's infection vectors is difficult because the ransomware typically deletes all evidence of its dropper as part of its routine. Previous incidents, however, show that delivery methods for Ryuk can be highly varied: for example, it can be dropped by other malware such as Emotet or Trickbot. Attackers can also take advantage of flaws or weak points in a system to gain access to an organization's network.

Behavior

  • Bypasses anti-virus products
  • Maintains persistence on the targeted machine
  • Runs as a legitimate process by injecting into a Windows process
  • Terminates processes
  • Stops services

Capabilities

  • Information Theft
  • File Encryption
  • Disabling usage capability

Infection Routine

RYUK Infection Flow

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date
Ransom.Win32.RYUK.SM (One-to-Many Pattern) | ENT OPR 14.797 | First Release: 2019-02-06
Ransom.Win64.RYUK.SM (One-to-Many Pattern) | ENT OPR 14.463 | First Release: 2018-08-24
Ransom.Win32.RYUK.SMTH (One-to-Many Pattern) | ENT OPR 14.871 | First Release: 2019-03-14
Ransom.Win32.RYUK.SMTH1 (One-to-Many Pattern) | ENT OPR 15.209 | First Release: 2019-07-01
Ransom.Win32.RYUK.THIABAI | ENT OPR 15.363 | 2019-09-13
Ransom.Win32.RYUK.HTW | ENT OPR 15.343 | 2019-09-03
Ransom_RYUK.THHBAAH | ENT OPR 14.457 | 2018-08-21
Ransom_RYUK.THHBAAO | ENT OPR 14.459 | 2018-08-22

Predictive Machine Learning

Detection | Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF028 | In-the-Cloud
Troj.Win32.TRX.XXPE50FFF031 | In-the-Cloud

Behavior Monitoring

Policy ID | Pattern Branch/Version | Release Date
RAN2455T | TMTD OPR 1675 | 2017-06-28
RAN2194S | TMTD OPR 1939 | 2019-09-17
RAN2200T | TMTD OPR 1939 | 2019-09-17

Web Reputation

Detection/Policy/Rules | Pattern Branch/Version
URL Protection | In-the-cloud

Anti Spam

Detection/Policy/Rules | Pattern Branch/Version
URL Protection | In-the-cloud

Network Patterns

Rules/Detections/Patterns

  • Deep Security and Vulnerability Protection (IPS):
      • 1008228 - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
      • 1008306 - Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)
      • 1008328 - Identified Client Suspicious SMB Session
      • 1008327 - Identified Server Suspicious SMB Session
      • 1008227 - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
      • 1008225 - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
      • 1008224 - Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
  • Deep Discovery Inspector:
      • Rule 2435 - MS17-010 - Remote Code Execution - SMB (Request)
      • Rule 2528 - MS17-010 - Remote Code Execution - SMB (Request) - Variant 2
  • Relevance Rules:
      • RMS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT_NC_
      • MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-2_NC_
      • MS17-010-SMB_REMOTE_CODE_EXECUTION_EXPLOIT-3_NC_
      • SMB_EQUATED_RESPONSE_NC

Solution Map - What should customers do?

The table below lists, per Trend Micro solution and major product (latest version), the action for each protection layer: Virus Pattern, Anti-Spam Pattern, Network Pattern, Behavior Monitoring, Predictive Machine Learning and Web Reputation. Cells that the original table shared across several products in the same group are listed once for the group.

  • Endpoint Security: Apex One 2019; OfficeScan XG (12.0); Worry-Free Business Security Standard (10.0) and Advanced (10.0)
      • Virus Pattern: Update pattern via web console
      • Anti-Spam Pattern: Not Applicable for Apex One and OfficeScan; Worry-Free Business Security: Update pattern via web console
      • Network Pattern: Update pattern via web console
      • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
      • Predictive Machine Learning: Enable Predictive Machine Learning
      • Web Reputation: Enable Web Reputation Service and update pattern via web console
  • Hybrid Cloud Security: Deep Security 12.0
      • Virus Pattern: Update pattern via web console
      • Anti-Spam Pattern: Not Applicable
      • Network Pattern: Update pattern via web console
      • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
      • Predictive Machine Learning: Enable Predictive Machine Learning
      • Web Reputation: Enable Web Reputation Service and update pattern via web console
  • Email and Gateway Security: Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14.0
      • Virus Pattern: Update pattern via web console
      • Anti-Spam Pattern: Update pattern via web console
      • Network Pattern: Deep Discovery Email Inspector: Update pattern via web console; InterScan Messaging Security, InterScan Web Security and ScanMail for Microsoft Exchange: Not Applicable
      • Behavior Monitoring: Not Applicable
      • Predictive Machine Learning: Not Applicable
      • Web Reputation: Enable Web Reputation Service and update pattern via web console
  • Network Security: Deep Discovery Inspector 5.5
      • Virus Pattern: Update pattern via web console
      • Anti-Spam Pattern: Not Applicable
      • Network Pattern: Update pattern via web console
      • Behavior Monitoring: Not Applicable
      • Predictive Machine Learning: Not Applicable
      • Web Reputation: Enable Web Reputation Service and update pattern via web console

Category: Remove a Malware / Virus
Solution Id: 1123892