Wednesday, April 30, 2025
HomeComputer SecurityRyuk Ransomware Attack on various Enterprise Network Around the World & Earned...

Ryuk Ransomware Attack on various Enterprise Network Around the World & Earned $640,000

Published on

SIEM as a Service

Follow Us on Google News

Newly spreading Ryuk Ransomware campaign targeting various enterprise network around the globe and encrypting various data in storage, personal computers, and data center.

The attacker made over $640,000 from various victims by demanding 15 BTC to 50 BTC in order to retrieve their files and some of the organization from the U.S and other countries are severely affected by Ryuk Ransomware.

Interestingly, further analysis revealed that the Ryuk Ransomware has used some of the capabilities from HERMES ransomware which is distributed by North Korean APT Lazarus Group.

- Advertisement - Google News

Researchers believe that Ryuk Ransomware might be another targetted campaign from Lazarus Group or malware author derived HERMES source code.

In this case, Attackers carefully pick the target and it’s intentionally built for small-scale enterprise networks and the attack carried out manually by the attackers.

Ryuk Ransomware Attack Flow

Initially, Ryuk distributed via massive spam campaigns and exploit kits and there is some specific operation such as extensive network mapping, hacking, and credential collection required before each operation.

Attackers using the same encryption logic that found in the HERMES ransomware and the similarities of the logic of the encryption process is almost the same as Ryuk.

Ryuk Ransomware kills more than 40 windows processes and stops more than 180 services by executing taskkill and net stop on a list of predefined service and process names.

Most of the services and processes are belonging to antivirus, database, backup and document editing software.

According to checkpoint Research, code injection technique holds the core functionality used by the ransomware for file encryption. It is started by decrypting a list of API function name strings using a predefined key and an array of the string lengths which is then used to dynamically load the corresponding functions.

Two different samples were discovered and the ransom notes of both versions are very similar that is sent to the victim.

“Longer, well-worded and nicely phrased note, which led to the highest recorded payment of 50 BTC (around $320,000), and a shorter, more blunt note, which was sent to various other organizations and also led to some fine ransom payments ranging between 15-35 BTC (up to $224,000).”

Once its complete all the cryptographic primitives, it encrypts every drive and network share on the victim system except the for any file or directory containing text from a hardcoded whitelist, which includes “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”

This for the purpose of the victim’s web browser intact given that it may be required for reading the ransom note, purchasing cryptocurrency and so on.

Attackers using several wallets and victims need to pay the specific wallet that they received within the Ransom notes.

The researcher believes that this Ransomware attacker is completely targetted attack and specifically targeting the enterprise network.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Uncovered RansomHub Operation and it’s Relation With Qilin Ransomware

Security researchers have identified significant connections between two major ransomware-as-a-service (RaaS) operations, with evidence...

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...