
Ryuk Ransomware: Definition and Protection Strategies 

The average ransomware demand continues to grow, and one particular strain is largely to blame: the Ryuk ransomware. This infamous malware shows that hackers are more serious, and better organized, than they have ever been before.


What is Ryuk Ransomware

Ryuk is a highly dangerous ransomware that targets companies and governmental organizations alike. This ransomware encrypts cloud data, damaging the whole network of an organization. Ryuk virus has made a name for itself targeting businesses that supply services to other companies — particularly cloud-data firms — with the ransom demand set according to the victim’s financial capability.

First detected in 2018, Ryuk extorted at least $3.7 million in just its first 52 payments. Ryuk targets large organizations and uses strong encryption that is extremely hard to break.

The ransom demand is insane: up to $14 million (!) in Bitcoin. By comparison, the infamous WannaCry demanded about $300 for decryption. Due to Ryuk, the average ransomware demand has grown to $41,198.


The ransom demand is set according to the approximate value of the encrypted data. This is evidence of solid research done by hackers before the attack.

Taking into account Ryuk’s advanced technology and financial research, it’s safe to conclude: Ryuk authors are not some home-grown rookies, but serious and well-organized professionals.

How Ryuk Works

Similar to other ransomware, Ryuk spreads by phishing emails or malicious pop-ups. Once a user clicks the infected link, Ryuk gets into the system. After some time, Ryuk encrypts the business-critical data. The damaged files can’t be decrypted without a special digital key that hackers promise to provide once the ransom is paid. You can read more about how ransomware works in our recent article.

Unlike the majority of ransomware families, Ryuk is targeted. This means that instead of sending phishing emails to anyone at random, hackers carefully choose which target to infect with Ryuk.

The targets are usually enterprises that have a lot to lose and will be willing to pay to get their data back. Ryuk is delivered as a secondary payload by the Emotet and TrickBot botnets.

  1. Hackers send emails with infected attachments
  2. User clicks the attachment
  3. Botnet (Emotet or TrickBot) is downloaded
  4. Virus moves through the infected network
  5. Ryuk is executed
  6. Data becomes encrypted
  7. User gets a ransom note

Once inside the system, Ryuk encrypts non-executable files and appends the .ryk extension to them. In every infected folder you can find a text file called RyukReadMe that notifies you about the attack. The note also lists a Bitcoin address for paying the ransom to get your files back.

What makes things worse is that Ryuk can stay silent for weeks or months to gather more information and maximize the impact. The virus identifies shared folders and deletes the Volume Shadow Copies, which effectively disables the Windows System Restore option. Therefore, if you don’t have an external backup, you may not be able to recover your files.
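The two on-disk indicators the article names, the .ryk extension and the RyukReadMe note in every affected folder, are enough for a simple defender-side scan. The following is an added example, not code from the article or from Spin.AI; the directory layout it scans is constructed in the block, and the "confirmed/suspect/clean" verdict levels are assumptions.

```python
import os
import tempfile

RYUK_EXT = ".ryk"            # extension Ryuk appends to encrypted files (from the article)
NOTE_PREFIX = "RyukReadMe"   # ransom note dropped in each infected folder (from the article)

def scan_for_ryuk_indicators(root):
    """Walk `root` and return {folder: {"ryk": n, "note": bool, "total": m}}
    for every folder showing at least one of the two indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        ryk = sum(1 for f in files if f.lower().endswith(RYUK_EXT))
        note = any(f.startswith(NOTE_PREFIX) for f in files)
        if ryk or note:
            hits[dirpath] = {"ryk": ryk, "note": note, "total": len(files)}
    return hits

def severity(hits):
    """Assumed verdict levels: 'confirmed' when a ransom note sits beside .ryk files,
    'suspect' when only one indicator is present (e.g. encryption still in progress),
    'clean' when nothing was found."""
    if any(h["note"] and h["ryk"] for h in hits.values()):
        return "confirmed"
    return "suspect" if hits else "clean"

def summarize(root):
    """Return (verdict, hits keyed by folder path relative to `root`)."""
    hits = scan_for_ryuk_indicators(root)
    rel = {os.path.relpath(d, root): v for d, v in hits.items()}
    return severity(rel), rel

def build_sample_tree():
    """Constructed sample tree (not a real infection): an untouched 'hr' folder and a
    'finance' folder whose documents were renamed to .ryk and received a note."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "finance"))
    os.makedirs(os.path.join(root, "hr"))
    for name in ("budget.xlsx.ryk", "q3.docx.ryk", "RyukReadMe.txt"):
        open(os.path.join(root, "finance", name), "w").close()
    open(os.path.join(root, "hr", "handbook.pdf"), "w").close()
    return root

if __name__ == "__main__":
    verdict, hits = summarize(build_sample_tree())
    print(verdict, hits)
```

Run against a file share or a backup snapshot, a non-empty result is the cue to isolate the host and restore from backup rather than wait for the note.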


Ryuk often encrypts Microsoft Office 365 data. That is why it is crucial for organizations to have a backup for Office 365 and to use ransomware detection software that can stop an attack from spreading through the network. We’ll talk about this in detail at the end of the article.

Ryuk Attacks

Florida ransomware attack, June 2019. Ryuk attacked two city councils in Florida: Lake City and Riviera Beach City. The attack immobilized local networks, forcing the councils to pay. The sum paid to hackers exceeded $1 million.

La Porte County, July 2019. The county in Indiana suffered an attack that affected nearly 7% of the local administration’s laptops.

Hackers collected $130,000 in Bitcoin as a ransom to restore systems after the attack. However, the network still took days to recover completely.

VCPI attack, November 2019. The attack targeted a Milwaukee-based IT company operating with cloud data. As a result, the workflow of 110 clients across 45 U.S. states was disrupted. More than 80,000 computers and servers powering care facilities were affected.

Ryuk infected the Office 365 accounts of the company. Hackers demanded $14 million in Bitcoin to decrypt the damaged data.

The initial infection, presumably, occurred in September 2018. That means the virus had been moving through the system for 14 months before the encryption started.


You can read more about these and other attacks in our article about ransomware attacks of 2019.


What Can You Do if Ryuk Infection Happens?

There is no reliable Ryuk decryptor on the market, and the one that is available seems to be broken. That’s why in case of infection you have just three options: say goodbye to your data, pay the ransom, or restore the damaged files from a backup. You won’t be happy with the first two. Accepting data loss leads to huge financial and reputational damage. Paying the ransom might be a waste of money, as hackers may never hand over the decryption key.

Restoring encrypted files from a backup is the only valid solution. If you have backed up your data, you can be sure you can recover it in case of an attack. Backup is proven to be effective against Ryuk: Louisiana’s Office of Technology Services avoided paying the ransom by recovering its computer systems from backups and getting rid of Ryuk.




Ryuk Ransomware Prevention

Universal ransomware protection rules can be applied to Ryuk as well. As we’ve mentioned before, having a backup is a great way to keep your data safe from ransomware.

Though very effective, recovering files from a backup takes some time. That’s much better than paying a ransom, but while you’re waiting for your data to be restored, your business is losing money. That’s why the best way to protect your data from Ryuk is to combine backup with anti-ransomware tools that can block an attack as it happens. These tools detect a ransomware infection as early as possible and stop the encryption process, which means fewer files are compromised and recovery from backup is faster.

In addition to backup, we offer ransomware protection software for Office 365 and G Suite. SpinOne identifies ransomware and blocks its source, keeping the amount of affected data as low as possible. After the threat has been neutralized, all encrypted files are recovered from a backup automatically.


SaaS downtime can cause substantial financial losses or even business closing. Learn what causes downtime, how to calculate its cost, and minimize its impact.

What is downtime in SaaS?

Strictly by the dictionary definition, downtime is the period when a certain tool isn’t available for use. What’s missing from this definition is the emphasis on how critically we need the tool.

Let’s say we have a broken hammer at home. It can stay in that condition for a month, and we won’t experience “downtime.” Not until we need to drive a nail into a wall and find that we can’t do it with a broken hammer.

Another important aspect of downtime is impeding certain activities and operations, and ultimately the achievement of the goals.

These aspects can be extrapolated to business:

Business downtime is the period when mission-critical operations are interrupted due to the inability to use a certain tool. This can refer to physical equipment, like PCs or machinery, or software tools.

SaaS downtime is a type of business downtime in which subscription-based software tools malfunction and impede operations. It can have a significant impact on companies that heavily depend on such solutions.

Causes of SaaS downtime

The primary cause of SaaS downtime is a cyber incident. We can outline two types of causes:

  • External
  • Internal

External causes take place on the provider’s side (thus they are external to the business using the tools). These causes include software bugs, exploited vulnerabilities, or maintenance work.

Internal causes are cyber events that took place on the user side. These include:

  1. Power/Internet outages that disable access to the SaaS solution.
  2. Successful cyber-attacks that exploit weaknesses in a company’s cybersecurity (e.g. ransomware).
  3. Employee errors (e.g., accidental deletion of files or improper solution setting by admins).
  4. Payment failure.

The key difference between external and internal causes of downtime is the amount of control a company has over them. Your business can neither prevent nor take timely action when your SaaS tools stop working due to external causes. All you can do is wait until the provider fixes the problem.

When it comes to internal causes, businesses have much better control. They can mitigate the risks, prevent some cyber events, and create a plan to minimize their impact in case of occurrence. In this article, we’ll primarily focus on the internal causes of SaaS downtime.

Impact on business

As mentioned above, modern businesses heavily depend on SaaS solutions. Tools like Google Workspace, Microsoft Office 365, and Salesforce contain some of the most critical information. Furthermore, they automate and streamline important processes like collaboration on documents, tracking sales pipeline, data analysis, etc. Not being able to use these tools or the data they store can have a detrimental impact on business operations.

Downtime consequences:

  1. Opportunity losses.
  2. Employee productivity decline.
  3. Reputational losses.
  4. Legal consequences.
  5. Financial losses.
  6. End of business.

Let’s take a closer look at each of them.

Business opportunities are usually limited in time. Downtime can paralyze the operations of the departments that work on converting opportunities into real projects.

Downtime damages employee productivity in several ways. First, people can feel frustrated about their inability to complete their tasks and uncertain about their future. Second, it’s hard to regain productivity after the end of downtime because it’s often difficult to focus after not working for some time.

Reputational losses occur when a business fails to deliver results to its clients. Rating decrease on ranking websites, bad reviews, and word of mouth can be ruthless in spreading the story of your failure.

Some customers can go as far as a lawsuit. Another example of legal consequences is the failure to comply with certain rules and regulations.

All these events will inevitably lead to financial losses. We’ll take a deeper look at them in our next section.

Last but not least is the possibility of business termination. It heavily depends on multiple factors. For example, large companies often have insurance and a budget to recover from such incidents, while smaller companies are often more dependent on day-to-day income. Earlier reputational losses can also contribute to the final closure.

Cost of downtime

The cost of downtime differs significantly depending on multiple factors including company size, industry, location, and type of operations. For example, the cost of downtime was over $300K per hour in 2022 for 90% of SMBs, and over $1M for 44% of medium and large companies.

How to calculate cost of downtime

There are different ways to calculate the cost of downtime. The first thing that comes to mind is to assess the loss of revenue. However, we suggest adding several contributing factors.

The components of downtime cost:

  1. Loss of revenue

Every minute of downtime your business keeps spending money while hardly making any. You can use a formula to get your hourly revenue:

[annual revenue] / 52 weeks = [average weekly revenue]

[average weekly revenue] / business hours = [average hourly revenue]

Now, you can find out how much revenue your business lost during the downtime period.

  2. Loss of productivity

This factor is hard to estimate since you need to understand how much the productivity of your employees dropped. Were their operations completely paralyzed, or could they still complete certain tasks? We suggest using the following formula:

[number of employees] * [average total compensation per hour] * % of [lost productivity] / 100 = [cost of lost productivity per hour]

  3. Operating cost (without salaries and compensations)

Operating cost includes COGS (cost of goods sold) and operating expenses such as rent, accounting, legal fees, etc. Operating expenses normally also include employee compensation; do not include it here, since you have already counted it in the loss of productivity calculation.

  4. Penalties and legal fees

It’s hard to predict how much your business will have to spend in court. However, in most cases penalties and fines are set by law, so you can add them to your downtime cost calculation.

  5. Reputational loss

It is hard to calculate the financial loss of reputational damage. One of the suggestions is to calculate the annual costs of the marketing and PR departments. Then multiply it by the perceived percentage of reputational loss. Otherwise, you can ask these teams to estimate the cost of rebuilding your reputation.

One more way is to compare the predicted number of customers over the next several months with the real one. However, this can only be done some time after the downtime happened.
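The five components above, carried through as one calculation. This is an added example, not a calculator from the article or from Spin.AI; the sample figures are constructed, and the choice to spread the annual operating cost over the same 52 weeks and business hours as revenue is an assumption.

```python
from dataclasses import dataclass

@dataclass
class DowntimeInputs:
    annual_revenue: float            # [annual revenue] in the article's formula
    business_hours_per_week: float   # "business hours" divisor in the hourly step
    employees: int
    avg_compensation_per_hour: float
    lost_productivity_pct: float     # 0-100, share of output the team lost
    annual_operating_cost: float     # COGS + opex WITHOUT compensation (counted above)
    penalties_and_fees: float        # one-off amount set by law or contract
    reputational_loss: float         # one-off estimate, see reputational_loss_estimate()

def hourly_revenue(i):
    weekly = i.annual_revenue / 52                 # [annual revenue] / 52 weeks
    return weekly / i.business_hours_per_week      # [weekly revenue] / business hours

def hourly_productivity_loss(i):
    # [employees] * [compensation per hour] * % of [lost productivity] / 100
    return i.employees * i.avg_compensation_per_hour * i.lost_productivity_pct / 100

def hourly_operating_cost(i):
    # Assumption: operating cost keeps accruing at its normal hourly rate during downtime.
    return i.annual_operating_cost / 52 / i.business_hours_per_week

def reputational_loss_estimate(annual_marketing_pr_cost, perceived_loss_pct):
    # Article's suggestion: annual marketing + PR cost times perceived % of reputation lost.
    return annual_marketing_pr_cost * perceived_loss_pct / 100

def downtime_cost(i, hours):
    """Total cost of `hours` of downtime: the three hourly components scaled by
    duration, plus the two one-off components."""
    per_hour = hourly_revenue(i) + hourly_productivity_loss(i) + hourly_operating_cost(i)
    return round(per_hour * hours + i.penalties_and_fees + i.reputational_loss, 2)

# Constructed sample company: $5.2M revenue, 40-hour week, 50 staff at $60/h who lost
# 80% of their output, $2.08M non-compensation operating cost, $10k fines, $5k reputation.
SAMPLE = DowntimeInputs(5_200_000, 40, 50, 60, 80, 2_080_000, 10_000, 5_000)

if __name__ == "__main__":
    print("cost of an 8-hour outage:", downtime_cost(SAMPLE, 8))
```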

Maximum tolerable downtime

In disaster recovery planning, experts often use the maximum tolerable downtime (MTD), also called maximum allowable downtime. MTD is needed to understand how quickly recovery must be carried out.

According to NIST:

Maximum tolerable downtime is downtime that does no significant harm to an organization’s mission.

About Author

Davit Asatryan is the Director of Product at Spin.AI

Frequently Asked Questions

Is Ryuk ransomware still active?

Ryuk ransomware actively proliferated between August 2018 and June 2022. The first appearance of the ransomware was related to encrypting the files of hundreds of small municipalities and tech companies around the world. One of the latest publicly infamous Ryuk attacks occurred in November 2020, when the ransomware hit the Baltimore County Public School system massively disrupting their remote educational services. Since 2021, the Ryuk ransomware has been in its latent phase. This may be related to the sentencing of the gang broker Denis Dubnikov after he pleaded guilty to charges related to laundering money for the Ryuk ransomware group in April 2023. However, the experts say that Ryuk ransomware has not disappeared but evolved and can now spread without human interaction, like a more typical worm rather than a computer virus.

What does Ryuk ransomware do?

Like most infamous ransomware, Ryuk uses phishing emails or malicious pop-ups as its most common attack vectors. Once a user clicks the infected link, Ryuk encrypts files, data, and system access, making it impossible to retrieve information and/or enter the systems. Additionally, it disrupts the System Restore feature, leaving victims with the dilemma of losing their data or meeting the ransom demands.

How much did Ryuk ransomware cost in damages?

The Ryuk ransomware attacks are among the biggest in damage and recovery cost in recent memory. For instance, the Baltimore County Public School system, which fell victim to the Ryuk ransomware in 2021 and had its remote educational services massively disrupted, reported having spent more than $8.1m recovering from it. United Health Services (UHS), which experienced a Ryuk ransomware attack in September 2020, estimates that the attack cost it $67 million.