Ryuk
Ryuk is a prolific ransomware group first identified in 2018 and widely associated with Russia in the provided reporting. It is described as a financially motivated, destructive "big game hunting" ransomware operation that targeted large organizations, including companies, hospitals, local governments, and backup infrastructure. The reporting links Ryuk to Russia-based cybercrime and notes that numerous major ransomware groups, including Ryuk, have been linked to Russia.

The group's operations commonly involved multi-stage intrusion chains, with initial access provided by other malware families and affiliates. The content directly links Ryuk to BazarCall campaigns, BazarLoader/Kegtap, TrickBot, Emotet, Buer Loader, Cobalt Strike, and SystemBC. Reported Ryuk intrusions began with phishing or malspam, then progressed to rapid Active Directory and host discovery using built-in Windows tools and AdFind, credential theft and Kerberoasting with tools such as Rubeus, and lateral movement via WMI, SMB, RDP, remote services, and PowerShell. The group also used BloodHound/SharpHound to map Active Directory attack paths.

In observed incidents, operators disabled defenses with PowerShell, used GMER to find and shut down hidden processes and antivirus software, stopped backup- and database-related services, modified permissions with icacls, and deleted shadow copies using vssadmin commands such as "vssadmin Delete Shadows /all /quiet" and shadow storage resizing. The content describes a fast operational tempo in some cases: separate incidents progressed from phishing to domain-wide ransomware deployment in as little as about five hours and in 29 hours. Backup servers were prioritized in multiple reports.

Ryuk ransom demands were high-value; one report cited a demand of more than 600 BTC, and the FBI was cited as reporting that $61 million had been paid to the group as of February 2020.

Ryuk is also described as part of a broader cybercrime ecosystem. Emotet operators rented access to infected machines to ransomware operations such as Ryuk, and TrickBot infections were described as enabling access for Ryuk deployment. The content states that Silent Ransom Group actors were previously part of the Ryuk and Conti cybercrime syndicate, and that Conti emerged in 2020 as a successor to Ryuk. Reporting also notes financial facilitation tied to Ryuk, including account and exchange services linked to Garantex and laundering support from the Smart/TGR networks; one article states that associates of Ekaterina Zhdanova helped clients, including the Ryuk ransomware group, obtain overseas tax residency, identification cards, and bank accounts to move illicit funds. Known aliases in the provided content are Ryuk and ryuk_ransomware_group.
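The pre-encryption behaviours summarized above (shadow copy deletion and shadow storage resizing via vssadmin, stopping backup- and database-related services, icacls permission changes, disabling defenses from PowerShell) are what a defender can hunt for in process-creation telemetry. The following is an added detection example written for this page; it is not code from the reporting or from any tool the page describes. The event records are constructed, the exact service-stop and Defender-disable command forms are assumptions (the page names the behaviours, not the precise commands), and the 15-minute correlation window is a chosen illustration of the fast tempo the reporting describes, not a value from the page.

```python
"""Flag Ryuk-style pre-encryption activity in process-creation events and
escalate hosts where several distinct behaviours cluster in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror what Sysmon
# Event ID 1 / Windows 4688 carry: UTC time, host, user, command line.
SAMPLE_EVENTS = [
    ("2020-02-10T03:12:01", "FS01", "CORP\\svc_backup",
     "vssadmin Delete Shadows /all /quiet"),
    ("2020-02-10T03:12:05", "FS01", "CORP\\svc_backup",
     "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("2020-02-10T03:12:40", "FS01", "CORP\\svc_backup",
     'net stop "SQLSERVERAGENT" /y'),
    ("2020-02-10T03:13:10", "FS01", "CORP\\svc_backup",
     'icacls "C:\\*" /grant Everyone:F /T /C /Q'),
    ("2020-02-10T03:14:00", "FS01", "CORP\\svc_backup",
     "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"),
    # Benign noise: listing shadows and ordinary user activity should not fire.
    ("2020-02-10T09:00:00", "WS07", "CORP\\alice", "vssadmin list shadows"),
    ("2020-02-10T09:05:00", "WS07", "CORP\\alice", "notepad.exe C:\\Users\\alice\\notes.txt"),
    # A lone DBA service restart: one category only, so no escalation.
    ("2020-02-11T22:30:00", "DB02", "CORP\\dba", "net stop MSSQLSERVER"),
]

# Each rule maps one behaviour from the reporting to a command-line pattern.
# The service-stop and Defender patterns are assumed command forms.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("backup_or_db_service_stop",  # assumed: net/sc stop of a sql*/backup* service
     re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+"?[^\s"]*(?:sql|backup)[^\s"]*"?', re.I)),
    ("icacls_everyone_grant",
     re.compile(r"\bicacls(?:\.exe)?\b.*/grant\s+Everyone:", re.I)),
    ("defender_realtime_disabled",  # assumed PowerShell form of "disabled defenses"
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


def classify(cmdline):
    """Return the names of every rule the command line matches (may be empty)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """Run every rule over every event; one finding per (event, rule) hit."""
    findings = []
    for ts, host, user, cmdline in events:
        for rule in classify(cmdline):
            findings.append({
                "time": datetime.fromisoformat(ts),
                "host": host, "user": user, "rule": rule, "cmdline": cmdline,
            })
    return findings


def escalate(findings, window=timedelta(minutes=15)):
    """Map host -> sorted rule names for hosts where two or more distinct
    behaviours occur within `window` of each other (the fast-tempo signal)."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda f: f["time"])
        for i, first in enumerate(items):
            rules = {f["rule"] for f in items[i:] if f["time"] - first["time"] <= window}
            if len(rules) >= 2:
                flagged[host] = sorted(rules | set(flagged.get(host, [])))
    return flagged


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['time'].isoformat()} {f['host']:<5} {f['rule']:<28} {f['cmdline']}")
    print("escalated hosts:", escalate(hits))
```

The single-rule hits are useful on their own (shadow copy deletion is rarely legitimate on a file server), but the `escalate` step is what separates a DBA restarting SQL from a host where shadow copies, backups, permissions and defenses are all being dismantled in the same few minutes; tune the window and the service keyword list to your own environment.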
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as part of the cybercrime syndicate tied to earlier BazarCall callback phishing campaigns that provided initial access for ransomware attacks.
Referenced as a ransomware group associated with BazarCall callback phishing operations.
Referenced as a ransomware operation observed using Cloudzy/RouterHosting infrastructure.