Threat Actor Profile
Ryuk
Ryuk is a prolific ransomware group first identified in 2018. Known for targeting large enterprises, public services, and critical industries such as healthcare and government, Ryuk rose to prominence with its high-stakes "big game hunting" strategy. Leveraging sophisticated multi-stage attack chains and commodity malware like TrickBot, Ryuk inflicted severe operational disruptions and generated significant ransom payments. The group’s activities highlight the evolving and persistent danger of financially motivated ransomware campaigns.
Threat Actor Profile
Ryuk
Country of Origin
Ryuk’s operations have been consistently linked to Russian-language cybercriminal ecosystems. Open-source intelligence and industry analysts generally attribute the group to organized cybercriminals based in or connected to the Russian Federation. There is no evidence suggesting ties between Ryuk and state-sponsored hacking groups; its focus remains largely financial.
Members
Ryuk appears to operate using a decentralized structure. Initial access is often secured via third-party access brokers who leverage loaders such as TrickBot, Emotet, and BazarLoader. Post-compromise operations are conducted by dedicated exploitation teams. By outsourcing various stages of their campaigns, Ryuk operators maintain flexibility, making it difficult to ascertain the exact size or composition of their organization.
Leadership
The leadership of Ryuk remains unknown. Public and private intelligence sources have not uncovered any evidence identifying specific individuals or aliases as key leaders. This opacity is characteristic of modular cybercriminal organizations, where responsibilities are compartmentalized across teams and affiliates.
Ryuk TTPs
Tactics
Ryuk employs a "big game hunting" tactic, specifically targeting organizations with significant financial resources and operational dependencies. Their goal is to maximize ransom payouts by leveraging the critical impact of their attacks on business continuity.
Techniques
Ryuk actors often use phishing emails with malicious attachments to deliver loaders like TrickBot and BazarLoader. These loaders facilitate further payload deployment, including credential harvesting tools and the Cobalt Strike framework. Once inside a network, lateral movement and reconnaissance enable the deployment of the Ryuk ransomware.
Procedures
Typical procedures include exploiting Remote Desktop Protocol (RDP) weaknesses, using stolen credentials for privileged access, establishing persistence through tools like PowerShell and scheduled tasks, and manually exfiltrating sensitive data. The final stage involves file encryption, paired with a ransom note demanding payment in cryptocurrency.
Want to Shut Down Threats Before They Start?
Notable Cyberattacks
- Tribune Publishing Attack (2018) — One of Ryuk’s early notable incidents, this attack disrupted print operations for several major newspapers.
- Healthcare Ransomware Campaign (2020) — U.S. healthcare facilities were warned of imminent ransomware threats tied to Ryuk, resulting in critical service disruptions and significant financial losses.
Law Enforcement & Arrests
While large-scale law enforcement efforts targeted various components of Ryuk’s attack chain, specific arrests tied directly to Ryuk operators are limited. Notable disruptions include takedowns of TrickBot and other loaders integral to Ryuk’s campaigns. Collaboration between private cybersecurity firms and agencies like the FBI and CISA remains key in mitigating their impact.
How to Defend Against Ryuk
Harden systems: Patch critical vulnerabilities in public-facing systems.Restrict or disable RDP; enforce MFA for remote access.Improve email filtering and attachment scanning.
Monitor and detect early loaders: Hunt for behaviors associated with TrickBot, Emotet, and BazarLoader.Deploy endpoint detection and response (EDR) tools with PowerShell and Cobalt Strike monitoring.
Backup resilience:Create offline, immutable backups and routinely test recovery processes.
Incident response: Implement detailed ransomware playbooks and run regular tabletop exercises.
User Awareness Campaigns: Train employees to recognize phishing attempts and follow cybersecurity best practices
Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Ryuk threats with enterprise-grade technology.
Detect, Respond, Protect
See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.
