How to remove Ryuk Ransomware (Uninstall guide)

Posted by & filed under Notifications.

Ryuk ransomware is a cryptovirus that targets companies with large ransom demands in order to extract the most profit from a single attack. Ordinary home users can be affected too, with their data corrupted or lost. A thorough system scan is needed to terminate the malware in time.

Ryuk is a ransomware virus that has already attacked and encrypted data at several companies, data centers and individual PCs. Several researchers have speculated that it belongs to the same family as Hermes ransomware, which has been attributed to the infamous Lazarus group. Once inside a system, Ryuk systematically encrypts selected data and makes it unusable. It also drops a RyukReadMe.txt ransom note on the desktop and in every folder it can find on the victim's computer, urging the victim to transfer a large ransom (between 15 BTC and 50 BTC, depending on the amount of encrypted data) to the Bitcoin wallet provided. Ryuk returned to the headlines after several attacks over the Christmas period, including one on the cloud hosting provider DataResolution.net. That newer version has been named RYK ransomware after the file extension it appends; it has alternatively been referred to as Cryptor2.0.

According to recent news reports, Ryuk ransomware is still spreading rapidly and infecting users worldwide. The FBI has reported that this threat has hit more than 100 businesses of various types in the United States.

Those attacks took place between August 2018 and mid-May 2019, a large number of victims for such a period. Experts attribute much of Ryuk's success to its delivery chain: it is typically dropped onto networks that have already been compromised by the TrickBot and Emotet trojans. The affected organizations are varied, including logistics companies, technology manufacturers and similar businesses.

Researchers are still establishing how Ryuk is distributed. It is believed to arrive as a phishing email attachment posing as an invoice, business report or similar document. The operators are also likely to abuse poorly protected RDP configurations to reach targeted companies.

To run on a computer, Ryuk needs administrative privileges, so each attack has to be carefully planned: credentials are gathered, the network is mapped, and so on. This led researchers at Check Point to conclude that the infection is engineered by sophisticated attackers experienced in targeted operations. According to Check Point, the malware bears strong similarities to Hermes 2.1 ransomware, which belongs to the infamous Lazarus group associated with the North Korean military.

Ryuk ransomware – The functionality

Before encrypting anything, Ryuk shuts down 180 services and more than 40 processes running on the system, executing taskkill and net stop commands against a predetermined list of process and service names. Backup, database and mail software are typical targets, since files held open by those programs could not otherwise be encrypted.
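That pre-encryption kill spree is a good hunting signal. The following is an added example (not code from the original article): a Python script that scans process-creation events for a burst of taskkill and net stop commands issued by one parent process on one host. The log line format, host names and parent PIDs are constructed for the example; adapt parse_event() to your own Sysmon Event ID 1 or Security 4688 export.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed process-creation events in a Sysmon Event ID 1 style, one per line.
# They are invented for this example, not captured from a real Ryuk incident.
SAMPLE_EVENTS = """\
2019-01-04T10:15:02Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /IM sqlservr.exe /F"
2019-01-04T10:15:02Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /IM sqlwriter.exe /F"
2019-01-04T10:15:03Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\net.exe cmdline="net stop MSSQLSERVER /y"
2019-01-04T10:15:03Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\net.exe cmdline="net stop VeeamBackupSvc /y"
2019-01-04T10:15:04Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /IM outlook.exe /F"
2019-01-04T10:15:04Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\net.exe cmdline="net stop MSExchangeIS /y"
2019-01-04T10:15:05Z host=FS01 ppid=3988 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /IM mysqld.exe /F"
2019-01-04T10:20:11Z host=WS07 ppid=1204 image=C:\\Windows\\System32\\taskkill.exe cmdline="taskkill /IM notepad.exe /F"
2019-01-04T11:02:40Z host=WS07 ppid=2210 image=C:\\Windows\\System32\\net.exe cmdline="net stop Spooler"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) image=(?P<image>\S+) cmdline="(?P<cmd>[^"]*)"$'
)
TASKKILL_RE = re.compile(r"\btaskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)
NETSTOP_RE = re.compile(r"\bnet1?\s+stop\s+(\S+)", re.IGNORECASE)


def parse_event(line):
    """Return a dict for one event line, or None if the line does not match the format."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def kill_target(cmdline):
    """Name of the process or service a taskkill / net stop command targets, else None."""
    m = TASKKILL_RE.search(cmdline) or NETSTOP_RE.search(cmdline)
    return m.group(1) if m else None


def find_kill_bursts(lines, window_seconds=60, threshold=5):
    """Flag any (host, parent pid) that issues at least `threshold` kill/stop
    commands within `window_seconds`. One parent spraying taskkill and net stop
    at backup, database and mail software is the pre-encryption pattern above."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        target = kill_target(ev["cmd"])
        if target is None:
            continue
        groups[(ev["host"], ev["ppid"])].append((ev["ts"], target))

    alerts = []
    for (host, ppid), events in groups.items():
        events.sort()
        best, start = [], 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = events[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                "host": host,
                "ppid": ppid,
                "count": len(best),
                "first": best[0][0].isoformat(),
                "last": best[-1][0].isoformat(),
                "targets": sorted({t for _, t in best}),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

A single taskkill from a helpdesk script (WS07 above) stays below the threshold; the server FS01, where one parent stops seven database, backup and mail components within three seconds, is flagged with the list of what was stopped, which is also the list of services to bring back after cleanup.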

The Ryuk virus then relies on an executable such as kIUAm.exe, which is launched once the victim reboots the system. Right after that it encrypts the victim's data (business documents, reports, photos, videos, databases and other personal information), appending its own file extension and using a combination of the RSA-4096 and AES-256 encryption algorithms.

Upon successful encryption, the virus drops ransom notes named RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt. They read as follows:

If the virus hits a company or similar organization, it drops a differently worded note:

While removing Ryuk ransomware will not give users their files back, it does get rid of the infection itself. We strongly recommend using reputable security software such as Reimage or SpyHunter, which is capable of removing all traces of the malware.

While the attackers try hard to convince victims that paying the ransom is a good idea (they even claim they will disclose the security hole they used and show how to fix it), security researchers advise against paying. These people belong to a high-profile criminal organization and cannot be trusted. Regardless of the criminals' warnings, remove Ryuk ransomware as soon as possible.

New Ryuk ransomware variant makes sure that matching PCs are not encrypted

A new version of Ryuk ransomware was first spotted by MalwareHunterTeam. This variant uses a newly discovered technique: once on the computer, it searches the host's network information (the output of arp -a) for IP address strings such as 10.30.4, 10.30.5, 10.30.6 and 10.31.32.

If any of these IP strings is found on the targeted system, the virus does not encrypt any stored files or documents. It also reads the computer name and looks for the strings "MSK", "Msk", "msk", "SPB", "Spb" and "spb".

If either check matches, Ryuk likewise leaves the computer unencrypted. Cybersecurity researchers believe the operators use this technique to avoid encrypting systems based in Russia (MSK and SPB are common abbreviations for Moscow and St. Petersburg). However, such a crude check is unlikely to protect those systems reliably once the malware spreads by worming through a network.
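As an added illustration (not code from the original article, and not the malware's own code), the Python below re-implements the two checks exactly as the text describes them, a plain substring search over arp -a output and over the computer name, and contrasts the IP check with a stricter octet-boundary match to show how crude it is. The host names and ARP listings are constructed; strict_subnet_hits() is an analyst-side re-check added here, not something Ryuk does.

```python
import re

# Markers reported for this Ryuk variant, taken from the text above.
IP_MARKERS = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
NAME_MARKERS = ("MSK", "Msk", "msk", "SPB", "Spb", "spb")

# Constructed `arp -a` outputs (invented hosts, not real captures).
ARP_OFFICE = """\
Interface: 192.168.10.15 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-11-22-33-44-55     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
"""
ARP_ACCIDENTAL = """\
Interface: 172.16.0.20 --- 0xc
  Internet Address      Physical Address      Type
  172.16.0.1            00-11-22-33-44-66     dynamic
  10.30.45.2            00-11-22-33-44-77     dynamic
"""
ARP_TARGET_SUBNET = """\
Interface: 10.30.4.17 --- 0xd
  Internet Address      Physical Address      Type
  10.30.4.1             00-11-22-33-44-88     dynamic
"""


def ryuk_ip_check(arp_output):
    """Naive substring search, as the text describes: first marker found, or None."""
    for marker in IP_MARKERS:
        if marker in arp_output:
            return marker
    return None


def ryuk_name_check(computer_name):
    """Substring search for the listed case variants over the computer name."""
    for marker in NAME_MARKERS:
        if marker in computer_name:
            return marker
    return None


def ryuk_would_skip(computer_name, arp_output):
    """Reason this variant would leave the host unencrypted ('ip:...' / 'name:...'), or None."""
    ip = ryuk_ip_check(arp_output)
    if ip:
        return "ip:" + ip
    name = ryuk_name_check(computer_name)
    if name:
        return "name:" + name
    return None


def strict_subnet_hits(arp_output):
    """Added analyst re-check (not part of Ryuk): match markers only on octet
    boundaries, so 10.30.45.2 does NOT count although it contains '10.30.4'."""
    ips = re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", arp_output)
    return [ip for ip in ips if any(ip == m or ip.startswith(m + ".") for m in IP_MARKERS)]


def triage(hosts):
    """hosts: iterable of (computer_name, arp_output). Returns {name: reason_or_None}."""
    return {name: ryuk_would_skip(name, arp) for name, arp in hosts}


SAMPLE_HOSTS = [
    ("FS01", ARP_OFFICE),           # ordinary host: encrypted
    ("WS-MSK-12", ARP_OFFICE),      # name marker: spared
    ("DB02", ARP_ACCIDENTAL),       # spared only by the substring accident
    ("Moskva-01", ARP_OFFICE),      # "Mosk" is not "Msk": encrypted
    ("PRN-spb", ARP_TARGET_SUBNET), # both checks match; the IP check fires first
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_HOSTS).items():
        print(f"{name:12} {'SKIPPED ' + reason if reason else 'encrypted'}")
```

The DB02 case is the point: a host whose ARP cache merely contains an address like 10.30.45.2 is spared by accident, while a Moscow workstation named Moskva-01 is not, which is why renaming machines to "vaccinate" them is not a dependable defence.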

Ransomware distribution techniques evolve from spam email to trojan malware

According to researchers, the virus uses phishing emails to get onto target systems. Large volumes of these messages are sent to businesses in order to encrypt more files and extract bigger ransoms. Bear in mind that merely opening an infected email attachment is enough to get infected. Such messages may also carry trustworthy-looking logos, addresses and other details impersonating Lloyds Bank, HSBC and similar companies, which increases the chance that the victim opens them.

To avoid losing important data, be extremely careful with emails from unknown senders. Double-check every detail of the message, and hover the mouse over any link to see where it actually leads before clicking it.
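The hover-and-check advice can be applied to received mail automatically. The following is an added example (not from the original article): it parses a constructed .eml message with Python's standard library, flags links whose visible text names a domain the href does not actually lead to, and lists attachments with executable, double or macro-enabled extensions. The sender, domains and attachment names are invented for the example; the extension lists are the editor's assumptions, not a complete catalogue.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message (invented sender, domains and attachments; not a real sample).
SAMPLE_EML = """\
From: "HSBC Secure Messaging" <alerts@hsbc-secure-notice.example>
To: accounts@victim.example
Subject: Outstanding invoice 4471 - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please review the attached invoice and confirm it at
<a href="http://login.hsbc.co.uk.verify-cdn.example/secure">https://www.hsbc.co.uk/secure</a>.</p>
<p>Help: <a href="https://www.hsbc.co.uk/help">https://www.hsbc.co.uk/help</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="Report.docm"
Content-Disposition: attachment; filename="Report.docm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQ==
--b1--
"""

# Assumed extension lists for the example; extend to taste.
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
            "wsf", "hta", "lnk", "ps1", "msi", "jar"}
MACRO_EXT = {"docm", "dotm", "xlsm", "xlam", "pptm"}
LEGACY_OFFICE_EXT = {"doc", "xls", "ppt", "rtf"}

# Visible link text that names a domain (with or without scheme/path).
DOMAIN_TEXT_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:].*)?$", re.I)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._buf = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(value):
    """Lower-case host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_mismatches(links):
    """Links whose visible text names a domain that the href does not actually go to."""
    out = []
    for href, text in links:
        if not DOMAIN_TEXT_RE.match(text):
            continue  # 'click here' style text: nothing to compare against
        shown, real = _host(text), _host(href)
        if real != shown and not real.endswith("." + shown):
            out.append((href, text))
    return out


def risky_attachments(msg):
    """(filename, reason) for attachments with executable, double or macro extensions."""
    out = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXEC_EXT:
            why = "executable" + (", double extension" if len(pieces) > 2 else "")
        elif ext in MACRO_EXT:
            why = "macro-enabled Office document"
        elif ext in LEGACY_OFFICE_EXT:
            why = "legacy Office format (may carry macros)"
        else:
            continue
        out.append((name, why))
    return out


def analyze_eml(raw):
    """Parse one RFC 822 message and return the suspicious links and attachments."""
    msg = email.message_from_string(raw, policy=policy.default)
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _Anchors()
            parser.feed(part.get_content())
            links.extend(parser.links)
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "mismatched_links": link_mismatches(links),
        "risky_attachments": risky_attachments(msg),
    }


if __name__ == "__main__":
    report = analyze_eml(SAMPLE_EML)
    for href, text in report["mismatched_links"]:
        print(f"link text {text!r} really goes to {href}")
    for name, why in report["risky_attachments"]:
        print(f"attachment {name}: {why}")
```

The domain comparison deliberately accepts subdomains of the shown domain (cdn.example.org for example.org) but not the reverse, which is the trick the constructed link uses: the real host only starts with hsbc.co.uk, it does not end with it.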

One theory is that Emotet and TrickBot are used to distribute this ransomware: once they have gained a foothold in the target network, these trojans load additional malware for a fee. Access through TrickBot has often been rented only to select customers.

Make sure to remove Ryuk ransomware from the system using professional tools

Manual removal of Ryuk is a difficult undertaking. It is a serious threat that arrives with numerous components, which can realistically only be found by a full system scan with anti-spyware software. Such programs remove the malicious files and also repair the registry, which the virus typically alters after infiltration.

Unfortunately, removing Ryuk does not decrypt your files: the decryption key needed to recover locked data is held on remote servers controlled by the ransomware crew. Don't despair, though; check whether you have copies of the encrypted data on external devices or other backups. If not, use the steps below to remove the infection.
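Before deciding between restoring from backup and cleaning up in place, it helps to know exactly what the infection touched. The following is an added example (not from the original article): a Python inventory script that walks a directory tree, lists every RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt that was dropped, and counts files carrying the encrypted extension by their original type. The sample tree it builds in a temporary directory is constructed for the example, and the .ryk extension is taken from the RYK variant described above; set ENCRYPTED_EXT to whatever your sample appends.

```python
import os
import tempfile
from collections import Counter

RANSOM_NOTES = {"ryukreadme.txt", "unique_id_do_not_remove.txt"}  # note names from the text above
ENCRYPTED_EXT = ".ryk"  # extension of the RYK variant named above; compared case-insensitively


def inventory(root):
    """Walk `root` and summarise what the ransomware touched: where notes were
    dropped, how many files carry the encrypted extension, and what they were."""
    notes, by_type, dirs = [], Counter(), set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            low = name.lower()
            if low in RANSOM_NOTES:
                notes.append(os.path.relpath(os.path.join(dirpath, name), root))
                dirs.add(os.path.relpath(dirpath, root))
            elif low.endswith(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]          # strip the appended extension
                by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
                dirs.add(os.path.relpath(dirpath, root))
    return {
        "notes": sorted(notes),
        "encrypted_total": sum(by_type.values()),
        "encrypted_by_type": dict(by_type),
        "directories": sorted(dirs),
    }


def build_sample_tree(base):
    """Constructed victim-like tree for the example; not a real filesystem image."""
    layout = {
        ("Users", "alice", "Documents"): ["Q3_report.docx.RYK", "budget.xlsx.RYK", "RyukReadMe.txt"],
        ("Users", "alice", "Documents", "Photos"): ["holiday.jpg.RYK", "RyukReadMe.txt"],
        ("Users", "alice", "Desktop"): ["UNIQUE_ID_DO_NOT_REMOVE.txt", "RyukReadMe.txt", "todo.txt"],
        ("Windows", "System32"): ["kernel32.dll"],
    }
    for parts, names in layout.items():
        d = os.path.join(base, *parts)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"\x00" * 16)
    return base


def sample_inventory():
    """Build the sample tree in a temporary directory, inventory it, return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_tree(tmp))


if __name__ == "__main__":
    result = sample_inventory()
    print(f"{result['encrypted_total']} encrypted files: {result['encrypted_by_type']}")
    print("ransom notes:", *result["notes"], sep="\n  ")
    print("directories touched:", *result["directories"], sep="\n  ")
```

Run it against a mounted image or a share (read-only) rather than the live infected host; the set of directories that received a note is also a useful bound on how far the operators' session reached, which matters when deciding which backups are trustworthy.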

 

Ryuk Removal Steps:

 

METHOD 1 – REMOVE RYUK USING SAFE MODE WITH NETWORKING

To remove Ryuk ransomware in Safe Mode, perform the following procedure, then repeat the scan in normal mode.

Step 1: Reboot your computer to Safe Mode with Networking

Windows 7 / Vista / XP

    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

  1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
  2. Select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.

Step 2: Remove Ryuk

Log in to the infected account and start the browser. Download a legitimate anti-spyware program, update it, run a full system scan and remove the malicious files that belong to the ransomware to complete Ryuk removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

 

METHOD 2 – REMOVE RYUK USING SYSTEM RESTORE

To recover your system with System Restore, use the following guide:

Step 1: Reboot your computer to Safe Mode with Command Prompt

Windows 7 / Vista / XP

    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

Windows 10 / Windows 8

  1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
  2. Select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
  3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.

 

Step 2: Restore your system files and settings

 

1. Once the Command Prompt window shows up, type cd restore and press Enter.

2. Now type rstrui.exe and press Enter again.

3. When a new window shows up, click Next and select a restore point dated before the Ryuk infiltration. Then click Next.

4. Now click Yes to start system restore.

 

Once you have restored your system to an earlier date, download an anti-spyware program and scan your computer to make sure Ryuk removal was successful. Note that System Restore reverts system files and settings only; it does not recover encrypted documents, and ransomware of this kind commonly deletes Volume Shadow Copies before encrypting, so a usable restore point may not exist.

 

The information contained in this website is for general information purposes only. The information is gathered from 2-Spyware. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.