This article will aid you to remove .RYK File virus. Follow the ransomware removal instructions provided at the end of the article.

ryuk ransomware virus RYK extension ransom note

RYK (Ryuk) Ransomware Virus

Ryuk Ransomware, also known as .RYK File Virus will encrypt your data and demands money as a ransom to get it restored. Files will receive the .RYK extension as a secondary one, without any changes made to the original name of an encrypted file. The .RYK File Virus will leave ransomware instructions inside a text file. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

Name Ryuk Ransomware
Type Ransomware, Cryptovirus
Short Description The ransomware encrypts files by placing the .RYK extension on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Ryuk Ransomware


Malware Removal Tool

User Experience Join Our Forum to Discuss Ryuk Ransomware.
Data Recovery Tool Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

February 2020 Ryuk Ransomware New Findings

As more and more information becomes available about the infections, new findings indicate how one of the latest campaigns is set against the target users. Multiple criminal groups organize specially victim-centric campaigns tht in the end have resulted in a total revenue of about 3.7 million dollars. A very large part of the infections are set against enterprise networks — the businesses are far more likely to hold valuable data and pay the ransomware decryption fee. During the initial infection in some of the campaigns the analysts have uncovered that other malware have been used as well. Ryuk ransomware attacks have also used TrickBot and Emotet to send email spam campaigns to prospective victims.

Some of the specific vulnerabilities which are targeted by the Ryuk ransomware include the following:

  • CVE-2013-2618 — This is a cross-site-scripting bug (XSS vulnerability) in Network Weathermap versions before 0.97b. The problem lies within editor.php which allows hackers to inject web scripts or HTML code.
  • CVE-2017-6884 — This is an issue in Zyxel EMG2926 with firmware version V1.00(AAQT.4)b8 which is categorized as a command injection vulnerability. The problem lies in the nslookup diagnostic tool which can be exploited by the hackers.
  • CVE-2018-8389 — This is a remote code execution in Internet Explorer.
  • CVE-2018-12808 — A remote code vulnerability was discovered in Adobe Acrobat and Reader applications. The hackers are primarily using SPAM email messages which include scripts that exploit the applications.

February 2020 Ryuk Ransomware New Samples

February 2020 started with another development around the Ryuk ransomware. This time its a new sample that provides a new contact email address — An analysis of the file shows that the active campaign may be launched by a different hacking group than the previous samples. What’s interesting is that the new Ryuk virus has been able to stop some of the automated analysis tools during the initial checks. This means that it can allow the remote attackers to carry out Trojan operations — the overtaking of control over the machines, data theft and the installation of other viruses. What’s particularly noteworthy about the new release is that it can drop multiple virus files which makes recovery much more difficult.

January 2020 Ryuk Ransomware Update

In the end of January 2020 a new update to the Ryuk ransomware has been released which includes a signed certificate which will make it harder to differentiate it from malware as the system will trust it as a safe file. The certificate authority that has issued it has provided a long expiration date and all required parameters.

The virus engine contains many features that are also part of the previous samples. Some of the major components of the new releases include the following:

  • Active Cryptocurrency Module — The security analysis shows that the new virus releases include a cryptocurrency module. It will take advantage of the available hardware resources by running a sequence of intensive and complex mathematical tasks. For each completed job the hackers will receive cryptocurrency directly to their wallets.
  • Advanced Security Bypass — This particular update includes an extensive list of security bypass techniques that are called in order to hide the presence of the virus from both the operating system and anti-virus products.
  • Trojan Functions — Not only will the Ryuk ransomware report back to the hackers through a secured connection, but will also exhibit banking Trojan functionality. This means that the engine will actively scan if the users are using any online banking services and attempt to steal the credentials or manipulate them. The reason why this is done is to conduct financial abuse crimes.
  • Code Execution — The Ryuk ransomware is capable of executing dangerous scripts and codes on the infected machines. This is especially dangerous as the virus can obtain administrative privileges.

The information gathering process is rated as extremely in-depth and detailed. Contaminated hosts will usually have a lot of information hijacked and sent to the users.

One of the latest updates to the Ryuk ransomware adds in a Wake-on-Lan feature which is found only among the most dangerous computer threats. The security researchers have uncovered that the code has been placed among some of the latest versions of the virus. In live attacks the ransomware will turn on shut down devices as soon as a network has been impacted. This is mostly effective in business and enterprise scenarios where this functionality is used on a daily basis. Administrators typically rely on it to push updates or run scheduled tasks when the computers are not in use.

The mechanism is done by launching a virus-controlled sub process with a special argument called “8 LAN”. If the Wake-on-Lan action is successful then the Ryuk will attempt to mount the main drive (C:) over a network share. This will allow the main engine to encrypt files remotely and thus spread onto other machines. By following this mechanism in a matter of minutes the Ryuk ransomware can potentially infect hundreds of machines.

.RYK File Virus (Ryuk) – Distribution Techniques

The .RYK File ransomware might distribute itself via different tactics. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer device will become infected. Below, you can see the payload file of the cryptovirus being detected by the VirusTotal service:

ryuk ransomware virus RYK extension virustotal detection page

Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware located at the corresponding forum thread.

.RYK File Virus (Ryuk) – Technical Details

.RYK FilesVirus is actually ransomware, so it encrypts your files and opens a ransom note, with instructions inside it, about the compromised computer machine. The extortionists want you to pay a ransom fee for the alleged restoration of your data. The ransomware is a variant of an older

Ryuk Virus which had a similar ransom note.

.RYK File Virus might make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to start the virus automatically with each boot of the Windows Operating System.

After encryption the .RYK File virus creates a ransom note inside a text file. The note is named RyukReadMe.txt as you can see from the below screenshot:

ryuk ransomware virus RYK extension ransom note message

The note reads the following:

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
More than a year ago, world experts recognized the impossibility of deciphering by any means except the oridinal decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT DELETE readme files.

To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free.

To get info (decrypt your files) contact us at

BTC wallet:

No system is safe

Even if a note is shown, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted all over again after payment.

.RYK File Virus (Ryuk) – Encryption Process

The encryption process of the .RYK File ransomware rather simple – every file that gets encrypted will become simply unusable. Files will get the .RYK extension after being locked. The extension is placed as a secondary one, without any changes made to the original name of an encrypted file.

A list with the known, targeted extensions of files which are sought to get encrypted is currently very small. Files which get encrypted have the following extensions:

→ .doc, .docx, .jpg, .jpeg, .xls, .xlsx, .pdf

The files used most by users and which are probably encrypted are from the following categories:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

The .RYK File cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

In case the above-stated command is executed that will make the effects of the encryption process more efficient. That is due to the fact that the command eliminates one of the prominent ways to restore your data. If a computer device was infected with this ransomware and your files are locked, read on through to find out how you could potentially restore some files back to their normal state.

.RYK File (Ryuk) Virus – Update September 2019

September 2019 brings another update for the RYK ransomware virus. In the picture below you can see the current detections for the new variant on the VirusTotal platform:


The new e-mail addresses that the cybercriminals are using in the ransom notes are the following:


The ransomware seems to be booming and not faded as people would have hoped. Be wary when browsing the Internet and do backups to avoid being a victim of RYK ransomware virus.

.RYK File (Ryuk) Virus – Update August 2019

Throughout July and the beginning of August 2019 a new attack campaign with the Ryuk ransomware has been detected. It does not differ significantly from previous samples as it uses the same distribution tactics. Depending on the actual local conditions and hacking instructions various malicious actions can be made. As this is a modification of the base engine we anticipate that the hackng group behind it may have ordered the customization on the underground markets. An alternative is for them to have created the threat by themselves. This is done by taking the original source code and making the necessary changes.

When the malicious actions have all completed running the file encryption module will start. Once again using a built-in list of target file type extensions the Ryuk files virus will target the most common user data:

  • Documents
  • Databases
  • Multimedia Files
  • Archives
  • Backups
  • Restore Points & System Data

Again the .RYK extension will be applied to the files and the victims will be blackmailed to pay a decryption fee to the hackers.

.RYK File (Ryuk) Virus – Update June 2019


Ryuk Ransomware has been updated to check the output of the “arp –a” parameter for specific IP address strings. In case these strings are found, the ransomware will not encrypt the files on that computer. Here are some of the partial IP address strings in question: 10.30.4, 10.30.5, 10.30.6, or 10.31.32.

Another update of Ryuk includes the ransomware comparing the computer name to the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk”, and “msk”, and if those are found, the computer won’t be encrypted. It is most likely that all this is done so that the ransomware operators don’t target computers in Russia for encryption. As for the rest of its activities, they appear to be the same as in the previous version.

.RYK File (Ryuk) Virus – Update December 2019

According to the latest information from December 2019 released by EmsiSoft researchers:

The decryptor provided by the Ryuk authors will truncate files, cutting off one too many bytes in the process of decrypting the file. Depending on the exact file type, this may or may not cause major issues. In the best case scenario, the byte that was cut off by the buggy decryptor was unused and just some slack space at the end created by aligning the file towards certain file size boundaries. However, a lot of virtual disk type files like VHD/VHDX as well as a lot of database files like Oracle database files will store important information in that last byte and files damaged this way will fail to load properly after they are decrypted.

In simple words, this means that paying the ransom to cybercriminals will likely not result in the successful decrypton of enciphered data.

Remove .RYK File Virus (Ryuk)

If your computer system got infected with the .RYK File ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Follow Me:

Source link

Write a comment:

Your email address will not be published.