Ryuk ransomware earnings top $150 million

The devastating strain is now among the most widely-deployed following several high-profile attacks in 2020

Abstract image of a padlock above a large ransomware sign to symbolise cyber security

The operators behind the notorious Ryuk ransomware family, one of the world’s fastest-spreading strains, have earned more than $150 million (roughly £110 million) through criminal activity to date.

The ransomware strain has targeted high-profile organisations across the world in recent months, accruing millions of dollars in ransom payments, normally in Bitcoin from a single broker, according to research by Advanced-Intel and HYAS.

Analysis of Bitcoin transactions from known Ryuk addresses has revealed a criminal enterprise estimated to be worth more than $150 million, with ransom payments sometimes amounting to millions of dollars at a time.

Several major organisations have fallen at the hand of Ryuk last year, including French IT services giant Sopra Steria, which confirmed in October it was targeted in an attack that took weeks for the firm to recover from. This incident reportedly cost the company up to €50 million (approximately £45 million). Ryuk has also targeted healthcare organisations in the past, including attacks on several US hospitals in September last year.

Advanced-Intel researcher Vitali Kremez previously revealed in November 2020 that Ryuk’s largest ransom payment was 2,200 Bitcoins, worth $34 million (roughly £25 million) at the time. If that ransom was paid today, it would be worth more than $90 million (more than £66 million), due to the recent Bitcoin surge.

The scale of disruption caused by Ryuk is impressive considering it’s a relatively young strain which only rose to prominence in 2020, having previously been relatively obscure. Research shows only 5,123 attacks were recorded in the first three quarters of 2019, for instance, compared to 67 million during 2020, with Ryuk comprising a third of all ransomware attacks last year.

The new research also outlined how precursor malware strains, which infect enterprise systems before Ryuk is deployed, assess targets for how lucrative they may be. These calculate a score based on various factors to determine how likely victims might be to pay a larger ransom, which informs the operators’ next steps.

The Ryuk hackers are also described as “very business-like” in the report, and “have zero sympathy for the status, purpose, or ability of the victims to pay”. Victims may attempt to negotiate, but the operators commonly respond with a one-word denial. In one case, Ryuk refused to acknowledge the fact that an organisation lacked the means to pay due to being involved in poverty relief. 

The researchers cited various steps that organisations can take to best protect themselves against being hit by Ryuk or any of the precursor malware strains, including Emotet, Zloader, and Qakbot among others.

Related Resource

Securing a remote workforce with a zero-trust strategy

Why zero-trust is the latest foundational cyber security construct for the modern workplace

Download now

These approaches include restricting the execution of Microsoft Office macros to prevent malicious scripts from running in enterprise environments, as well as ensuring all remote access points are up-to-date and require multi-factor authentication (MFA).

Finally, organisations should consider the use of remote access tools as especially risky, including Citrix and Microsoft remote desktop protocol (RDP). The exposure of these systems should, therefore, be limited to a specific list of IP addresses when their use is required.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now


Best ransomware removal tools

Best ransomware removal tools

9 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type

How to find RAM speed, size and type

8 Apr 2021
Roadmap 2021: What’s coming from 3CX
Advertisement Feature

Roadmap 2021: What’s coming from 3CX

30 Mar 2021