Ryuk Ransomware Removal Guide

Do you know what Ryuk Ransomware is?

Ryuk Ransomware is a major security threat that targets businesses and organizations. Like most ransomware infections, this program encrypts data files and displays a ransom note ordering the victim to pay a ransom fee. Targeting businesses and organizations makes it more likely that Ryuk Ransomware will receive the ransom, but security experts tirelessly repeat that paying is not an option, and that by paying, companies would only allow this infection to thrive. Hence, it is far more important to remove Ryuk Ransomware from the affected system as soon as possible.

We have grounds to believe that the owners of the infection used a common ransomware code and tweaked it according to their preferences. Based on our research, Ryuk Ransomware seems to share some parts of its code with Hermes Ransomware. Unfortunately, we cannot use anything we know about Hermes Ransomware to battle this infection because even if ransomware programs share parts of their code, they are still unique, and so are the decryption keys necessary to decrypt the affected files. In fact, the best way to fight these infections is to prevent them from occurring rather than deal with them first hand.

To prevent the Ryuk Ransomware infection, you need to know how this program spreads. Our research team says that this program usually employs spam emails and unsafe Remote Desktop Protocol connections to affect businesses and other corporate computer systems. In other words, if just one employee opens a malicious file on a computer that is connected to a network, the infection spreads like fire through the entire network. As a result, it can paralyze the entire company.

Hence, it is important to be careful about new files you receive from unfamiliar senders. Even if you have a habit of opening new files automatically, please think twice before launching a spam email attachment. Of course, sometimes it might be hard to tell a spam email apart from regular mail because spam messages are so sophisticated these days. However, if we were to give one piece of advice, it would be this: consider scanning the files with a security tool before opening them. With a little bit of training, any employee should be able to tell a regular file apart from something fishy. Yet, there is always room for doubt, and if that happens, a file scan could save the day.

Now, what happens when Ryuk Ransomware enters the target system? When the infection hits the system, it encrypts files using a combination of the AES and RSA encryption algorithms. Unlike most ransomware infections, Ryuk Ransomware does not append its own extension to the encrypted files. When the encryption is complete, the program runs this command: vssadmin Delete Shadows /all /quiet. With this command, the program deletes all the Shadow Volume copies, and it may also try to delete other sorts of backup files, if it can recognize them. From this, we can see that the infection tries to make sure that the victim has no way to retrieve their files.
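The shadow-copy deletion described above is a useful detection point, because the command is rarely run with both /all and /quiet during normal administration. The following is an added example, not code from the original guide: it checks process-creation command lines for that command in its common spellings, and the hosts and log records are constructed for illustration.

```python
import re

# "vssadmin" or "vssadmin.exe", bare, quoted or with a path, followed by
# "delete shadows" in any case and spacing; the rest is kept as arguments.
SHADOW_DELETE = re.compile(
    r'(?:^|[\\/\s"])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$',
    re.IGNORECASE,
)

# Constructed process-creation records (host, command line); not real telemetry.
EVENTS = [
    ("WS-014", r'vssadmin Delete Shadows /all /quiet'),
    ("SRV-02", r'"C:\Windows\System32\vssadmin.exe" delete shadows /All /Quiet'),
    ("WS-014", r'cmd.exe /c "vssadmin  DELETE   shadows /all /quiet"'),
    ("ADM-01", r'vssadmin list shadows'),
    ("ADM-01", r'vssadmin delete shadows /for=C: /oldest'),
    ("WS-020", r'notvssadmin delete shadows /all'),
]

def classify(command_line):
    """Return 'high', 'review' or None for one command line."""
    m = SHADOW_DELETE.search(command_line)
    if not m:
        return None
    # Normalise the switches: drop a trailing quote left by cmd /c "..."
    flags = {a.strip('"').lower() for a in m.group("args").split()}
    if {"/all", "/quiet"} <= flags:
        return "high"      # the exact form this guide describes
    return "review"        # shadow deletion, but a narrower form

def find_shadow_deletions(events):
    """Return (host, severity) for every record that deletes shadow copies."""
    hits = []
    for host, command_line in events:
        severity = classify(command_line)
        if severity:
            hits.append((host, severity))
    return hits

if __name__ == "__main__":
    for host, severity in find_shadow_deletions(EVENTS):
        print(f"{severity:6} {host}")
```

A "high" hit on more than one host in a short time window fits the network-wide spread described earlier and is worth escalating immediately.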

Apart from encrypting the files and deleting the system backup, Ryuk Ransomware also displays the following ransom note:

Gentlemen!

Your business is at serious risk.
There is a significant hole in the security system of your company.
We've easily penetrated your network.

<…>

Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.

<…>

You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business

It is clear to see that the main objective of the criminals behind Ryuk Ransomware is financial profit. They might say they will issue the decryption key once the ransom is paid, but there is no guarantee for that. Businesses and corporations should not succumb to these threats because they might end up losing their money and not getting their data back.

We recommend consulting an experienced technician or a cyber security specialist, who can come up with a list of potential file recovery options. It would be a lot more convenient and most probably cheaper.

How to Delete Ryuk Ransomware

  1. Delete the most recently launched file.
  2. Press Win+R and enter regedit. Press OK.
  3. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  4. Right-click and delete the svchos value on the right.
  5. Remove malicious files from your Desktop.
  6. Run a full system scan with SpyHunter.
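Steps 3 to 5 can be checked across many machines by collecting the output of reg query for the Run key and parsing it. The following is an added example, not part of the original guide: it finds the svchos value and the file it launches, so that both the value and the file can be removed. The sample output and its paths are constructed placeholders.

```python
import re

SUSPECT_VALUE = "svchos"  # value name given in the removal steps above

# Constructed sample of `reg query` output; the paths are placeholders.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Svchos    REG_SZ    C:\Users\alice\Desktop\PLACEHOLDER sample.exe /q
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
ENTRY = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
UNQUOTED_EXE = re.compile(r"^(.+?\.(?:exe|bat|cmd|com|scr|vbs|js|ps1))(?=\s|$)", re.I)

def target_path(data):
    """Extract the launched file from a Run value, with or without quotes."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = UNQUOTED_EXE.match(data)  # unquoted paths may contain spaces
    return m.group(1) if m else data.split(" ", 1)[0]

def parse_run_key(text):
    """Return (name, type, data) for every value line in the output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m["name"].strip(), m["type"], m["data"]))
    return entries

def find_suspect(text, name=SUSPECT_VALUE):
    """Return the matching Run values with the file each one starts."""
    hits = []
    for value, _type, data in parse_run_key(text):
        if value.lower() == name.lower():  # registry names are case-insensitive
            path = target_path(data)
            hits.append({"value": value, "path": path,
                         "on_desktop": "\\desktop\\" in path.lower()})
    return hits

if __name__ == "__main__":
    for hit in find_suspect(SAMPLE):
        print(hit)
```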

In non-techie terms:

Ryuk Ransomware is a malicious program that can cripple the entire computer network. It usually arrives with a spam email message, and people infect their computers with this program accidentally. It might not be possible to restore most of the encrypted files, and users should be mentally ready for that. If you are willing to wait, you might also check later to see if there’s a public decryption tool available. There is no such tool out there at the moment of writing, so you need to remove Ryuk Ransomware and protect your computer from similar intruders yourself.