GovWhitePapers Logo

Sorry, your browser is not compatible with this application. Please use the latest version of Google Chrome, Mozilla Firefox, Microsoft Edge or Safari.

Security Primer – Ryuk

Ryuk is the most prevalent ransomware variant in the state, local, tribal, and territorial (SLTT) government sector. It is the number one reported variant of 2019, accounting for approximately a quarter of incidents reported to the MS-ISAC. Ryuk and ransomware infections in general continue to increase in tandem with their overall impact and monetary demands. Furthermore, Ryuk’s ability to delete shadow copies and backups makes a Ryuk infection extremely costly and almost impossible to remediate. For instance, an SLTT government paid approximately $600,000 after Ryuk encrypted nearly all the files on their network.

Ryuk uses an advanced three tier encryption model to encrypt files until a ransom is paid. It is often dropped on a system by other malware (e.g., TrickBot) or delivered by cyber threat actors (CTAs) after compromising a system via Remote Desktop Services. Once on a system, CTAs deploy Ryuk throughout the network using PowerShell, PsExec, or Group Policy, with the aim of infecting as many systems as possible.


Interested in ransomware? Check out this GovWhitePapers blog post! You can also find ransomware events on our sister site, GovEvents.


  • Author(s):
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Share this:
  • Share on Facebook
  • Share on Twitter
  • Share via Email
  • Share on LinkedIn
Security Primer – Ryuk
  • White Paper
Website:Visit Publisher Website
Publisher:Cybersecurity and Infrastructure Security Agency (CISA)
Published:January 24, 2020
Copyright:© The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit or follow us on Twitter: @CISecurity.

Featured Content

Contact Publisher

Claim Content