Ransomnews
Cybercrime

Ryuk: The Big-Game Hunter That Made Ransomware a Boardroom Problem

By Jesse William McGraw, April 26, 2026
Crimson brushstroke mark hovering over a corporate skyline symbolising Ryuk big-game hunting ransomware

If LockBit, BlackCat, and Cl0p define the modern ransomware era, Ryuk is the operation that built the runway. Between 2018 and 2020, Ryuk’s operators demonstrated that targeted, hand-selected enterprise victims would pay ransoms two and three orders of magnitude larger than the spam-driven ransomware of the previous decade. The lessons learned from Ryuk became the playbook for Conti, and through Conti, for almost every serious operator that followed.

Origins and lineage

Ryuk first appeared in August 2018. Initial reporting tied it to Hermes, a ransomware the North Korean Lazarus Group had used a year earlier in the heist against Taiwan's Far Eastern International Bank (FEIB). That attribution did not hold up: Hermes had simply been sold or leaked into the cybercrime market, and Ryuk was a substantial fork operated by a Russian-speaking crew that CrowdStrike tracks as Wizard Spider (its Ryuk cell was initially catalogued as Grim Spider) and Mandiant as UNC1878. The same crew was responsible for TrickBot, the prolific banking trojan turned malware loader that became Ryuk's primary distribution channel.

The group's naming and trolling were idiosyncratic. "Ryuk" is the name of a death god in the manga Death Note. Ransom notes were brief and unusually polite, and file extensions and contact email addresses changed across campaigns. Ryuk never ran a leak site; double extortion was not yet a standard tactic while it was active.

The big-game hunting model

Ryuk’s central innovation was operational rather than technical. Where its predecessors mass-distributed lockers through spam and exploit kits in the hope of catching a few paying users, Ryuk picked targets carefully. The flow was:

  • A wide TrickBot or Emotet infection campaign would land malware on tens of thousands of machines.
  • Operators would triage infected hosts and identify those belonging to enterprises with deep pockets and intolerance for downtime.
  • Selected infections would be escalated to hands-on-keyboard intrusions, from 2020 often by handing off to a second loader, BazarLoader.
  • Cobalt Strike would be deployed, lateral movement performed, domain admin obtained, and backups destroyed.
  • Ryuk would be detonated, often during a holiday weekend, with ransom demands ranging from hundreds of thousands to millions of dollars.

This pipeline turned commodity infections into bespoke enterprise extortion, and it became the canonical "big-game hunting" model.

Notable victims

Ryuk’s victim list is overwhelmingly mid-to-large US-based enterprises and US public-sector entities:

  • Tribune Publishing (December 2018), which disrupted the production of major US newspapers including the Los Angeles Times.
  • Multiple US municipalities, school districts, and county governments.
  • Universal Health Services (September 2020), one of the largest US hospital chains, in an attack that disrupted patient care across hundreds of facilities.
  • EMCOR and Pitney Bowes, among other corporate victims.
  • Numerous US healthcare providers in the second half of 2020, prompting an unusually direct joint advisory from CISA, the FBI, and HHS warning of "an increased and imminent cybercrime threat" to the US healthcare sector.

By the end of 2020, Ryuk was estimated to have produced more than $150 million in ransom revenue, with blockchain analytics firms tracing the proceeds through a small set of frequently used cryptocurrency exchanges and OTC desks tied to laundering networks in the post-Soviet space.

The technology

The Ryuk locker was capable but not exotic. It encrypted files with AES-256, wrapping each per-file key with an RSA-2048 public key embedded in the binary. It targeted a large list of file extensions, killed common backup and database services, deleted shadow copies, and propagated within networks through SMB and Windows Management Instrumentation. Its real strength was the operational maturity of the team running it, not novelty in the encryption.
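The pre-encryption staging described above (shadow copies deleted, backup and database services stopped, propagation over SMB and WMI) is the part of a Ryuk intrusion that a detection engineer can still catch before the locker runs. The following is an added example, not Ryuk's code and not from the article or its author: it turns those three behaviours into weighted rules over constructed Sysmon-style process-creation lines and alerts on a host only when several distinct actions cluster within minutes. The concrete command lines it matches (vssadmin, wbadmin, net stop, wmic /node, copies to ADMIN$) and the sample log are assumptions about how those behaviours typically appear, not details quoted from the page.

```python
"""Score hosts for Ryuk-style pre-encryption staging in process-creation logs.

Added example, not Ryuk's code and not from the article. The command-line
patterns and the sample log below are constructed assumptions about how the
behaviours in the text (shadow copy deletion, backup/database service kills,
SMB/WMI propagation) show up in Sysmon Event ID 1 data.
"""
import re
from datetime import datetime

# Constructed sample log in a simplified Sysmon Event ID 1 shape:
# timestamp|host|parent_image|image|command_line
SAMPLE_LOG = """\
2020-09-26T02:11:04Z|FS01|cmd.exe|vssadmin.exe|vssadmin Delete Shadows /All /Quiet
2020-09-26T02:11:05Z|FS01|cmd.exe|vssadmin.exe|vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
2020-09-26T02:11:07Z|FS01|cmd.exe|wbadmin.exe|wbadmin DELETE SYSTEMSTATEBACKUP
2020-09-26T02:11:20Z|FS01|cmd.exe|net.exe|net stop "Veeam Backup Service" /y
2020-09-26T02:11:21Z|FS01|cmd.exe|net.exe|net stop MSSQLSERVER /y
2020-09-26T02:12:40Z|FS01|cmd.exe|cmd.exe|copy C:\\Users\\Public\\win.exe \\\\SQL02\\ADMIN$\\win.exe
2020-09-26T02:12:41Z|FS01|cmd.exe|wmic.exe|wmic /node:SQL02 process call create "C:\\Windows\\win.exe"
2020-09-26T08:30:00Z|WS17|explorer.exe|OUTLOOK.EXE|"C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"
2020-09-26T09:02:13Z|BK01|services.exe|vssadmin.exe|vssadmin list shadows
"""

# (rule name, weight, pattern over the command line). Weights favour actions
# that only make sense immediately before encryption.
RULES = [
    ("shadow_copy_delete", 4,
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|shadowcopy\s+delete", re.I)),
    ("shadow_storage_resize", 2,
     re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("backup_catalog_delete", 3,
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("backup_or_db_service_stop", 2,
     re.compile(r"net(\.exe)?\s+stop\s+\"?(veeam|backup|sql|mssql|oracle|exchange)", re.I)),
    ("smb_admin_share_copy", 3,
     re.compile(r"\\\\[\w.-]+\\(admin|c)\$\\", re.I)),
    ("wmi_remote_process_create", 4,
     re.compile(r"wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
]

# A lone vssadmin delete is routine admin work; a burst of several distinct
# actions on one host within minutes is the ransomware signal.
ALERT_THRESHOLD = 6
BURST_WINDOW_SECONDS = 600


def parse_line(line):
    """Split one pipe-delimited record into its fields; timestamps are UTC ISO-8601."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "parent": parent, "image": image, "cmd": cmd}


def score_hosts(log_text):
    """Return {host: {"score", "hits", "first", "last"}} for hosts with at least one rule hit."""
    hosts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        for name, weight, rx in RULES:
            if not rx.search(ev["cmd"]):
                continue
            h = hosts.setdefault(ev["host"], {"score": 0, "hits": [],
                                              "first": ev["ts"], "last": ev["ts"]})
            h["score"] += weight
            h["hits"].append(name)
            h["first"] = min(h["first"], ev["ts"])
            h["last"] = max(h["last"], ev["ts"])
    return hosts


def alerts(log_text, threshold=ALERT_THRESHOLD, window=BURST_WINDOW_SECONDS):
    """Hosts whose hits score past the threshold inside the burst window.

    Returns (host, score, distinct_rule_names, span_seconds), highest score first.
    """
    out = []
    for host, h in score_hosts(log_text).items():
        span = int((h["last"] - h["first"]).total_seconds())
        if h["score"] >= threshold and span <= window:
            out.append((host, h["score"], sorted(set(h["hits"])), span))
    return sorted(out, key=lambda t: -t[1])


if __name__ == "__main__":
    for host, score, rules, span in alerts(SAMPLE_LOG):
        print(f"{host}: score={score} span={span}s rules={', '.join(rules)}")
```

On the constructed sample, FS01 fires six distinct rules in 97 seconds and is the only alert; the backup server's `vssadmin list shadows` and the workstation's Outlook launch score nothing. The point of weighting and windowing rather than alerting per command is that the individual commands are ordinary administration, while their combination on one host in a short burst is what a Ryuk operator does in the minutes before detonation.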

A persistent characteristic across Ryuk campaigns was a long dwell time. Wizard Spider operators frequently spent weeks inside victim networks before triggering encryption, mapping infrastructure, harvesting credentials, identifying critical systems, ensuring backups would be unreachable.

The transition to Conti

By mid-2020 the Wizard Spider crew had begun shifting operations to a new brand: Conti. Conti retained the same operators, much of the same tooling, and the same target preferences, but added an affiliate model, a leak site, double extortion, and a more polished public profile. For roughly a year Ryuk and Conti ran in parallel; by mid-2021 Ryuk had largely been retired in favour of its successor.

Some Ryuk-branded activity continued sporadically through late 2021, mostly tail-end attacks by affiliates still using the older toolkit. The brand was effectively dead by the time the ContiLeaks of February 2022 exposed the entire enterprise.

Legacy

Ryuk’s importance is often underestimated because it preceded the leak-site era and never had the public swagger of REvil or LockBit. But three things make it the foundational big-game hunting operation:

  • It proved that million-dollar ransoms were achievable at scale, given the right victim selection and the right amount of dwell time.
  • It established the TrickBot → BazarLoader → Cobalt Strike → ransomware kill chain that dozens of subsequent operations would copy almost line-for-line.
  • It produced the human capital (operators, intruders, negotiators) that staffed Conti and, through Conti, every successor brand from Black Basta and Royal to BlackByte and Karakurt.

The Ryuk brand is gone. The people behind it are still active, in operations whose names you have heard recently. That is the truest measure of how influential a ransomware operation can be.

Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

© 2026 Ransomnews.com
