Menu
Browse

Cyber Threat Actor: Ryuk

Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
5 incidents
Profile

The Ryuk ransomware gang, also known as Ryuk, Ryuk Gang, or Ryushi, operates as a financially motivated criminal group with activities attributed to Russia-based actors. This threat actor predominantly targets education institutions, healthcare providers, and corporate entities, leveraging ransomware to encrypt critical systems and extort payments. Incidents such as the 2020 attack on K12 Inc., a U.S. online education provider, and the 2020 disruption of Universal Health Services’ hospital networks demonstrate Ryuk’s focus on sectors where operational paralysis amplifies pressure to pay ransoms. The group employs double-extortion tactics, threatening to leak stolen data unless payments are made, as seen in the K12 breach where the organization paid to prevent disclosure. Ryuk’s operations against a Swiss vocational school in 2021 further illustrate its pattern of exploiting phishing emails to deploy ransomware, causing severe service disruptions and recovery challenges. Under the alias Ryushi, the group expanded activities to include data theft, exemplified by the 2021 scraping and attempted sale of private data from 400 million Twitter users via a patched API vulnerability, demanding $200,000 to withhold the dataset.

Ryuk’s technical operations rely on initial access through phishing campaigns delivering malicious attachments or leveraging malware such as Emotet and TrickBot to deploy ransomware payloads. The group’s ransomware encrypts files with the .ryk extension, as observed in the Universal Health Services attack, which forced hospitals to resort to manual processes amid critical system failures. Recovery complexities are compounded by reported instability in Ryuk’s decryption tools, prompting some victims to seek third-party assistance. Publicly available indicators, including criminal forum posts by Ryushi, link the actor to ransomware incidents and data brokerage schemes, though explicit affiliations with state entities or other criminal groups remain unconfirmed. The 2019 attack on Vigo County and the 2020 breach of K12 Inc. reflect Ryuk’s persistent focus on U.S. targets, while the Twitter data sale underscores adaptability in monetizing stolen information beyond traditional ransomware. Law enforcement advisories and victim disclosures consistently associate Ryuk with high-impact attacks necessitating infrastructure lockdowns, forensic investigations, and regulatory notifications.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
5 sources