Researchers paint different portraits of hackers behind Ryuk ransomware

Analysts poring over Ryuk are coming to different conclusions, highlighting the subjective side of cyberthreat studies.

Analysts poring over the Ryuk ransomware are coming to different conclusions about the hackers responsible and the victims they’re targeting, highlighting the subjective side of cyberthreat studies.

One thing, however, is clear: the infectious malware pays.

Newly published research from McAfee and Coveware finds that the average ransom payment involving Ryuk is more than 10 times that of other types of ransomware. Some victims of Ryuk “either lost their data or took on staggering financial risk to pay the ransom,” the researchers wrote. In some cases, Ryuk’s purveyors took big payouts of over 100 bitcoin (nearly $400,000 at current rates), in others they were satisfied with squeezing smaller sums from the victims, the McAfee-Coveware report said.

The research follows a January report from another company, CrowdStrike, saying that hackers had earned $3.7 million from Ryuk since the ransomware emerged in August. Victims have reportedly included a North Carolina water utility and multiple U.S. newspapers.

Both reports conclude that the attackers behind Ryuk are Eastern European or Russian, refuting early speculation that North Koreans could be responsible. But the two analyses, which dissect Ryuk’s code, differ on the scope of those responsible, as well as the victims the ransomware was meant to target.

McAfee and Coveware say that Ryuk is not designed to strike large corporate environments and that more than one criminal group appears to be deploying it, while CrowdStrike found Ryuk to be the work of a single hacking outfit that had been targeting big organizations.

Divergent opinions among researchers over the makeup of hacking groups are common. Even with the broad visibility that large security vendors have into network activity, the picture of who is behind a given malware deployment can be murky. Even so, the iterative process by which analysts track threat groups can lead to a more complete picture over time.

“We realize that only by collaboration can we piece the different parts of the Ryuk puzzle together,” the McAfee and Coveware researchers wrote.

Their report analyzed the ransom notes left by hackers deploying Ryuk. In one reply to a victim, the attackers used a French expression famously employed by Soviet revolutionary Vladimir Lenin: “À la guerre comme à la guerre.” The aphorism, which can be translated as “in hard times, make do with what you have,” neatly sums up the ruthless philosophy of Ryuk’s operators.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.