Ryuk ransomware develops worm-like capabilities, France warns

The latest Ryuk disclosure is not welcome news for hospitals already struggling to fend off ransomware.
malware, network, ransomware, virus, FIN7
(Getty Images)

A new sample of Ryuk ransomware appears to have worm-like capabilities, according to an analysis from the French National Agency for the Security of Information Systems (ANSSI), France’s national cybersecurity agency.

With such worm-like self-replicating capabilities, Ryuk, one of the most prolific strains of ransomware in the world, can spread from machine to machine without any human interaction. The development presents only another challenge for security-minded researchers and law enforcement authorities already trying to grapple with the scourge of ransomware attacks pummeling international networks.

Ryuk hackers have previously leveraged other methods to spread through the networks they target, and have not previously had the ability to move laterally in a network, according to previous research from the U.K.’s National Cyber Security Centre. ANSSI found the sample with the new capability earlier this year, the analysis states.

The disclosure of the discovery comes weeks after law enforcement entities from multiple countries tackled and took control of Emotet, the botnet that historically has been involved in deploying Ryuk ransomware against targets. 


The announcement adds to a growing body of research about Ryuk’s capabilities, which were first detected in 2018, but which may be of particular interest to the medical sector. Ryuk has been responsible for approximately 75% of ransomware attacks in the health care sector, which has been particularly hard hit by ransomware attacks during the pandemic, according to an October analysis from security firm Check Point.

The FBI and the departments of Homeland Security and Health and Human Services took note of Ryuk in October, warning in an alert of an “imminent” ransomware threat to hospitals. The alert warned hospitals to be particularly wary of attacks involving Ryuk ransomware and a few other notable strains.

It’s not clear from the ANSSI analysis when the worm-like update first appeared. The functionality stems from scheduled tasks that allow Ryuk to spread itself through victim systems, according to ANSSI. According to previous analysis from U.S. federal agencies, Ryuk’s operators “have been known to use scheduled tasks and service creation” before.

Curiously, the Russian-speaking operators behind Ryuk appear to have stopped all deployments of Ryuk between March and September of last year, according to CrowdStrike. The hackers, sometimes referred to as Wizard Spider, the moniker CrowdStrike developed for the hacking team, likely paused their operations to reorganize their operations, CrowdStrike assessed.

At the time, however, CrowdStrike noted that Wizard Spider hadn’t appeared to introduce new functionality to Ryuk.


Ryuk’s operators have previously introduced updates to the ransomware strain — two years ago the hackers added ways for the malware to target hosts on a local area network, according to CrowdStrike. Ryuk has also gained some code obfuscation functionality over the years.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts