Ransomware Research
Ryuk Ransomware
Ryuk is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on August 1, 2018, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the alias Ryuk 2.0.
Quick Facts
- Ransomware Family: Ryuk
- First Seen: August 1, 2018
- Known Aliases: Ryuk 2.0
How Ryuk Ransomware Works
Targeted Files
- https://app.any.run/tasks/0c929305-1393-4139-8d66-cac1211d8dd6/
- https://app.any.run/tasks/ca63b472-e1ec-4cdc-88e3-c8f865fce9c2/
File Encryption Patterns
Ryuk modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
- .rcrypted
- .RYK
Ransom Note and Payment Demands
After encrypting files, Ryuk displays ransom notes demanding payment for file recovery:
- README.PLEASE.txt
  - Ransom message: notes/README.PLEASE.txt
- RyukReadMe.txt
  - Ransom message: notes/RyukReadMe.txt
  - Note locations: every folder
- ReadMe.txt
  - Ransom message: notes/ReadMe.txt
- RyukReadMe.html
  - Ransom message: notes/RyukReadMe.html
  - Note locations: every folder
Technical Indicators
Associated Executable Files
The following executable files are associated with Ryuk ransomware:
About This Analysis
This Ryuk ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Ryuk.
Last updated: July 30, 2025