Ryuk ransomware - How to remove

Ryuk ransomware is a new virus that was noticed by the Malware around mid-August 2018. It was reported that this, at first unidentified, virus in two weeks attacked 3 companies which are from the US and Germany and 1 of them being a healthcare facility, as well as other victims, in total gaining US $640,000. Ryuk ransomware was believed to be developed by the dangerous North Korean APT Lazarus Group, because of all similarities with HERMES ransomware source code. However, it is now thought that the developers are from Russia and that there are multiple teams that distribute the virus separately from each other.

In December of 2018, Ryuk caused a delay in the printing of a few major newspapers in the United States. A cloud services company DataResolution  was infected during the holidays of 2018. A Georgia County in the US has paid $400,000 in ransom to Ryuk in March of 2019.

While Ryuk is mostly developed to target banks and hospitals, it is still very dangerous to the regular computer users as well and if you are not taking safety precautions you can end up with the notorious Ryuk virus locking your precious files and demanding for the ransom in exchange. To help you avoid the infection and save your computer from the Ryuk ransomware, 2-viruses.com team has developed instructions on how to delete the virus in the best possible ways, so please keep on reading.

What is Ryuk ransomware

Ryuk ransomware is a crypto demanding virus that blocks all the personal files of the victim from being accessed, unless the user has the decryption key, which he has to ‘buy’ with the cryptocurrency from the hackers, that infected the computer in the first place. This is a typical behavior of the ransomware and can be seen in other viruses like FOX, ShutUpAndDance, PGPSnippet, Donut and etc. However, as we mentioned before Ryuk virus is not just an average crypto infection and has way much more to it than it seems from the beginning.

ryuk ransomware virus

First of all, Ryuk is considered to be the next groundbreaking virtual attack, because of the damage that is has been already done in just a couple weeks of its existence and suspected relation to the Lazarus Group, which was behind such famous attacks like HERMES (that earned Korean hackers around $60 million dollars), WannaCry, SamSam and 2014 Sony Pictures scandal. This makes developers believe that Ryuk ransomware is attempting to follow the recent BitPaymer and Emotet multi-vector attack path performing targeted attacks towards companies and government as well.

What is more same Malware after the thorough analysis shared a shocking discovery that Ryuk virus has the ability to stop 184 commands, which is unusually much for a ransomware virus. That means that no matter how confident your cyber protection is, most likely Ryuk virus could disable it in seconds. Moreover, this ransomware uses RSA-4096 and AES-256 ciphers to perform encryption and this algorithm combination is almost undecryptable, which forces corporations to make massive payments in order to get their important data back since no security tool is going to help. Also important to mention that Ryuk does not add any extension to the encrypted files. More technical details on research.checkpoint.com.

Talking about the payment Ryuk now holds the record there as well asking for the total of 50 BTC (USD  $320,000). $3.7 million is believed to have been accumulated in ransoms by Ryuk by January 2019. Additionally, there are two different ransom notes that this virus delivers, which leads to believe that it chooses the ransom note depending on the target since the requested ransom on the other note ranges between 15 BTC to 35 BTC (no more than USD $224,000) and is far shorter and more simple. Researchers also found that Ryuk developers try to disguise their received ransom payments by distributing money into the multiple crypto wallets. Another reason why companies decided to rather risk and give the Bitcoins to the hackers was probably the statement in the longer ransom note, which claimed that the final ransom amount depends on how fast you pay (each day increasing the original amount by 0.5 BTC = USD $3200), and that after 2 weeks, if the payment will not be made, all the encrypted files and decryption keys will be deleted forever.

Take a look at the two different ransom messages, which are being placed in victims’ systems.



Your business is at serious risk.
There is a significant hole in the security system of your company.
We’ve easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools
are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet)
and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don’t forget to write the name of your company in the subject of your e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business
As soon as we get bitcoins you’ll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.

Attention! One more time !

Do not rename encrypted files.
Do not try to decrypt your data using third party software.

P.S. Remember, we are not scammers.
We don`t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty – decrypted samples.

Contact emails [email protected]
or [email protected]
BTC wallet:
No system is safe

ryuk ransomware notes


All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
[email protected]
[email protected]
BTC wallet:
No system is safe

Despite messages being completely different, yet it is the same Ryuk ransomware virus in both situations.

How does Ryuk ransomware spread

So far it is known that Ryuk ransomware spreads files named horrible.exe and kIUAm.exe through the Spam emails, just as most ransomware do. This makes it easy to attack companies and their employees, because hackers carefully write socially engineered messages that look like an everyday email, asking for the person to open the attachment or click on the hyperlink to access anything starting with the resume, invoice, medical records, bank details or etc.

After that malicious file is opened and the victim accidentally launches Ryuk ransomware, the ability to stop more than 180 processes comes in handy and Ryuk virus stops any antivirus or detection for a while until it settles in the registry and other important directories for the persistence and locks the files that it can find. Amongst these encrypted files can be patient records, client and payment data, passwords, logins, credentials, company secrets and much more information, which would cause a lot of problems if it would get deleted or breached. That is why it is very important to educate yourself on how to never fall into such ransomware trap.

Ryuk is also known to be distributed by banking Trojans Emotet and TrickBot, which can also infect computers through malicious spam emails. The two Trojans have the abilities to steal information, as well as download Ryuk — if they find that the target is suitable and the attack will be profitable.

How to terminate Ryuk virus

If you do become a victim of the Ryuk virus, the best first step would be to get a sophisticated malware removal tool like Spyhunter and get rid of the ransomware as soon as possible. Having such a dangerous threat in your PC can cause a lot of problems and bring even more malware than there already is. Although the Ryuk ransomware can end a lot of programs (including security tools), SpyHunter is a really powerful security product that should be able to help you if you install it and disable the internet so that Ryuk won’t have any access with the developers.

Automatic Malware removal tools

Download Spyhunter for Malware detection

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,

How to remove Ryuk ransomware and restore files

If you do not attempt to try auto-removal security product, you can try our manual removal instructions which explain how to delete Ryuk ransomware without any additional program. In these instructions, we also included file recovery tools and option to restore files from Shadow Copies, yet there is a very low chance that it will work, especially because AES-RSA algorithm combination is usually undecryptable. If these techniques did not help you restore the encrypted data, then just keep the locked files stored in your PC for later, when the cybersecurity professionals will come up with the decryptor.

How to recover Ryuk ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Ryuk has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Ryuk ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Ryuk. You can check other tools here.  

Step 3. Restore Ryuk ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Ryuk tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Ryuk ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *