Infected with Ryuk Ransomware? Need to decrypt your files?

What is Ryuk Ransomware

Ryuk is a cryptovirus created by unknown scammers and targeted on English-speaking countries. It was most active in August 2018. Ruyk Ransomware is similar to other ransomware threats, for example, Scarab Ransomware. It encrypts most user files using the AES crypto algorithm. Also, Ryuk changes the file extension to .Ryuk or other suffixes. After that, the infected files become a reason for ransom. After encryption, the cryptovirus creates a special READ_IT.txt file were scammers offer decryption for a money (in BTC). In fact, this “offer” is equal to “demand”.

The first version of Ryuk Ransomware has the next ransom note:

All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
MelisaPeterman@protonmail.com
or
MelisaPeterman@tutanota.com
BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Ryuk
No system is safe

The second, more advanced, version of Ryuk Ransomware has following ransom notes:

Gentlemen!
Your business is at serious risk.
There is a significant hole in the security system of your company.
We've easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don't forget to write the name of your company in the subject of your e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business
As soon as we get bitcoins you'll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.
Attention! One more time !
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
P.S. Remember, we are not scammers.
We don't need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty - decrypted samples.
contact emails
eliasmarco@tutanota.com
or
CamdenScott@protonmail.com
BTC wallet:
15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj
No system is safe

Attackers indicated a contact email and encouraged users to contact them for further instructions. This is a trap. Scammers will not return user files to their original state, their only goal is to get your money. Read our guide to remove Ryuk and decrypt encrypted files.

Update: Use following service to identify the version and type of ransomware you were attacked by: ID Ransomware. If you want to decrypt your files, please follow our instruction below or, if you have any difficulties, please contact us: submit@securitystronghold.com. We really can help to decrypt your files.

How Ryuk infected your PC

The most vulnerable place of user computers is unprotected network settings because users either do not use antivirus software or use free versions. Also, Ryuk can penetrate as an attachment in spam mailings or as a false update of programs and utilities. However, you need to get rid of Ryuk and restore your files using our recommendations.

First of all, don’t panic. Follow these easy steps below.

1. Start your computer in Safe Mode with networking. To do that, restart your computer before your system starts hit F8 several times. This will stop system from loading and will show Advanced boot options screen. Choose Safe mode with networking option from the options list using up and down arrows on your keyboard and hit Enter.
2. Log in to the system infected with the Ryuk virus. Launch your Internet browser and download a reliable anti-malware program and start a full system scan. Once the scan is complete, review scan results and remove all entries detected.

Recommended Solution:

Norton is a powerful removal tool. It can remove all instances of newest viruses, similar to Ryuk – files, folders, registry keys.

 

Download Norton*Trial version of Norton provides detection of computer viruses for FREE. To remove malware, you have to purchase the full version of Norton.

You may find more detailed information about antivirus products in our article – Top 5 Antivirus Software for Windows

Restore your files using shadow copies

1. Download and run Stellar Data Recovery.
2. Select type of files you want to restore and click Next.
3. Select the drive and folder where your files are located and date that you want to restore them from and press Scan.
4. Once the scanning process is done, click Recover to restore your files.

Download Stellar Data Recovery

Step 2: Remove following files and folders of Ryuk:

Related connections or other entries:

No information

Related files:

RyukReadMe.txt
UNIQUE_ID_DO_NOT_REMOVE.txt
sys
PUBLIC
kIUAm.exe

How to decrypt files infected by Ryuk?

You can try to use manual methods to restore and decrypt your files.

Decrypt files manually

Restore the system using System Restore

Although latest versions of Ryuk remove system restore files, this method may help you partially restore your files. Give it a try and use standard System Restore to revive your data.

1. Initiate the search for ‘system restore‘
2. Click on the result
3. Choose the date before the infection appearance
4. Follow the on-screen instructions

Roll the files back to the previous version

Previous versions can be copies of files and folders created by Windows Backup (if it is active) or copies of files and folders created by System Restore. You can use this feature to restore files and folders that you accidentally modified or deleted, or that were damaged. This feature is available in Windows 7 and later versions.

1. Right-click the file and choose Properties
2. Open the Previous Version tab
3. Select the latest version and click Copy
4. Click Restore

Protect your computer from ransomware

Most modern antiviruses can protect your PC from ransomware and crypto-trojans, but thousands of people still get infected. There are several programs that use different approach t protect from ransomware and lockers. One of the best is HitmanPro.Alert with CryptoGuard. You may already know HitmanPro as famous cloud-based anti-malware scanner. Check out ultimate active protection software from SurfRight.

Download HitmanPro.Alert with CryptoGuard

Written by Tim Kas