Ryuk: What is this ransomware and how to remove it?

Cybersecurity experts call ransomware the biggest and most devastating information technology problem of our time, and attacks are all too common these days. Cybercriminals will attack any consumer and any business. Ransomware affects everybody, from the personal computer in your house to businesses and, of course, government entities. Currently, one specific group is on a rampage: the group called RYUK. This group is equipped with very advanced technology and uses social engineering to gain access to networks. Other hackers and ransomware groups typically don't pick and choose their victims, but RYUK targets very specific people, and not only people but businesses and government entities as well.

Ryuk

Speaking of government entities, the City of Stuart, for instance, was recently brought down by the RYUK ransomware and, according to reports, is still recovering from the attack. This group started its rampage back in August of 2008. Initially, it targeted only businesses, but for the last few months it has switched its targets: it is no longer targeting just businesses but government entities as well, and it is expanding its reach. So what are the simple and primary things you can do to protect yourself and secure your belongings? To begin with:

How to protect yourself from ransomware like RYUK?

Think before you click – This group uses social engineering tactics and, in most cases, email infections, so when you get a suspicious email, don't click on it in a rush.

Invest in the education of IT people – If you're a business owner, invest not just in technology but also in the education of your IT people, because that is essentially the key to recognizing new ransomware and threats like RYUK.

Invest in software – The third part is, of course, to invest in software and hardware to protect the network. You have to make sure that you have a backup, such as a cloud backup and other hardware backups. This doesn't mean that once you have moved to the cloud you are going to be protected.

How to Remove Ryuk Ransomware Virus from Your System

Still, there is a good chance that you could be affected by the RYUK virus. There are also other hackers and malware that use the name RYUK to disguise themselves and appear to be the bigger threat. So here we are going to tell you how to remove the RYUK virus from your computer and system, and also how to restore files after removing RYUK.

Before beginning the removal of this ransomware infection, you have to create a safer environment for your computer by booting into Safe Mode.

  • To enable Safe Mode, press the Windows key + R simultaneously on your keyboard.
  • In the Run window that pops up, type "MSConfig" and click OK.
  • Go to the "Boot" tab, tick "Safe boot" under Boot options and select "Network" beneath it.
  • Click Apply, then OK, and then click Restart to reboot your PC.

(You can revert the setting to normal later by repeating the same procedure but unticking Safe boot.)

  • If you have done this successfully, "Safe Mode" should be written in the corners of your screen. Now it is time to clean up any settings and errors in the Windows registry that were modified by the RYUK virus.

To do that we are going to use the following script:

REM FIX.BAT: first take ownership of the three registry hives and the system drive,
REM then grant the SYSTEM account full control again, so that permissions the
REM virus altered are reset. Requires subinacl.exe from the Windows Resource Kit Tools.
subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=Administrators
subinacl /subkeyreg HKEY_CURRENT_USER /setowner=Administrators
subinacl /subkeyreg HKEY_CLASSES_ROOT /setowner=Administrators
subinacl /subdirectories %SystemDrive% /setowner=Administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

This script will be used later in the process. First, we are going to install a program called the Windows Resource Kit Tools. Download it from the given link.

  • Open the setup, click "Next", accept the agreement and install it.
  • After the installation completes, copy the script given above into a text file and choose a place to save it. For the file name, type anything you can easily remember, for example "FIX", and add .BAT after the name (FIX.BAT).
  • To specify the file type, click on the drop-down menu where it says "Save as type", choose "All Files", and then click Save.
  • After saving the file, copy it to the Resource Kit folder on your Windows drive partition: C: => Program Files => Windows Resource Kits => Tools
  • After copying the file, it is time to start it from the Windows command prompt. To do this, open the Start menu search, type CMD, and when Command Prompt appears select "Run as administrator".
  • In the command prompt, type cd "C:\Program Files (x86)\Windows Resource Kits\Tools" to open the folder.
  • Then type Fix.bat and the script should begin processing the registry entries.

Keep in mind that while this tool fixes registry permission errors, it may not remove registry values newly added by this virus. For complete removal, you need the power of an advanced anti-malware program. We have chosen a tool named SpyHunter, which is capable of thoroughly scanning for and removing all malicious objects related to malware, adware and other unwanted software. To begin a scan, go to Start New Scan and click the Scan Computer Now button. A couple of minutes later, after the scan has completed, you can eliminate all detected malicious files by clicking the Fix Threats button.

If there is no decryptor for this ransomware, we have several alternative suggestions on how to restore your encrypted files. Let's begin:

  1. One alternative method is to use data recovery programs to scan your hard drive sectors. There are many data recovery programs out there and they all work on the same principle: first scanning your drive sectors for missing files, then compiling those missing files to restore them.
  2. Another method is to try a program called "Shadow Explorer", which you can download for free online. It looks for any shadow volume copies on your computer, provided you have set up File History and enabled it. Usually this option works 100%, but most ransomware viruses tend to delete shadow copies via an administrative command.
  3. The final method is to take advantage of third-party decryptors. This may be useful if your malware uses the same encryption algorithm and mode as a virus that has already been decrypted. However, make sure not to test them on the original encrypted files; make copies instead, because third-party decryptors may in some scenarios damage the encrypted files permanently.

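As an added aid that is not part of the original guide, the following PowerShell script (run from an elevated prompt) checks the three conditions the steps above depend on: that the machine really booted into Safe Mode with Networking, that subinacl.exe is present in the Resource Kit Tools folder the FIX.BAT step uses, and whether any Volume Shadow Copies survive for the Shadow Explorer route in step 2. The Resource Kit path is assumed to be the default location under Program Files (x86).

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell prompt before the removal steps. It checks (1) the box really came
# up in Safe Mode with Networking, (2) subinacl.exe is where FIX.BAT expects it,
# and (3) whether any Volume Shadow Copies survive, which decides whether the
# Shadow Explorer route is worth trying. The Resource Kit path is an assumption
# (default 64-bit install location).

function Test-SafeModeNetwork {
    # BootupState is "Normal boot", "Fail-safe boot" or "Fail-safe with network boot"
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    [pscustomobject]@{
        BootupState         = $state
        SafeModeWithNetwork = ($state -eq 'Fail-safe with network boot')
    }
}

function Test-SubinaclPresent {
    $path = Join-Path ${env:ProgramFiles(x86)} 'Windows Resource Kits\Tools\subinacl.exe'
    [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
}

function Get-SurvivingShadowCopies {
    # Win32_ShadowCopy lists VSS snapshots; ransomware commonly wipes these, so an
    # empty result means the shadow-copy recovery path (step 2 above) will not work.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, @{ n = 'Created'; e = { $_.InstallDate } }
}

$boot = Test-SafeModeNetwork
if (-not $boot.SafeModeWithNetwork) {
    Write-Warning "Not in Safe Mode with Networking (BootupState: '$($boot.BootupState)'). Re-check the MSConfig step."
}

$sub = Test-SubinaclPresent
if (-not $sub.Present) {
    Write-Warning "subinacl.exe not found at $($sub.Path); install the Resource Kit Tools before running FIX.BAT."
}

$shadows = @(Get-SurvivingShadowCopies)
if ($shadows.Count -eq 0) {
    Write-Warning 'No Volume Shadow Copies found; Shadow Explorer will have nothing to restore.'
} else {
    "Found $($shadows.Count) shadow copy(ies):"
    $shadows | Format-Table -AutoSize
}
```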
So this is how you can detect RYUK, or any other ransomware virus, in your system and then remove it.
