How to Recover Data Encrypted by Ryuk Ransomware


Ransomware attacks are growing at an annual rate of 350%!

First appeared in August 2018, the Ryuk Ransomware aimed to attack businesses and large enterprises across the globe. Researchers at Crowdstrike estimate that Ryuk Ransomware, since its inception, has extorted more than 705 Bitcoins worth over $3.7 million as of Jan 2019. In the first two months, the Ryuk Ransomware extorted over $640,000 in ransom.

What is Ryuk Ransomware?

Ryuk derives its name from a fictional character in a popular Japanese anime series called ‘Death Note’; perfect sobriquet for a ransomware that’s used for tailored attacks and encryption of critical assets on a targeted network. It’s harder to track, as the ransomware isn’t widely distributed.

Ryuk shares its DNA with Hermes—another infamous ransomware that attacked the Far Eastern International bank (FEIB) in Taiwan and stole a hefty $60 million that was later retrieved.

How Ryuk Ransomware Spreads and Works

A banking Trojan—TrickBot is used to systematically spread the Ryuk ransomware. The same Trojan was used to spread the infamous WannaCry Ransomware.

The primary source of Ryuk ransomware spread is via emails and attachments, downloads from untrusted and insecure web sources, and phishing. The attack can also be carried out through an insecure remote desktop connection.

Ryuk Ransomware
Example of a phishing mail Source: FireEye

Once Ryuk enters a network, it starts spreading into the systems connected to the network and encrypts the files. Following are the ways by which Ryuk Ransomware encrypts the data on a targeted network, server, or PC.

  • File encryption using RSA-2048 and AES-256.
  • Stores encryption keys in the executable by using the proprietary Microsoft SIMPLEBLOB format.
  • Encrypts system or network mounted devices and remote hosts.
  • Uses a file marker to mark or check if a file has been encrypted successfully.

Ryuk Ransomware Ransom Note

Ryuk Ransomware note
Figure: Ryuk Ransomware Ransom Note

Steps to Recover Data Lost Due to Ryuk Ransomware

While the ransom note from Ryuk Ransomware states that there is no way to recover the data, you may still try recovering the data by using Stellar Data Recovery Professional. Here’s how,

Free download
  • Connect the hard drive infected with Ryuk Ransomware to the PC and launch the program.
  • Select ‘All Data’ and then click ‘Next.’
  • Select the connected hard drive volume listed under ‘Connected Drives’ and turn on the ‘Deep Scan’ toggle switch at the bottom left.
  • Click ‘Scan’ and wait for the scan to complete. The software scans for the files removed and encrypted by the Ryuk Ransomware, based on file signatures.
  • After the scan, expand the folder tree in the left pane to locate necessary files. You may also use the search bar to find files.
  • Select the files you wish to recover and click ‘Recover.’
  • Click ‘Browse’ and choose a save location on the PC or an external drive to store the recovered files.
  • Click ‘Start Saving’.

After saving the files, try to access them. If the file opens, you have successfully recovered the data.

Watch the video below:

Tips to Safeguard PC and Networks against Ransomware and Data Loss

Further, you can follow these essential tips to prevent future Ransomware attacks and data loss:



Data recovery from a ransomware-infected PC or storage media isn’t guaranteed. Every ransomware works differently. In a nutshell, they either remove the existing file and create an encrypted copy or encrypt the original data itself by overwriting it. Stellar Data Recovery Professional may restore the lost files – in case the ransomware removed the original file and created a new encrypted copy – with the help of Deep Scan function. Deep scanning performs a thorough file signature-based scan on each sector on the drive and find the traces of recoverable data. Deep Scan may help recover data from a ransomware infected storage media or Windows PC. To prevent further data loss due to ransomware attacks, follow the tips shared in this post.