Severity scale:  

Ryuk ransomware. How to remove? (Uninstall guide)

removal by Jake Doevan - - | Type: Ransomware

Ryuk is a ransomware virus that targets large organizations all over the world and delivers a polite ransom note 

Ryuk Ransomware
Ryuk ransomware is a crypto virus that locks your data to demand payment.

Ryuk is a ransomware virus[1] that has already attacked and encrypted data from several companies, data centers, and PCs. According to numerous speculations, the virus is hailing from the same family as Hermes ransomware which is attributed to an infamous Lazarus group. Once it gets into the system, Ryuk ransomware encrypts systematically selected data and makes it unavailable for the use. Additionally, it generates a RyukReadMe.txt ransom note on the desktop and all folders that can be found on the victim’s computer. It urges the victim to transfer a huge ransom (the ransom fee varies from 15 BTC to 50 BTC, depending on the amount of encrypted data) via provided Bitcoin wallet. Recently, Ryuk ransomware performed a few attacks during the Christmas time, one of the companies affected were – the cloud hosting provider.[2] According to the company that encountered the ransomware attack on Christmas Eve, virus developers used compromised account login to infect the system.

Name Ryuk
Category Ransomware
Subcategory Cryptovirus
Encryption algorithm AES-256; RSA-4096
Ransom notes RyukReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE.txt
Ransom amount  15 – 50 BTC
Related files horrible.exe, kIUAm.exe
Email addresses used for contacting
Blocked services Acronis VSS Provider, Sophos-related services, Veeam backup service, MBAM service, McAfeeEngine service, etc.
Decryptable No
Elimination Download Reimage and run a full system scan. After Ryuk removal, follow the guide on how to decrypt encrypted files (at the end of the post)

Researchers are still yet to identify Ryuk ransomware's distribution means, but it is speculated that it is distributed in the form of phishing email attachment which typically presents itself as an invoice, business report, etc. Additionally, hackers most likely abuse insufficiently protected RDP[3] configurations to attack targeted companies.

To run on the computer, Ryuk malware needs to gain admin privileges. Therefore, each of the attacks needs to be carefully planned, credentials gathered, network mapped, etc. This led researchers from Check Point to believe[4] that the infection is carefully engineered by sophisticated hackers who are experienced in targeted attacks. 

Check Point experts who recently analyzed Ryuk ransomware pointed out that the malware has extreme similarities to Hermes 2.1 ransomware, which was distributed by the infamous Lazarus hackers who were formerly associated with the North Korean army.

Additionally to these huge attacks, Ryuk ransomware hit again during the Holiday 2018 when experts encountered the rise of activity on December 24 and December 27. The first campaign was held on Data Resolution when ransomware gave control of the important data to the attacker. The data center domain was accessible until the company shut down the whole network. According to Data Resolution, no user data was accessed or compromised. The main purpose of this ransomware was to hijack the network not to steal the credentials. 

On December 27 Tribune Publishing newsprint organizations were attacked by the same Ryuk ransomware when the malware disabled their ability to print papers. The incident was discovered late at night when one editor could not send finished pages to the printing service. The issue was quickly fixed and no more damage discovered on the network.

Ryuk crypto virus
Ryuk ransomware tends to attack both - regular users and high-profile organizations

Ryuk ransomware – the functionality

Before infecting the device, Ryuk ransomware shuts down 180 services and more than 40 processes that are running on the system. The malware executes taskkill and net stop command on a predetermined list of processes and services.

The Ryuk virus then uses the kIUAm.exe executable file which is launched once the victim reboots the system. Right after that, it encrypts victim’s data, e.g., business documents, reports, photos, videos, databases, and other personal information with the specific file extension using the combination of RSA-4096 and AES-256 encryption algorithms. 

Upon successful encryption, the virus generates ransom notes named RyukReadMe.txt and UNIQUE_ID_DO_NOT_REMOVE.txt. They read the following:

All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
BTC wallet:
No system is safe

If the virus attacks a company or similar authority, it drops such note:

Your business is at serious risk.
There is a significant hole in the security system of your company.
We’ve easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.
Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.
Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly.
If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don’t forget to write the name of your company in the subject of your e-mail.
You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business
As soon as we get bitcoins you’ll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.
Attention! One more time !
Do not rename encrypted files.
Do not try to decrypt your data using third party software.
P.S. Remember, we are not scammers.
We don’t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty – decrypted samples.
contact emails
BTC wallet:
No system is safe

While Ryuk ransomware removal will not give users access to the files, it will get rid of the infection itself. We strongly recommend using reputable security software like Reimage or Malwarebytes MalwarebytesCombo Cleaner which is capable of destroying all the traces of malware.

While hackers are actively trying to convince victims that paying ransom is a great idea (they even go as far claiming that they will reveal the security hole and show how to fix it), security researchers[5] advise not to. These people are from a high-profile crime organization and can not be trusted. Additionally, despite criminals' warnings, you should remove Ryuk ransomware as soon as possible.

Ransomware distributing techniques evolve from spam email to trojan malware

According to PC experts, the virus is using phishing email messages to get into the target PC systems. Usually, these messages are sent to businesses to increase the number of encrypted files and earn bigger ransoms. Beware that you need only to click on an infected email attachment to get infected with ransomware.

Such messages can also be filled with trustworthy-looking logos, addresses, and similar information which could increase chances to infect the victim with the ransomware virus. To avoid the loss of important data, you need to be extremely careful with emails from unknown senders. Make sure you doublecheck every line included and use your mouse to check the trustworthiness of links you have been sent to.

There is a theory that Emotet and TrickBot are used to distribute this ransomware. But this seems strange to deliver additional malware after a successful attack on the system. Often, the automatically launched malware like trojans gets used to spread ransomware.

Make sure to remove Ryuk ransomware from the system using professional tools

To perform Ryuk removal, make sure you do not consider using manual removal techniques. This is a serious virus which travels around with numerous components that can be found only by running a full system scan with anti-spyware. In this case, we recommend using Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes which have been approved to be powerful enough to fight against such complicated malware. These programs will not only help you get rid of infected files but will also fix your registry which is typically altered after infiltration of the virus.

Unfortunately, once you remove Ryuk ransomware from the system, your files will still be encrypted. That's because the decryption key needed to recover locked data is saved on the remote servers that belong to the crew of this ransomware. However, don't be desperate and think whether you have extra copies of your encrypted data saved on external devices. If no, use tips provided below to decrypt files encrypted by Ryuk. 

do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Ryuk virus, follow these steps:

Remove Ryuk using Safe Mode with Networking

To delete Ryuk ransomware with Safe Mode, you need to perform this procedure on your computer. Repeat the scan when on normal mode.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Ryuk

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Ryuk removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Ryuk using System Restore

To recover your system with System Restore, use the following guide:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Ryuk. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Ryuk removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Ryuk from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Ryuk, you can use several methods to restore them:

Use Data Recovery Pro to unlock lost files

Data Recovery Pro is an effective tool that can be used for recovering lost data. To use it properly, perform these steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Ryuk ransomware;
  • Restore them.

Try Windows Previous Versions feature to get your files back

If you had System Restore point created before the attack of ransomware happened, try this option to get your data back.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Ryuk decryptor is not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Ryuk and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions


Removal guides in other languages