MS-ISAC Ryuk Ransomware Primer Educates States About this Emerging Cyber security Threat

MS-ISAC Ryuk Ransomware Primer Educates States About this Emerging Cyber security Threat

The Center for Internet Security (CIS®), which operates the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), has created its first educational primer to alert the states about Ryuk Ransomware. Ransomware was one of the top cybersecurity threats in 2019, and it continues to be an evolving threat in 2020, impacting both government and private organizations. What follows is a snapshot of how ransomware works, best practices to avoid being a victim of ransomware, and recovery recommendations for government and other organizations that are impacted with a link to a more in-depth report.

Consistent with our mission, CIS will be releasing occasional educational briefs or primers on the cybersecurity threats we’re seeing impacting our members, and the public at large, throughout the year, starting with Ryuk ransomware. CIS is committed to supporting the cybersecurity posture of all organizations, which is why we’re making this information available and accessible for all organizations as a free download from our website.


Ryuk Primer Highlights

In  2019, Ryuk was one of the most impactful and most reported ransomware variants in the U.S. State, Local, Tribal, and Territorial (SLTT) government sector.

1. Ryuk is typically dropped on a software system by other malware (e.g., TrickBot). Trickbot is a modular banking Trojan that targets sensitive information and acts as a dropper for other malware. Since June 2019, the MS-ISAC is observing an increasingly close relationship between initial TrickBot infections and eventual Ryuk ransomware attacks.

2. Once on a system, cyber threat actors (CTAs) deploy Ryuk throughout the network with the aim of infecting as many systems as possible.

3. Once the malware is deployed, it targets backup files and begins the encryption process.

4. Ryuk’s ability to delete all types of backups makes this ransomware Ryuk infection extremely costly, and almost impossible to fix.

5. The only way to successfully remediate a Ryuk infection is to restore systems from known good backup files that have been stored offline. This underscores that maintaining backups should be a priority for all organizations in order to survive ransomware attacks.

6. SLTT governments should adhere to best practices, including those described in the CIS Controls® (, which are part of CIS SecureSuite® (



For more in-depth information, please visit the MS-ISAC website at Security Primer Ryuk.

Background on CIS

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provides secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit or follow us on Twitter: @CISecurity.