2025: Member of the hacker group Ryuk, which stole $100 million with ransomware viruses, arrested in Ukraine and extradited to the United States
On June 18, 2025, the Prosecutor General's Office of Ukraine announced the arrest of an alleged member of a cybercriminal group involved in the spread of the Ryuk ransomware virus. The suspect, whose name has not been disclosed, has been extradited to the United States, where he will be charged with cybercrime.
A 33-year-old man, as noted by The Record, was arrested in Kyiv in April 2025 at the request of US law enforcement agencies. It is alleged that the detainee, being a member of the hacker group Ryuk, was looking for vulnerabilities in the corporate networks of the victim companies. Subsequently, these "holes" were used to introduce malware. The main goal of the attackers was to obtain financial benefits. According to the investigation, the group organized a total of more than 2,400 ransomware attacks in several countries. The total amount of damage exceeds $100 million.
The identity of the man was established as a result of a large-scale operation in late 2023, which involved law enforcement agencies in seven countries, including the United States, Germany, France and the Netherlands. In total, law enforcement officers conducted more than 80 authorized searches on the territory of Ukraine and seized crypto assets worth about $600 thousand, 9 elite cars and 24 land plots with a total area of almost 12 hectares. The court seized this property.
As noted, the attackers used the malicious software they developed, including viruses with information encryption functions, for cyber attacks on the world's leading industrial enterprises, critical infrastructure facilities, etc. The joint operation was directed against hackers associated with Ryuk, LockerGoga, MegaCortex, HIVE and Dharma.[1]
2020: Ryuk attack on Evraz
On March 6, 2010, it became known that EVRAZ was the victim of a ransomware attack known as Ryuk. Reportedly, the ransomware managed to stop the work of the company's branches in North America.
2019: Hackers demand $14m to unlock 110 nursing home systems in US
At the end of November 2019, hackers demanded $14 million in cryptocurrency to unlock the systems of 110 nursing homes in the United States.
IT company Virtual Care Provider Inc. (VCPI) confirmed that hackers used the Ryuk ransomware and encrypted all customer data. The company supports about 80,000 computers and servers serving medical facilities in 45 U.S. states.
Ryuk is a particularly dangerous strain of malware that targets government organizations and other high-value entities. It encrypts files and demands a ransom for unlocking them. VCPI CEO Karen Christianson noted that the attack affected "almost all" of the company's main offerings, including access to the Internet, billing, phones, email and access to customer records.
"In some facilities, nurses cannot order medication. Another institution cannot submit bills to the insurance company, and without paying the bills it will simply close. Many older people are ready to refuse our services and just wait for us to return their personal data, but we cannot do this either," Christianson explained. VCPI's own payroll systems have also been blocked by the virus, and workers are now wondering when they will be paid.
Research firm Hold Security showed that the initial cyber attack on VCPI could have occurred back in September 2018. The Hold Security founder also clarified that the attack VCPI eventually faced was actually preventable. The CEO of VCPI has pledged to document everything that has happened to prevent similar disasters in the future.
Many companies are willing to pay a ransom to ransomware operators to restore access to critical files. However, VCPI reportedly cannot afford to pay the ransom, so the situation is only getting worse.[2]