Uninstall Ryuk virus (Virus Removal Tutorial) - Jan 2019 updated

Ryuk virus Removal Guide

Description of Ryuk ransomware

Ryuk ransomware – a file locking threat which has similarities with Hermes virus

Ryuk virusRyuk virus is a dangerous ransomware infection which has already infected numerous companies worldwide

Ryuk ransomware is a data encrypting computer virus which appears to be related to Hermes ransomware. This lets us speculate that both of these viruses come from the same developer. Even though this dangerous cyber threat uses specific encryption algorithms such as RSA-4096 and AES-256 to lock up files, no extension is added to the data. However, after the encryption process, Ryuk virus drops a ransom note named RyukReadMe.txt and places a copy of it in every file that is found. Some difficult and hardly identifiable keys are required for the decryption of locked files, so the crooks urge a particular ransom in exchange of the decryption tool. However, if the victim is late to pay the price, each delayed day a 0.5 BTC amount is added to the ransom.

Name Ryuk
Type Ransomware
Sub-type Malware
Encryption algorithms RSA-4096, AES-256
Ransom message RyukReadMe.txt
Ransom Needs to be paid in BTC. With each delayed day an amount of 0.5 BTC is added to the ransom price
Email addresses eliasmarco@tutanota.com, CamdenScott@protonmail.com
Relations The virus seems familiar with Hermes ransomware
Deletion Detect virus-related objects with FortectIntego and get rid of them ASAP

Ryuk ransomware is an infamous computer virus which has already infected numerous companies and organizations worldwide. This virus can sneak into the targeted system by using stealth techniques, for example, ransomware can appear in the system through a rogue email message or its attached file/link. Furthermore, ransomware such as Ryuk virus can also infiltrate the computer through third-party web pages and their infected hyperlinks.

Once the RyukReadMe.txt ransom message is displayed, the crooks try to convince their victims that nobody is capable of helping them, except the developers themselves. Cybercriminals threaten gullible people that no other tool can be helpful and might cause only more damage. However, note that you should strongly consider all options no matter what the crooks say or promise you. There is a big chance to get scammed after the price transferring. Ryuk ransomware note:


Your business is at serious risk.
There is a significant hole in the security system of your company.
We’ve easily penetrated your network.
You should thank the Lord for being hacked by serious people not some stupid schoolboys or dangerous punks.
They can damage all your important data just for fun.

Now your files are crypted with the strongest millitary algorithms RSA4096 and AES-256.
No one can help you to restore files without our special decoder.

Photorec, RannohDecryptor etc. repair tools
are useless and can destroy your files irreversibly.

If you want to restore your files write to emails (contacts are at the bottom of the sheet)
and attach 2-3 encrypted files
(Less than 5 Mb each, non-archived and your files should not contain valuable information
(Databases, backups, large excel sheets, etc.)).
You will receive decrypted samples and our conditions how to get the decoder.
Please don’t forget to write the name of your company in the subject of your e-mail.

You have to pay for decryption in Bitcoins.
The final price depends on how fast you write to us.
Every day of delay will cost you additional +0.5 BTC
Nothing personal just business

As soon as we get bitcoins you’ll get all your decrypted data back.
Moreover you will get instructions how to close the hole in security
and how to avoid such problems in the future
+ we will recommend you special software that makes the most problems to hackers.

Attention! One more time !

Do not rename encrypted files.
Do not try to decrypt your data using third party software.

P.S. Remember, we are not scammers.
We don`t need your files and your information.
But after 2 weeks all your files and keys will be deleted automatically.
Just send a request immediately after infection.
All data will be restored absolutely.
Your warranty – decrypted samples.

contact emails

BTC wallet:


No system is safe

As you can see, Ryuk ransomware offers communication via two given email addresses: eliasmarco@tutanota.com
or CamdenScott@protonmail.com. The crooks also provide their Bitcoin wallet address to which the ransom needs to be transferred: 15RLWdVnY5n1n7mTvU1zjg67wt86dhYqNj. Furthermore, crooks try to scare users that their files will be permanently terminated after a time period of 2 weeks.

However, we suggest staying away from any contact with the crooks and avoiding money losses. What you should do is remove Ryuk virus from your computer system automatically. Additionally, note that you need to find all harmful objects in the system if you want to get rid of the infection permanently. We offer to scan your entire computer system with a reputable and expert-tested anti-malware tool such as FortectIntego. Feel free to use your own liked programs also.

Ryuk ransomware removal needs to be performed as soon as you spot encrypted files or the ransom note. Keeping such cyber threats in your computer system will bring only more harm. Some file locking threats are capable of eliminating Shadow Copies of encrypted documents, others might inject serious malware such as Trojan horses, and so on. Protect yourself from these possibilities and get rid of the virus ASAP. After that, check out data recovery methods which are provided below the article.

Ryuk ransomware virusRyuk ransomware is a malicious computer infection which appears to be related to the infamous Hermes virus

Ransomware infections distribute in various stealth ways

If you are infected with a ransomware virus, there are several ways where the computer infection might have come from. The most popular ransomware distribution techniques are:

  • spam messages
  • rogue third-party downloading sources
  • infected software

To avoid these dangerous cryptoviruses, you should always be cautious while browsing the web or while performing any type of computing work. We suggest deleting all suspicious-looking email messages that you receive if you cannot identify the sender. Crooks often drop hazardous payload straight to random users’ inbox or spam sections.

Moreover, be careful while downloading your software from the Internet. Avoid sites which are provided by secondary installers. Web pages such as Torrents, eMule, or The Pirate Bay can distribute malware easily. Furthermore, install reliable antivirus protection which will take care of your computer’s safety automatically.

Ryuk ransomwareRyuk ransomware - a cryptovirus which uses RSA-4096 and AES-256 ciphers to encrypt documents on the infected computer system

Get rid of Ryuk ransomware with antimalware software

Note that you can remove Ryuk virus only automatically as manual elimination might bring only more harm and damage your system’s components. For the deletion process, we recommend selecting a reputable computer fixing tool, otherwise, you might not reach wanted results. Additionally, detect all malware-laden objects with programs such as FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes.

After proceeding with the Ryuk ransomware removal, you can start thinking of ways how to recover your encrypted files. Below this article, you can find some data recovery methods that we have provided. Even though there is no 100% guarantee that all of them will be successful, it is definitely a better option than paying the cybercriminals and letting them benefit from you.

try it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Security Tools
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Security Tools
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Ryuk virus. Follow these steps

In-depth guide for the Ryuk elimination

You can disable the ransomware virus by activating the Safe Mode with Networking function on your computer. Use these instructions for help:

Important! →
The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.

Step 1. Launch Safe Mode with Networking

Safe Mode environment offers better results of manual virus removal

Windows 7 / Vista / XP
  1. Go to Start.
  2. Choose Shutdown, then Restart, and OK.
  3. When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
  4. Select Safe Mode with Networking from the list.
    Safe Mode option
Windows 10 / Windows 8
  1. Right-click the Start button and choose Settings.
    Settings of the system
  2. Scroll down to find Update & Security.
    Update & security section in settings
  3. On the left, pick Recovery.
  4. Scroll to find Advanced Startup section.
  5. Click Restart now.
  6. Choose Troubleshoot.
  7. Go to Advanced options.
    Troubleshooting options
  8. Select Startup Settings.
    Advanced section
  9. Press Restart.
    Choose the Safe Mode
  10. Choose 5) Enable Safe Mode with Networking.

Step 2. End questionable processes

You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:

  1. Press Ctrl + Shift + Esc keys to open Windows Task Manager.
  2. Click on More details.
    More options of Task manager
  3. Scroll down to Background processes.
  4. Look for anything suspicious.
  5. Right-click and select Open file location.
    Task manager
  6. Go back to the Process tab, right-click and pick End Task.
  7. Delete the contents of the malicious folder.

Step 3. Check the program in Startup

  1. Press Ctrl + Shift + Esc on your keyboard again.
  2. Go to the Startup tab.
  3. Right-click on the suspicious app and pick Disable.
    Disable process

Step 4. Find and eliminate virus files

Data related to the infection can be hidden in various places. Follow the steps and you can find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup option
  2. Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
  3. Scroll through the Files to delete and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Choose the disk clean up
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Eliminate Ryuk using System Restore

System Restore might help you disable the malicious ongoing activity. Follow these guidelines to achieve such goal:

  • Step 1: Restart your computer in Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Command Prompt from the list Choose 'Safe Mode with Command Prompt' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings. Choose 'Enable Safe Mode with Command Prompt' option
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type in cd restore and press Enter. Type 'cd restore' without quotes and hit 'Enter'
    2. Then type rstrui.exe and hit Enter.. Type 'rstrui.exe' without quotes and hit 'Enter'
    3. In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Ryuk and then click on the Next button again. When 'System Restore' wizard comes up, click 'Next'. Choose a preferable restore point and click 'Next'
    4. To start system restore, click Yes. Hit 'Yes' and start system restore
    After restoring the computer system to an antecedent date, install and check your computer with FortectIntego to uncover any remains of Ryuk.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Ryuk from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.

If you have spotted files which are locked by Ryuk ransomware, you should avoid contacting the criminals and paying the demanded price. Rather than that, look through our below-provided methods which can be helpful in data recovery techniques.

There are a couple of methods you can apply to recover data encrypted by Ryuk:

Data Recovery Pro might be a helpful tool for you:

If you want to unlock some of your lost or corrupted documents, give this method a try./GIS]


Try this method to recover some of your data.

  • Download Data Recovery Pro;
  • Install Data Recovery on your computer following the steps indicated in the software’s Setup;
  • Run the program to scan your device for the data encrypted by Ryuk ransomware;
  • Recover the data.

Shadow Explorer tool might help you with data recovery purposes:

Use this tool if the virus did not damage Shadow Copies of corrupted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
  • Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
  • When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.

There is no official Ryuk ransomware decryptor discovered yet.

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Ryuk and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

How to prevent from getting ransomware

Prevent the government from spying on you

As there is a growing debate in government about collecting users' data and spying on citizens, you should take a closer look at this issue and find out what shady ways of gathering information can be used to collect information about you. You need to browse anonymously if you want to avoid any government-initiated spying and tracking of information. 

You can enjoy secure internet browsing and minimize the risk of intrusion into your system if you use Private Internet Access VPN program. This VPN application creates a virtual private network and provides access to the required data without any content restrictions.

Control government and other third party access to your data and ensure safe web browsing. Even if you do not engage in illegal activities and trust your ISP, we recommend being careful about your security. You should take extra precautions and start using a VPN program.

Reduce the threat of viruses by backing up your data

Due to their own careless behavior, computer users can suffer various losses caused by cyber infections. Viruses can affect the functionality of the software or directly corrupt data on your system by encrypting it. These problems can disrupt the system and cause you to lose personal data permanently. There is no such threat if you have the latest backups, as you can easily recover lost data and get back to work.

It is recommended to update the backups in parallel each time the system is modified. This way, you will be able to access the latest saved data after an unexpected virus attack or system failure. By having the latest copies of important documents and projects, you will avoid serious inconveniences. File backups are especially useful if malware attacks your system unexpectedly. We recommend using the Data Recovery Pro program to restore the system.

About the author
Jake Doevan
Jake Doevan - Do not waste your precious time dealing with computer virus infections alone

If you found this free tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.

Contact Jake Doevan
About the company Esolutions

Uninstall guides in different languages