Share this article
Bitcoin Ransomware That Infiltrated 100 US Enterprises Spreads to China
Bounties demanded by the Ryuk hackers reach upwards of $5 million to be paid in bitcoin, according to the FBI.
By Daniel Kuhn
Updated Sep 13, 2021, 11:12 a.m. Published Jul 18, 2019, 6:00 p.m.
A ransomware virus that has successfully infiltrated more than 100 government and private enterprises in the U.S. and internationally has been detected in China, according to a recent Tencent Security report.
Dubbed Ryuk, the pernicious code targets “logistics companies, technology companies and small municipalities” with high data value, demanding bounties upward of $5 million paid in bitcoin, according to the Federal Bureau of Investigation (FBI).
STORY CONTINUES BELOW
Don't miss another story.Subscribe to the Crypto Daybook Americas Newsletter today. See all newsletters
In January, Ryuk was thought to be behind a hack of Tribune Publishing, affecting all of the media conglomerate’s outlets. In June, officials in Lake City, Florida paid out a $460,000 ransom after the city’s computer systems went dark. This was two weeks after Riviera Beach, Florida’s $600,000 hijacking.
Ryuk is thought to be a modified version of the Hermes virus, which debuted in August 2018. It spreads through the usual botnet and spam methods, and infiltrates through undefended IP ports.
Once installed, the malicious malware deletes all files related to the intrusion, and kills antivirus processes, thereby obscuring the infection vector. In one case, however, FBI agents found evidence Ryuk entered through a Remote Desktop Protocols brute force attack.
The agency wrote in a Flash:
“After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded… once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”
The virus also drops a “RyukReadMe” file that opens the blackmail letter on the victim’s internet browser. The html webpage lists only the two hacker’s email addresses in the upper left hand corner, the name of the virus in the center of the page, and the cryptic phrase “balance of shadow universe” in the bottom right corner.
The FBI has been tracking the virus since 2018 and have noticed a number of modifications. It's reported the Chinese variant simultaneously runs a 32-bit and 64-bit blackmail module, which may enable further evolution of the bug.
It is has not been disclosed how many Chinese enterprises have been infected as of press time, or the total amount the hackers have ransomed.
Tencent did not return a request for comment regarding this article.
Hacker image via Shutterstock
More For You
What to know:
- As of October 2025, GoPlus has generated $4.7M in total revenue across its product lines. The GoPlus App is the primary revenue driver, contributing $2.5M (approx. 53%), followed by the SafeToken Protocol at $1.7M.
- GoPlus Intelligence's Token Security API averaged 717 million monthly calls year-to-date in 2025 , with a peak of nearly 1 billion calls in February 2025. Total blockchain-level requests, including transaction simulations, averaged an additional 350 million per month.
- Since its January 2025 launch , the $GPS token has registered over $5B in total spot volume and $10B in derivatives volume in 2025. Monthly spot volume peaked in March 2025 at over $1.1B , while derivatives volume peaked the same month at over $4B.
More For You
Crypto Markets Today: Traders Seek Catalysts After Bitcoin’s Post-Fed Pullback
The crypto market slipped to the lower end of its range after the Federal Reserve’s 25bps rate cut failed to spark fresh momentum.
What to know:
- BTC is trading near $90,350 after defending the $88,200 support zone, but momentum remains capped below the key $94,500 resistance level.
- Implied volatility fell to its lowest since November, ETH/BTC IV spreads widened, and risk reversals stayed negative across tenors while open interest declined—most sharply in ADA.
- Low-liquidity conditions dragged tokens like ETHFI, FET, ADA and PUMP down more than 8%, while privacy-focused XMR stood out with gains as the broader altcoin season index slumped to 19/100.
Top Stories
