Overview

overview

10

Static

static

Ryuk

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ignorant-bike.exe

  • Size

    170KB

  • Sample

    210422-scw7j3y2jj

  • MD5

    29340643ca2e6677c19e1d3bf351d654

  • SHA1

    1581fe76e3c96dc33182daafd09c8cf5c17004e0

  • SHA256

    113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

  • SHA512

    cf505569f38f7c2d5200faba24bb0713eaba920ebf073d641eb07eda136563258e1ca2c95ff9ea03f3760c77cff9f543c7905a39e00cfe3c89ef79a5cb3305a0

Score
10/10
ryukpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ Ryuk No system is safe
Wallets

1KURvApbe1yC7qYxkkkvtdZ7hrNjdp18sQ

Targets

    • Target

      ignorant-bike.exe

    • Size

      170KB

    • MD5

      29340643ca2e6677c19e1d3bf351d654

    • SHA1

      1581fe76e3c96dc33182daafd09c8cf5c17004e0

    • SHA256

      113af75f13547be184822f1268f984b79f35965a1b1f963d23b50a09741b0aec

    • SHA512

      cf505569f38f7c2d5200faba24bb0713eaba920ebf073d641eb07eda136563258e1ca2c95ff9ea03f3760c77cff9f543c7905a39e00cfe3c89ef79a5cb3305a0

    Score
    10/10
    ryukpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks