Overview

overview

10

Static

static

Ryuk

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rustic-exit

  • Size

    170KB

  • Sample

    210427-dd98lmh7kj

  • MD5

    ddc6244c5569e9a1eadcf9b2ae67fb33

  • SHA1

    1f866ee8de998d271c67b5261513d2385ba2acfb

  • SHA256

    8051d4bd377a47df8d88b7a38ed6a6fdba0d0f65bad9b87582d7ad6eabc0dab9

  • SHA512

    0ef52aa99ff9a5fc07aff11a289966b958a5154cc2803459788d47b14884405ca0e1ef6f4732b1d8f14d73ddc6d20d314623f02fe24c4f42b5226f788c561ae6

Score
10/10
ryukpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Targets

    • Target

      rustic-exit

    • Size

      170KB

    • MD5

      ddc6244c5569e9a1eadcf9b2ae67fb33

    • SHA1

      1f866ee8de998d271c67b5261513d2385ba2acfb

    • SHA256

      8051d4bd377a47df8d88b7a38ed6a6fdba0d0f65bad9b87582d7ad6eabc0dab9

    • SHA512

      0ef52aa99ff9a5fc07aff11a289966b958a5154cc2803459788d47b14884405ca0e1ef6f4732b1d8f14d73ddc6d20d314623f02fe24c4f42b5226f788c561ae6

    Score
    10/10
    ryukpersistenceransomwarespywarestealer

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

      ransomwareryuk

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks