ryuk

General

Target

a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458
Size

443KB
Sample

210515-1fg3q7xf1j
MD5

132b243229390d9edfa25566894c5010
SHA1

a040ad72525fea4e93920889dd90395bbe29d5dd
SHA256

a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458
SHA512

fb9876deb950d1e06ace48c024e6cd9aa1722002db606cdbc5e629309dcf4870a836c963d030273a8ffaa29bc8db33c512255e51c92d72f9d9b5420122db2aa2

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458
- Size
  
  443KB
- MD5
  
  132b243229390d9edfa25566894c5010
- SHA1
  
  a040ad72525fea4e93920889dd90395bbe29d5dd
- SHA256
  
  a5a8bc4eee3bcd751698c57e27dc8688e68127322044ff3c8f7bc01fa093d458
- SHA512
  
  fb9876deb950d1e06ace48c024e6cd9aa1722002db606cdbc5e629309dcf4870a836c963d030273a8ffaa29bc8db33c512255e51c92d72f9d9b5420122db2aa2
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Drops file in Drivers directory

Executes dropped EXE

Modifies extensions of user files

Drops startup file

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2