ryuk

General

Target

35ff457Rk.bin.exe.bin
Size

304KB
Sample

210704-cwlk5vja72
MD5

5ecae137bf33ecbb981f3b637b06efc5
SHA1

371e01949b1c7316164021e38d624ffbcba3090a
SHA256

4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3
SHA512

753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'yxFS7vMc'; $torlink = 'http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://vqurn5zgys2zd5z5r5fxnfskpzr74i63ehk7ucmrlbvsuszapwoo62qd.onion

Targets

- Target
  
  35ff457Rk.bin.exe.bin
- Size
  
  304KB
- MD5
  
  5ecae137bf33ecbb981f3b637b06efc5
- SHA1
  
  371e01949b1c7316164021e38d624ffbcba3090a
- SHA256
  
  4f6db0454c9afe37d358d1399fe8932bec799eb257df11eccc6ab87358c4efb3
- SHA512
  
  753a63b1407b21cec5e50bd5ad7158917926c6502ac43ffb61e99a911371798bb05be2845598640ac018dd7d57ccddf3c1f7736d22d0b2c2edde2eb7188d0331
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Modifies extensions of user files

Drops startup file

Loads dropped DLL

Drops desktop.ini file(s)

Enumerates connected drives

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2