ryuk

General

Target

307a8158e698680c7186e3c1481b29186d8b265bb83662397a54f235b0c9a3d1
Size

144KB
Sample

210710-g2v7q9tc6e
MD5

b1ad9afd96168db991f79eb546d6b79a
SHA1

9fbfbe72774b9cc3d174daa7b8be76bf8cb57ecf
SHA256

307a8158e698680c7186e3c1481b29186d8b265bb83662397a54f235b0c9a3d1
SHA512

677f25200f29b010895a335ac2171fdea359e9d59d4f91fa2d8c46b89c9933582f3e46ecf0026e4fb247d5acb430d74fec54368f7e27e74ff201385b77e65d13

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'g2JGFG1ll'; $torlink = 'http://nqm76vazre4sqqrbhtxdaei5iud5u7qrmis4bavj3kw5vzormeqqvfid.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://nqm76vazre4sqqrbhtxdaei5iud5u7qrmis4bavj3kw5vzormeqqvfid.onion

Targets

- Target
  
  307a8158e698680c7186e3c1481b29186d8b265bb83662397a54f235b0c9a3d1
- Size
  
  144KB
- MD5
  
  b1ad9afd96168db991f79eb546d6b79a
- SHA1
  
  9fbfbe72774b9cc3d174daa7b8be76bf8cb57ecf
- SHA256
  
  307a8158e698680c7186e3c1481b29186d8b265bb83662397a54f235b0c9a3d1
- SHA512
  
  677f25200f29b010895a335ac2171fdea359e9d59d4f91fa2d8c46b89c9933582f3e46ecf0026e4fb247d5acb430d74fec54368f7e27e74ff201385b77e65d13
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2