General

  • Target

    1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample

  • Size

    159KB

  • Sample

    210726-2rns9ysqae

  • MD5

    cb0c1248d3899358a375888bb4e8f3fe

  • SHA1

    b72e75e9e901a44b655a5cf89cf0eadcaff46037

  • SHA256

    1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

  • SHA512

    298668596ab422c93ebedf41bc5751941c2646df5bfaf7f374beb207bf38fa6d223186984d71ef25b2c21e068870c9c5cf11626b99350f8799fb0ebaca4a4cee

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at StevKramer@protonmail.com or StevKramer@tutanota.com BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp Ryuk
Emails

StevKramer@protonmail.com

StevKramer@tutanota.com

Wallets

1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

Targets

    • Target

      1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample

    • Size

      159KB

    • MD5

      cb0c1248d3899358a375888bb4e8f3fe

    • SHA1

      b72e75e9e901a44b655a5cf89cf0eadcaff46037

    • SHA256

      1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

    • SHA512

      298668596ab422c93ebedf41bc5751941c2646df5bfaf7f374beb207bf38fa6d223186984d71ef25b2c21e068870c9c5cf11626b99350f8799fb0ebaca4a4cee

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

File Deletion

2
T1107

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Collection

Data from Local System

1
T1005

Impact

Inhibit System Recovery

2
T1490

Tasks