ryuk

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
Size

144KB
Sample

211020-pzw8nshhhq
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Targets

- Target
  
  8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
- Size
  
  144KB
- MD5
  
  89895cf4c88f13e5797aab63dddf1078
- SHA1
  
  1efc175983a17bd6c562fe7b054045d6dcb341e5
- SHA256
  
  8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
- SHA512
  
  d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Modifies file permissions
  discovery
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1