ryuk

General

Target

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
Size

203KB
Sample

220219-j8nd8sagfq
MD5

ea9759d8023c9f6f269fbd0875561783
SHA1

1c4c718294647cb7df8dae914100394f2668715a
SHA256

0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
SHA512

2be12260b22224132c27f60c8943303c89210d58b22acc5efce03fb379d912254493df9eee97a7d1777faf7bf5702537331373711690d9621e642cf698140e81

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
- Size
  
  203KB
- MD5
  
  ea9759d8023c9f6f269fbd0875561783
- SHA1
  
  1c4c718294647cb7df8dae914100394f2668715a
- SHA256
  
  0cb5ed3a60aee458e7a5630efb81c85af025938f0469e62772675a2aafc1c27f
- SHA512
  
  2be12260b22224132c27f60c8943303c89210d58b22acc5efce03fb379d912254493df9eee97a7d1777faf7bf5702537331373711690d9621e642cf698140e81
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2