ryuk

General

Target

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
Size

116KB
Sample

220220-apgmxafgcr
MD5

9defe4fa3561d26e7d56ea9faab90602
SHA1

7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c
SHA256

f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
SHA512

e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'Dmf2iVkD4d'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Targets

- Target
  
  f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
- Size
  
  116KB
- MD5
  
  9defe4fa3561d26e7d56ea9faab90602
- SHA1
  
  7ed8e87f01b5c4e4dd38e15d96d145e9fe95f91c
- SHA256
  
  f33933b1f768b8c6fff96fdd46b66d758fb28fc469f8b31e4a3e10f95730fe14
- SHA512
  
  e6ff5c4db2d7d134bd51eabf9550f10aee1f578d44485cca03046ceb926fe348acba56df419f06b2cfeab4faacab097442e98cac985593f5ab865e7753ee9dda
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Modifies file permissions

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2