ryuk

General

Target

c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d
Size

123KB
Sample

220220-cy7a2afgf6
MD5

d1f9c714cf20a56b8d9098576b414a54
SHA1

0fa4bfde84904faa39e495719ee2b8082726cd69
SHA256

c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d
SHA512

8aac5846d4ee49e550064c2c10bd0ec3ee0606cef67654b88635c5bf51da97aa59a7ad29b48b0bbe4b1f3e429691e175824e117d957183fabcb0f6c1a00737e0

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'v2h23wYU3a'; $torlink = 'http://uxehdntwmf6g6fz6237ml4ka6ht4o2yx2dvmvnj36a6wisyxhrapnfqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://uxehdntwmf6g6fz6237ml4ka6ht4o2yx2dvmvnj36a6wisyxhrapnfqd.onion

Targets

- Target
  
  c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d
- Size
  
  123KB
- MD5
  
  d1f9c714cf20a56b8d9098576b414a54
- SHA1
  
  0fa4bfde84904faa39e495719ee2b8082726cd69
- SHA256
  
  c0784c03bfbe0ea483b6ae318d51de57ae1019cec8b6a12cbd58f66d59fd545d
- SHA512
  
  8aac5846d4ee49e550064c2c10bd0ec3ee0606cef67654b88635c5bf51da97aa59a7ad29b48b0bbe4b1f3e429691e175824e117d957183fabcb0f6c1a00737e0
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Modifies file permissions

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2