ryuk

General

Target

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
Size

203KB
Sample

220220-f6esjaabfn
MD5

071ccc24faaf0a8577075b7466293e8c
SHA1

8beed359f92bfc5e14384783526f77049eb2cb9a
SHA256

7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
SHA512

454f5db75da3285cc28795078b598b8995d6a3fd586084b68c583029455a437905b5e58451992b3277ff61a1cd3b09a6107d4b94810128a738496137c4a62f90

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
- Size
  
  203KB
- MD5
  
  071ccc24faaf0a8577075b7466293e8c
- SHA1
  
  8beed359f92bfc5e14384783526f77049eb2cb9a
- SHA256
  
  7ac8689ab907526b77e6294a8e91280b562046dc674a1a21e7f8e953821bccd9
- SHA512
  
  454f5db75da3285cc28795078b598b8995d6a3fd586084b68c583029455a437905b5e58451992b3277ff61a1cd3b09a6107d4b94810128a738496137c4a62f90
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2