ryuk

General

Target

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
Size

189KB
Sample

220220-gevkcaacfj
MD5

090826c3c34fb53a639f1d2919e1b44c
SHA1

ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512

d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
- Size
  
  189KB
- MD5
  
  090826c3c34fb53a639f1d2919e1b44c
- SHA1
  
  ab355fed7323cb1dfaf1e32833acd77ffa23c287
- SHA256
  
  7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
- SHA512
  
  d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720
Score

10^/10

ryuk discovery persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
behavioral1 behavioral2