ryuk

General

Target

6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
Size

121KB
Sample

220220-gzthsahec2
MD5

b003a727c9c2e8bec5c17f849c816726
SHA1

23aabb8ab9aa4dfaa55afd29fd09487254b49dff
SHA256

6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
SHA512

21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271

Score

10^/10

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'dc75X5tp'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Targets

- Target
  
  6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
- Size
  
  121KB
- MD5
  
  b003a727c9c2e8bec5c17f849c816726
- SHA1
  
  23aabb8ab9aa4dfaa55afd29fd09487254b49dff
- SHA256
  
  6a9de64813c2e3ad3940f2b5018245bed83bb0e24a6e47c8b0a4114be7aef623
- SHA512
  
  21b79ec4c8a1453bfb5c3fbea7d50b6c69be80dfe0413603ad7643c988821d9ecdd19c49608178958e78d41386e841104fcd58cb32e7ca9ffd203a51a2adc271
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Modifies file permissions

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2