ryuk

General

Target

611756d16d2c0e32589b0baa71b86a74ad6b0ce31957b3cb2ca78fee61c34b85
Size

315KB
Sample

220220-hfd5esagbn
MD5

c1d23b26b074c453fc53c45c7674e32f
SHA1

c39f9181564f7d945d7d95cdebcc069db7fc9e74
SHA256

611756d16d2c0e32589b0baa71b86a74ad6b0ce31957b3cb2ca78fee61c34b85
SHA512

f72d1a8018ccc3953d5d5d36ca5dcf1f3bee4d2f33d79a68cca2b33c3e6f18018f8459046bba7998fd9b6c58c0a20ef1273b1824a0980df15b2c954ae0221121

Score

10^/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Targets

- Target
  
  611756d16d2c0e32589b0baa71b86a74ad6b0ce31957b3cb2ca78fee61c34b85
- Size
  
  315KB
- MD5
  
  c1d23b26b074c453fc53c45c7674e32f
- SHA1
  
  c39f9181564f7d945d7d95cdebcc069db7fc9e74
- SHA256
  
  611756d16d2c0e32589b0baa71b86a74ad6b0ce31957b3cb2ca78fee61c34b85
- SHA512
  
  f72d1a8018ccc3953d5d5d36ca5dcf1f3bee4d2f33d79a68cca2b33c3e6f18018f8459046bba7998fd9b6c58c0a20ef1273b1824a0980df15b2c954ae0221121
Score

10^/10

ryuk persistence ransomware vmprotect
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral1 behavioral2