ryuk

General

Target

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
Size

190KB
Sample

220220-jjg6xsbcam
MD5

727cf4d00df34f36c4767f1ab185244a
SHA1

983331a93a5c91cb3ffee97495eef475d43f3f52
SHA256

4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
SHA512

ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Targets

- Target
  
  4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
- Size
  
  190KB
- MD5
  
  727cf4d00df34f36c4767f1ab185244a
- SHA1
  
  983331a93a5c91cb3ffee97495eef475d43f3f52
- SHA256
  
  4a602ad6542e5bbf428f15cd236bad78265bc18f0275340d0ececd5f2d81db9a
- SHA512
  
  ff3e67d7b2d6196ab574d1f1157a4c3190e91f539d363c547b1a2cfe6e0dcf86d59a267dc226d0dfc5766ed82d01a9e782bc5ecfaed7eda433c2ede6199cd0e0
Score

10^/10

ryuk discovery ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
behavioral1 behavioral2