ryuk

General

Target

413bd0bab52129e4bafc343c40b16f47771eb154ebb13d415211ac5067cef4b7
Size

351KB
Sample

220220-jympysbdej
MD5

efd0d3409e5e7ffe94f931ff6f09035e
SHA1

c7830b5cadb9320bc8b9876d84acb4e13f90434a
SHA256

413bd0bab52129e4bafc343c40b16f47771eb154ebb13d415211ac5067cef4b7
SHA512

a60fa47ed884327adf98c3ed3e67cf0149678f6c2cf74c3c6c627e579067ad4636afe122fd246fbf0613889af46a096d3656932a4bcad52a12803ff0950b9386

Score

10^/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp Ryuk

Emails

[email protected]

Wallets

1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

Targets

- Target
  
  413bd0bab52129e4bafc343c40b16f47771eb154ebb13d415211ac5067cef4b7
- Size
  
  351KB
- MD5
  
  efd0d3409e5e7ffe94f931ff6f09035e
- SHA1
  
  c7830b5cadb9320bc8b9876d84acb4e13f90434a
- SHA256
  
  413bd0bab52129e4bafc343c40b16f47771eb154ebb13d415211ac5067cef4b7
- SHA512
  
  a60fa47ed884327adf98c3ed3e67cf0149678f6c2cf74c3c6c627e579067ad4636afe122fd246fbf0613889af46a096d3656932a4bcad52a12803ff0950b9386
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2