ryuk

General

Target

30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122
Size

208KB
Sample

220220-knvhgsbgbr
MD5

c596f71c6048997c88e80b57f045b891
SHA1

ed2b5d11f20648a49a11be1795be5632c412879d
SHA256

30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122
SHA512

e18effe825ca1355bafcaf1da41bdf0485bab3af2898d963c059b922f03c2128756da679667b6480234bb3daed4b2e2a366241782f9f4b404ca7897683cc11eb

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Special warning for system administrators, network administrators and third parties: Do not try to solve this problem by yourselves! Don't change file extensions! It can be dangerous for the encrypted information! Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files.Your system administrators are trying to solve problem by simple file extension changing. This actions seriously increase the time needed to recover your company's PCs and network servers! To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122
- Size
  
  208KB
- MD5
  
  c596f71c6048997c88e80b57f045b891
- SHA1
  
  ed2b5d11f20648a49a11be1795be5632c412879d
- SHA256
  
  30d986f622f5f1f7dbab689ab17293ede8e37edbb1a8709658b2a4320683c122
- SHA512
  
  e18effe825ca1355bafcaf1da41bdf0485bab3af2898d963c059b922f03c2128756da679667b6480234bb3daed4b2e2a366241782f9f4b404ca7897683cc11eb
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Suspicious use of NtCreateProcessExOtherParentProcess

Checks computer location settings

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2