General

  • Target

    17ad1d64baf39c16612ac1c056fc9c23b73d180451bcd8c170fce0861129afaa

  • Size

    170KB

  • Sample

    220220-lv538sccdp

  • MD5

    83ca718ae747c80564e1a888051301a5

  • SHA1

    487f7828ea059d5730aafbfa54b8f86b2e6f321c

  • SHA256

    17ad1d64baf39c16612ac1c056fc9c23b73d180451bcd8c170fce0861129afaa

  • SHA512

    ad3b69ff2407cba0ae28d5537f98a0fdd2143705f0ab8fd9b9be342721dfb846252653cc0dd56038b6a32bc2979c43dd83ad87644e616c61bfed3b58c3f24a1f

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Targets

    • Target

      17ad1d64baf39c16612ac1c056fc9c23b73d180451bcd8c170fce0861129afaa

    • Size

      170KB

    • MD5

      83ca718ae747c80564e1a888051301a5

    • SHA1

      487f7828ea059d5730aafbfa54b8f86b2e6f321c

    • SHA256

      17ad1d64baf39c16612ac1c056fc9c23b73d180451bcd8c170fce0861129afaa

    • SHA512

      ad3b69ff2407cba0ae28d5537f98a0fdd2143705f0ab8fd9b9be342721dfb846252653cc0dd56038b6a32bc2979c43dd83ad87644e616c61bfed3b58c3f24a1f

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks