General

  • Target

    1659503da5d0318c6025ea87b125b4917d53f4f666461b42d7cc2552ac2b3992

  • Size

    155KB

  • Sample

    220220-lxrcvsccfl

  • MD5

    c5609ab395ee733f889c28d9f93f2af3

  • SHA1

    ee4099fc9381c45aaa32505521a8dbc1daf3ff78

  • SHA256

    1659503da5d0318c6025ea87b125b4917d53f4f666461b42d7cc2552ac2b3992

  • SHA512

    39fa80bc077b24b1f8814b19722613b472343dded1fd14b1231e11a6b03c2ae477db2f787a4f2d72b39b611c2070ad833068e2e01fd18e9cab257414e2ce1caf

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at FreedSmitt@protonmail.com or FreedSmitt@tutanota.com BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp Ryuk
Emails

FreedSmitt@protonmail.com

FreedSmitt@tutanota.com

Wallets

1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

Targets

    • Target

      1659503da5d0318c6025ea87b125b4917d53f4f666461b42d7cc2552ac2b3992

    • Size

      155KB

    • MD5

      c5609ab395ee733f889c28d9f93f2af3

    • SHA1

      ee4099fc9381c45aaa32505521a8dbc1daf3ff78

    • SHA256

      1659503da5d0318c6025ea87b125b4917d53f4f666461b42d7cc2552ac2b3992

    • SHA512

      39fa80bc077b24b1f8814b19722613b472343dded1fd14b1231e11a6b03c2ae477db2f787a4f2d72b39b611c2070ad833068e2e01fd18e9cab257414e2ce1caf

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks