ryuk

General

Target

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
Size

190KB
Sample

220306-d9h81shhf6
MD5

65865d94596a90b7e6204deb1de53c3d
SHA1

282e3776f86d3b0b2916ed6047ad272fe2f0cf6e
SHA256

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
SHA512

3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

unumschooler1972@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

unumschooler1972@protonmail.com balance of shadow universe Ryuk

Emails

unumschooler1972@protonmail.com

Targets

- Target
  
  683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
- Size
  
  190KB
- MD5
  
  65865d94596a90b7e6204deb1de53c3d
- SHA1
  
  282e3776f86d3b0b2916ed6047ad272fe2f0cf6e
- SHA256
  
  683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
- SHA512
  
  3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Drops file in Drivers directory

Executes dropped EXE

Modifies extensions of user files

Checks computer location settings

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2