ryuk

General

Target

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
Size

190KB
Sample

220506-scpf4acgak
MD5

ffef678beca8ee60200bc88809d89630
SHA1

b31070af1ac3e088dfc6f1599f8d12edb1b16783
SHA256

320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
SHA512

54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> monsbumide1974@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

monsbumide1974@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Publishers\RyukReadMe.html

Family

ryuk

Ransom Note

monsbumide1974@protonmail.com balance of shadow universe Ryuk

Emails

monsbumide1974@protonmail.com

Targets

- Target
  
  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
- Size
  
  190KB
- MD5
  
  ffef678beca8ee60200bc88809d89630
- SHA1
  
  b31070af1ac3e088dfc6f1599f8d12edb1b16783
- SHA256
  
  320c98a9fd479c43fde9d3773a9eccd58e6cc63d1ba93343222c0b565460d689
- SHA512
  
  54298098a866e24d99e3764154ae3ca4481e9163fd6e9e0d2c27d7978065a38da38accd58268c985b4ed0cfd4c11a27f4fa51e815c2d7a15e3ec18c453df89c3
Score

10^/10

ryuk discovery persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral1 behavioral2