General

  • Target

    8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

  • Size

    885KB

  • Sample

    221110-g3yxnsfde9

  • MD5

    a57e1e6fe1c98d2e75799a46e9eb5797

  • SHA1

    7878e7042c355546c118a38b90d8f7221f74d8a4

  • SHA256

    8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

  • SHA512

    5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

  • SSDEEP

    12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Cara@onionmail.org or Cara@cyberfear.com You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

Cara@onionmail.org

Cara@cyberfear.com

Targets

    • Target

      8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

    • Size

      885KB

    • MD5

      a57e1e6fe1c98d2e75799a46e9eb5797

    • SHA1

      7878e7042c355546c118a38b90d8f7221f74d8a4

    • SHA256

      8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

    • SHA512

      5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

    • SSDEEP

      12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6

    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables taskbar notifications via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Modifies file permissions

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix

Tasks