ryuk

General

Target

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
Size

885KB
Sample

221219-1zdxwagc22
MD5

154b73d0a7aa19df12364a78b235f29f
SHA1

5e39ad8cd8f05d29b7587a876c318be5c0511dcc
SHA256

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea
SHA512

bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0
SSDEEP

12288:D/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgo7Rn6X:DbC8tUlqgQKUKRjsKqgQN6

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
- Size
  
  885KB
- MD5
  
  154b73d0a7aa19df12364a78b235f29f
- SHA1
  
  5e39ad8cd8f05d29b7587a876c318be5c0511dcc
- SHA256
  
  f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea
- SHA512
  
  bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0
- SSDEEP
  
  12288:D/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgo7Rn6X:DbC8tUlqgQKUKRjsKqgQN6
Score

10^/10

ryuk discovery evasion ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Disables taskbar notifications via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Modifies file permissions
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2