ryuk

General

Target

2024-02-17_fba034cb2ee768fb4ff42cb71464980b_ryuk
Size

170KB
Sample

240217-ry3eeagd57
MD5

fba034cb2ee768fb4ff42cb71464980b
SHA1

7d7746b8c124621994c4d1a448234c005fa860df
SHA256

a032bc2be51f6a445d671a04d5fd081efb4514105f97545b3222d39666aa787e
SHA512

d6b8556191e009e1d279e11a90296eafee0609238867b7a2ffdb180a448e0d81e447c0c03498f35a067da03a97a5c07337e1c333a57e116f64b4b1d8d1e1c694
SSDEEP

3072:2HeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpnA:2+rA/WSo1rl3ALrlHQpnA

Score

10^/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Targets

- Target
  
  2024-02-17_fba034cb2ee768fb4ff42cb71464980b_ryuk
- Size
  
  170KB
- MD5
  
  fba034cb2ee768fb4ff42cb71464980b
- SHA1
  
  7d7746b8c124621994c4d1a448234c005fa860df
- SHA256
  
  a032bc2be51f6a445d671a04d5fd081efb4514105f97545b3222d39666aa787e
- SHA512
  
  d6b8556191e009e1d279e11a90296eafee0609238867b7a2ffdb180a448e0d81e447c0c03498f35a067da03a97a5c07337e1c333a57e116f64b4b1d8d1e1c694
- SSDEEP
  
  3072:2HeriftL/WSo1vDb53j/8WGUzaqVh4LI8zQpnA:2+rA/WSo1rl3ALrlHQpnA
Score

10^/10

ryuk persistence ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Detects command variations typically used by ransomware
- Detects executables containing many references to VEEAM. Observed in ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
behavioral1 behavioral2