ryuk

General

Target

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8
Size

212KB
Sample

240304-vnxmysgg24
MD5

9951b7f5344d5d0e6728f90c1ffd0a3f
SHA1

5252a37cc0c4171f6261fbcc418d4fca83f0a543
SHA256

0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8
SHA512

2ce934dbeb9888e8125856d0158f23a6c5d007a55f9d71287e308bcf312674642496a1f2aadfe276361b5c4945e37a5c3edde3be83dbdb8d531123fb2335f50f
SSDEEP

3072:skoemwJEECCvcVbQQFrUoR19V6To0Hqs3WvQ:ZEECCElQk3wqFQ

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Targets

- Target
  
  0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8
- Size
  
  212KB
- MD5
  
  9951b7f5344d5d0e6728f90c1ffd0a3f
- SHA1
  
  5252a37cc0c4171f6261fbcc418d4fca83f0a543
- SHA256
  
  0195976bef64857fc4c658d47e08463c1c733a879b793642813df10904c3a8c8
- SHA512
  
  2ce934dbeb9888e8125856d0158f23a6c5d007a55f9d71287e308bcf312674642496a1f2aadfe276361b5c4945e37a5c3edde3be83dbdb8d531123fb2335f50f
- SSDEEP
  
  3072:skoemwJEECCvcVbQQFrUoR19V6To0Hqs3WvQ:ZEECCElQk3wqFQ
Score

10^/10

ryuk ransomware
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
  ransomware ryuk
- Detects command variations typically used by ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops desktop.ini file(s)
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detects command variations typically used by ransomware

Checks computer location settings

Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2