General

  • Target

    2024-05-26_9694a757610e36c089f6a67bfdb9b7bc_ryuk

  • Size

    202KB

  • Sample

    240526-b3hmssac4v

  • MD5

    9694a757610e36c089f6a67bfdb9b7bc

  • SHA1

    207d8312e9bcfffb4b8b3e616b23b9996d1ebb00

  • SHA256

    56831ca7d36b4c44b0730bc0fde49fd3fa4a626c04e90334022312f75fcebd95

  • SHA512

    49257d7ee75e423f0121a72fde0f7c3b8157985e841cb066b412d78cd107c6f7db6f745889523bc123958682a7e66518eaba7b7a6f11cfc0b521ac0478a5f728

  • SSDEEP

    1536:mGpouhuhkoWnR16e25SEhTMSj/kwgDmVKfY3wKEp8EgIbsW9d7B9dleMPQUlRH6:khkoa6ebEhoSNzVK0wKEpf19VMMoe6

Score
10/10

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note
Your network has been penetrated. All files on each network host have been encrypted with a strong algorithm. Backups were encrypted too. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. Only we have exclusive decryption software, suitable for your situation. More than a year ago, world experts recognized the impossibility of such encryption deciphering by any means except the original decoder. No decryption software is available in the public. Antivirus companies, researchers, IT specialists, and any other persons cannot help you to decipher the data. Decryption takes from ten minutes up to several hours. It is performed automatically and doesn't require from you any actions except decoder launching. DO NOT RESET OR SHUTDOWN SYSTEM � files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions. Send 2 different random files and you will get them back decrypted. It can be from different computers on your network to be sure that one key decrypts everything. We will unlock 2 files for free. To get info (decrypt your files) contact us a SirkingDestro90@protonmail.com or RyeleeKuramoto90@protonmail.com You will receive btc address for payment in the reply letter Ryuk No system is safe
Emails

SirkingDestro90@protonmail.com

RyeleeKuramoto90@protonmail.com

Targets

    • Target

      2024-05-26_9694a757610e36c089f6a67bfdb9b7bc_ryuk

    • Size

      202KB

    • MD5

      9694a757610e36c089f6a67bfdb9b7bc

    • SHA1

      207d8312e9bcfffb4b8b3e616b23b9996d1ebb00

    • SHA256

      56831ca7d36b4c44b0730bc0fde49fd3fa4a626c04e90334022312f75fcebd95

    • SHA512

      49257d7ee75e423f0121a72fde0f7c3b8157985e841cb066b412d78cd107c6f7db6f745889523bc123958682a7e66518eaba7b7a6f11cfc0b521ac0478a5f728

    • SSDEEP

      1536:mGpouhuhkoWnR16e25SEhTMSj/kwgDmVKfY3wKEp8EgIbsW9d7B9dleMPQUlRH6:khkoa6ebEhoSNzVK0wKEpf19VMMoe6

    Score
    10/10
    • Ryuk

      Ransomware distributed via existing botnets, often Trickbot or Emotet.

    • Detects command variations typically used by ransomware

    • Renames multiple (2584) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops desktop.ini file(s)

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.