win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, WIZARD SPIDER

Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
2020-01-14 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2019-12-26 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21 ⋅ DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19 ⋅ MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15 ⋅ Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09 ⋅ EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27 ⋅ Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-06 ⋅ Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11 ⋅ CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-11-01 ⋅ CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-05-09 ⋅ GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-05 ⋅ FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02 ⋅ CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26 ⋅ ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk
2019-01-11 ⋅ FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10 ⋅ CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09 ⋅ McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019 ⋅ Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29 ⋅ Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-08-20 ⋅ Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
Yara Rules
[TLP:WHITE] win_ryuk_auto (20190204 | autogenerated rule brought to you by yara-signator)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { c3 4053 4883ec20 8bc1 498bd8 33c9 4c8bda }
            // n = 7, score = 600
            //   c3                   | dec                 eax
            //   4053                 | mov                 eax, ebx
            //   4883ec20             | dec                 eax
            //   8bc1                 | add                 esp, 0x30
            //   498bd8               | pop                 ebx
            //   33c9                 | ret                 
            //   4c8bda               | dec                 eax

        $sequence_1 = { 415e c3 4053 4883ec20 488bd9 33c9 48890b }
            // n = 7, score = 600
            //   415e                 | mov                 dword ptr [esp + 8], ebx
            //   c3                   | dec                 eax
            //   4053                 | mov                 dword ptr [esp + 0x10], ebp
            //   4883ec20             | ret                 
            //   488bd9               | inc                 eax
            //   33c9                 | push                ebx
            //   48890b               | dec                 eax

        $sequence_2 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   b803000000           | sub                 esp, 0x20
            //   eb05                 | mov                 eax, ecx
            //   b805000000           | dec                 ecx

        $sequence_3 = { 4983c8ff e8???????? 488bc3 4883c430 5b c3 48895c2408 }
            // n = 7, score = 600
            //   4983c8ff             | dec                 ecx
            //   e8????????           |                     
            //   488bc3               | or                  eax, 0xffffffff
            //   4883c430             | dec                 eax
            //   5b                   | mov                 eax, ebx
            //   c3                   | dec                 eax
            //   48895c2408           | add                 esp, 0x30

        $sequence_4 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 600
            //   e8????????           |                     
            //   e8????????           |                     
            //   b9e8030000           | jmp                 0xc
            //   ff15????????         |                     

        $sequence_5 = { b809000000 e9???????? 4533c9 4533c0 }
            // n = 4, score = 600
            //   b809000000           | pop                 ebx
            //   e9????????           |                     
            //   4533c9               | ret                 
            //   4533c0               | dec                 eax

        $sequence_6 = { 4c8d05???????? 488d15???????? 488d0d???????? ff15???????? 85c0 }
            // n = 5, score = 600
            //   4c8d05????????       |                     
            //   488d15????????       |                     
            //   488d0d????????       |                     
            //   ff15????????         |                     
            //   85c0                 | dec                 eax

        $sequence_7 = { eb04 4883c020 4883c428 c3 48895c2408 57 4883ec30 }
            // n = 7, score = 600
            //   eb04                 | inc                 eax
            //   4883c020             | push                ebx
            //   4883c428             | dec                 eax
            //   c3                   | sub                 esp, 0x20
            //   48895c2408           | mov                 eax, ecx
            //   57                   | dec                 ecx
            //   4883ec30             | mov                 ebx, eax

        $sequence_8 = { 50 e8???????? 50 57 6800000030 e8???????? }
            // n = 6, score = 400
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   57                   | push                edi
            //   6800000030           | push                0x30000000
            //   e8????????           |                     

        $sequence_9 = { 6800000030 e8???????? 83c408 85c0 }
            // n = 4, score = 400
            //   6800000030           | push                0x30000000
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax

        $sequence_10 = { b900000030 2bc1 50 51 e8???????? 59 }
            // n = 6, score = 400
            //   b900000030           | mov                 ecx, 0x30000000
            //   2bc1                 | sub                 eax, ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_11 = { 8b4508 2d00000030 50 6800000030 e8???????? }
            // n = 5, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   2d00000030           | sub                 eax, 0x30000000
            //   50                   | push                eax
            //   6800000030           | push                0x30000000
            //   e8????????           |                     

        $sequence_12 = { 8d45f0 64a300000000 8965e8 c745fc00000000 6800000030 }
            // n = 5, score = 400
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8965e8               | mov                 dword ptr [ebp - 0x18], esp
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6800000030           | push                0x30000000

        $sequence_13 = { c745fc00000000 6800000030 e8???????? 83c404 85c0 7454 8b4508 }
            // n = 7, score = 400
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6800000030           | push                0x30000000
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   85c0                 | test                eax, eax
            //   7454                 | je                  0x56
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_14 = { 6823110030 51 e8???????? 8bf0 }
            // n = 4, score = 300
            //   6823110030           | push                0x30001123
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_15 = { 754f b90b010000 66398818000030 7541 8b4508 b900000030 2bc1 }
            // n = 7, score = 300
            //   754f                 | jne                 0x51
            //   b90b010000           | mov                 ecx, 0x10b
            //   66398818000030       | cmp                 word ptr [eax + 0x30000018], cx
            //   7541                 | jne                 0x43
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   b900000030           | mov                 ecx, 0x30000000
            //   2bc1                 | sub                 eax, ecx

        $sequence_16 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_17 = { 6a00 ffd6 6800400000 6a40 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6800400000           | push                0x4000
            //   6a40                 | push                0x40

        $sequence_18 = { 57 ff15???????? b80c000000 5f }
            // n = 4, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   b80c000000           | mov                 eax, 0xc
            //   5f                   | pop                 edi

        $sequence_19 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_20 = { 6a00 ff15???????? 6a00 6a02 6a03 6a00 }
            // n = 6, score = 200
            //   6a00                 | sub                 eax, ecx
            //   ff15????????         |                     
            //   6a00                 | push                eax
            //   6a02                 | push                ecx
            //   6a03                 | add                 esp, 4
            //   6a00                 | test                eax, eax

        $sequence_21 = { c20400 8bff 55 8bec b8ffff0000 83ec18 }
            // n = 6, score = 200
            //   c20400               | push                eax
            //   8bff                 | push                ecx
            //   55                   | mov                 eax, dword ptr [ebp + 8]
            //   8bec                 | mov                 ecx, 0x30000000
            //   b8ffff0000           | sub                 eax, ecx
            //   83ec18               | push                eax

        $sequence_22 = { 6a0a c1e818 51 50 }
            // n = 4, score = 200
            //   6a0a                 | push                0xa
            //   c1e818               | shr                 eax, 0x18
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_23 = { ff15???????? b808000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b808000000           | mov                 eax, 8
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_24 = { 7e19 ff734c 4e 0fbe0406 }
            // n = 4, score = 100
            //   7e19                 | jle                 0x1b
            //   ff734c               | push                dword ptr [ebx + 0x4c]
            //   4e                   | dec                 esi
            //   0fbe0406             | movsx               eax, byte ptr [esi + eax]

        $sequence_25 = { 0f849e000000 833e00 0f8595000000 6a44 e8???????? }
            // n = 5, score = 100
            //   0f849e000000         | je                  0xa4
            //   833e00               | cmp                 dword ptr [esi], 0
            //   0f8595000000         | jne                 0x9b
            //   6a44                 | push                0x44
            //   e8????????           |                     

    condition:
        7 of them
}
Download all Yara Rules