win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, WIZARD SPIDER


Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It has been observed being used to attack companies or professional environments. Cybersecurity experts have found that Ryuk and Hermes ransomware share pieces of code. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-18AreteArete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ransomware Ryuk
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-06-23Bleeping ComputerIonut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-15Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-05-05N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } Deep Analysis of Ryuk Ransomware
Ryuk
2020-04-19SecurityLiterateKyle Cucci
@online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-02c'tChristian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29ZDNetCatalin Cimpanu
@online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } DOD contractor suffers ransomware infection
Ryuk
2020-01-24ReversingLabsRobert Simmons
@online{simmons:20200124:hunting:f99f1f9, author = {Robert Simmons}, title = {{Hunting for Ransomware}}, date = {2020-01-24}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware}, language = {English}, urldate = {2020-01-29} } Hunting for Ransomware
Ryuk
2020-01-24Bleeping ComputerLawrence Abrams
@online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-14Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2019-12-26Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11-01CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-11CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Spanish}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-05FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANT LES RANÇONGICIELS LOCKERGOGA ET RYUK
Ryuk
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-08-20Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
Yara Rules
[TLP:WHITE] win_ryuk_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         |                     

        $sequence_1 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   b803000000           | mov                 eax, 3
            //   eb05                 | jmp                 7
            //   b805000000           | mov                 eax, 5

        $sequence_2 = { ff15???????? b809000000 e9???????? 4533c9 }
            // n = 4, score = 600
            //   ff15????????         |                     
            //   b809000000           | push                edi
            //   e9????????           |                     
            //   4533c9               | dec                 eax

        $sequence_3 = { 498bc1 c3 4053 4883ec20 8bc1 }
            // n = 5, score = 600
            //   498bc1               | push                edi
            //   c3                   | dec                 eax
            //   4053                 | sub                 esp, 0x30
            //   4883ec20             | and                 dword ptr [esp + 0x20], 0
            //   8bc1                 | dec                 ecx

        $sequence_4 = { 4883c020 4883c428 c3 48895c2408 57 4883ec30 8364242000 }
            // n = 7, score = 600
            //   4883c020             | dec                 eax
            //   4883c428             | add                 eax, 0x20
            //   c3                   | dec                 eax
            //   48895c2408           | add                 esp, 0x28
            //   57                   | ret                 
            //   4883ec30             | dec                 eax
            //   8364242000           | mov                 dword ptr [esp + 8], ebx

        $sequence_5 = { 68???????? 6a01 6a00 6814010000 }
            // n = 4, score = 600
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6814010000           | push                0x114

        $sequence_6 = { 488bc3 4883c430 5b c3 48895c2408 48896c2410 }
            // n = 6, score = 600
            //   488bc3               | sub                 esp, 0x30
            //   4883c430             | and                 dword ptr [esp + 0x20], 0
            //   5b                   | mov                 ecx, 8
            //   c3                   | mov                 eax, 9
            //   48895c2408           | inc                 ebp
            //   48896c2410           | xor                 ecx, ecx

        $sequence_7 = { 48897c2430 488d4c2440 c744242802000000 4533c9 4533c0 c744242002000000 ba000000c0 }
            // n = 7, score = 500
            //   48897c2430           | pop                 ebp
            //   488d4c2440           | ret                 
            //   c744242802000000     | push                8
            //   4533c9               | push                esi
            //   4533c0               | jne                 0x3a
            //   c744242002000000     | push                edi
            //   ba000000c0           | push                ebx

        $sequence_8 = { 85c0 7508 6a01 ff15???????? 68???????? 6a01 }
            // n = 6, score = 500
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   68????????           |                     
            //   6a01                 | push                1

        $sequence_9 = { 4885d2 7423 8078ff48 751d 803845 7518 80780152 }
            // n = 7, score = 500
            //   4885d2               | pop                 ebp
            //   7423                 | ret                 
            //   8078ff48             | mov                 edi, edi
            //   751d                 | ret                 4
            //   803845               | mov                 edi, edi
            //   7518                 | push                ebp
            //   80780152             | mov                 ebp, esp

        $sequence_10 = { ff15???????? 488bd8 ff15???????? 83f820 7510 488bcb }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   488bd8               | sub                 esp, 0x30
            //   ff15????????         |                     
            //   83f820               | and                 dword ptr [esp + 0x20], 0
            //   7510                 | mov                 ecx, 8
            //   488bcb               | mov                 eax, 9

        $sequence_11 = { 41b900800000 4533c0 488bd6 488bcf ff15???????? }
            // n = 5, score = 500
            //   41b900800000         | mov                 edi, dword ptr [esp + 8]
            //   4533c0               | dec                 ecx
            //   488bd6               | mov                 eax, ecx
            //   488bcf               | ret                 
            //   ff15????????         |                     

        $sequence_12 = { 4533c0 c744242003000000 ba00000040 ff15???????? }
            // n = 4, score = 500
            //   4533c0               | jne                 0x32
            //   c744242003000000     | push                0x28
            //   ba00000040           | push                esi
            //   ff15????????         |                     

        $sequence_13 = { ff15???????? 448b442468 33d2 b9ffff1f00 ff15???????? }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   448b442468           | push                edi
            //   33d2                 | test                eax, eax
            //   b9ffff1f00           | jne                 0x6a
            //   ff15????????         |                     

        $sequence_14 = { 8bc1 2bc2 d1e8 03c2 c1e806 6bc05a }
            // n = 6, score = 500
            //   8bc1                 | inc                 eax
            //   2bc2                 | push                ebx
            //   d1e8                 | dec                 eax
            //   03c2                 | sub                 esp, 0x20
            //   c1e806               | mov                 eax, ecx
            //   6bc05a               | dec                 eax

        $sequence_15 = { e9???????? 6a04 6800100000 6810270000 }
            // n = 4, score = 400
            //   e9????????           |                     
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6810270000           | push                0x2710

        $sequence_16 = { 7407 48 85c0 7ff0 }
            // n = 4, score = 400
            //   7407                 | je                  9
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff0                 | jg                  0xfffffff2

        $sequence_17 = { ff7508 e8???????? 5e 5d c3 6a08 68???????? }
            // n = 7, score = 400
            //   ff7508               | ret                 
            //   e8????????           |                     
            //   5e                   | inc                 eax
            //   5d                   | push                ebx
            //   c3                   | dec                 eax
            //   6a08                 | sub                 esp, 0x20
            //   68????????           |                     

        $sequence_18 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 }
            // n = 7, score = 400
            //   0f9fc0               | shr                 eax, 1
            //   5d                   | add                 eax, edx
            //   c3                   | shr                 eax, 6
            //   8bff                 | imul                eax, eax, 0x5a
            //   55                   | mul                 ecx
            //   8bec                 | mov                 eax, ecx
            //   8b4508               | sub                 eax, edx

        $sequence_19 = { 488d0d63080000 e8???????? e8???????? 8bc8 e8???????? 85c0 7556 }
            // n = 7, score = 400
            // NOTE(review): 48 8d 0d <disp32> is `lea rcx, [rip + 0x863]` when decoded as
            // x64; a 32-bit decode reads the same bytes as `dec eax` + `lea ecx, [0x863]`.
            // The rest (calls, mov ecx, eax, test/jne on the return value) is valid either way.
            //   488d0d63080000       | lea                 rcx, [rip + 0x863]
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   7556                 | jne                 0x58

        $sequence_20 = { c20400 8bff 55 8bec b8ffff0000 83ec18 66394508 }
            // n = 7, score = 400
            // disassembly re-derived from the hex bytes: `ret 4` (callee pops 4 bytes
            // of arguments) ends one function; the remainder is the next function's
            // prologue and a 16-bit compare of its first argument against 0xffff
            //   c20400               | ret                 4
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b8ffff0000           | mov                 eax, 0xffff
            //   83ec18               | sub                 esp, 0x18
            //   66394508             | cmp                 word ptr [ebp + 8], ax

        $sequence_21 = { e8???????? 84c0 746c e8???????? 488d0d63080000 e8???????? e8???????? }
            // n = 7, score = 400
            // NOTE(review): 48 8d 0d <disp32> decodes as `lea rcx, [rip + 0x863]` in x64
            // (the same constant appears in $sequence_19, so both likely come from the
            // 64-bit build); test al, al / je checks a boolean return from the first call
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   746c                 | je                  0x6e
            //   e8????????           |                     
            //   488d0d63080000       | lea                 rcx, [rip + 0x863]
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_22 = { 8d7602 6685c9 75f1 5e 5d c3 8bff }
            // n = 7, score = 400
            // disassembly re-derived from the hex bytes: a loop that advances esi by 2
            // while cx != 0 (the load into cx is outside this sequence, so this only
            // looks like a wide-char string scan), then epilogue and the next
            // function's mov edi, edi pad
            //   8d7602               | lea                 esi, [esi + 2]
            //   6685c9               | test                cx, cx
            //   75f1                 | jne                 0xfffffff3
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_23 = { ff15???????? 56 ff15???????? be14010000 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   be14010000           | mov                 esi, 0x114

        $sequence_24 = { 6a04 53 53 6800000040 56 ff15???????? 8bf8 }
            // n = 7, score = 300
            //   6a04                 | push                4
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6800000040           | push                0x40000000
            //   56                   | push                esi
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_25 = { 6a00 ff15???????? 6a00 6a02 6a03 }
            // n = 5, score = 300
            // disassembly re-derived from the hex bytes: small immediate argument
            // pushes around an indirect call through a memory pointer (target masked)
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a03                 | push                3

        $sequence_26 = { 85c0 751c 6a08 56 68???????? 57 53 }
            // n = 7, score = 300
            //   85c0                 | test                eax, eax
            //   751c                 | jne                 0x1e
            //   6a08                 | push                8
            //   56                   | push                esi
            //   68????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx

        $sequence_27 = { 6a08 6a18 68???????? 68???????? 68???????? ff15???????? 85c0 }
            // n = 7, score = 300
            // disassembly re-derived from the hex bytes: five argument pushes
            // (8, 0x18, three masked imm32) into an indirect call through a memory
            // pointer, followed by a test of its return value
            //   6a08                 | push                8
            //   6a18                 | push                0x18
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_28 = { 53 ff15???????? 85c0 7554 6a10 56 68???????? }
            // n = 7, score = 300
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7554                 | jne                 0x56
            //   6a10                 | push                0x10
            //   56                   | push                esi
            //   68????????           |                     

        $sequence_29 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_30 = { ba01000000 d1e2 8b45d0 0fb60c10 b8ff000000 2bc1 c1e008 }
            // n = 7, score = 200
            // disassembly re-derived from the hex bytes: edx = 1 << 1 = 2, then the
            // byte at offset 2 of a buffer pointer held in [ebp - 0x30] is read,
            // complemented against 0xff and shifted into bits 8..15 of eax
            //   ba01000000           | mov                 edx, 1
            //   d1e2                 | shl                 edx, 1
            //   8b45d0               | mov                 eax, dword ptr [ebp - 0x30]
            //   0fb60c10             | movzx               ecx, byte ptr [eax + edx]
            //   b8ff000000           | mov                 eax, 0xff
            //   2bc1                 | sub                 eax, ecx
            //   c1e008               | shl                 eax, 8

        $sequence_31 = { 6a0a c1e818 51 50 }
            // n = 4, score = 200
            //   6a0a                 | push                0xa
            //   c1e818               | shr                 eax, 0x18
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_32 = { 57 ff15???????? b80c000000 5f 5e }
            // n = 5, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   b80c000000           | mov                 eax, 0xc
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_33 = { 51 6a00 ffd6 6800400000 }
            // n = 4, score = 200
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6800400000           | push                0x4000

        $sequence_34 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_35 = { 0f85a2000000 8b01 6a00 ff75e4 8b4004 ff75dc 8b4c0838 }
            // n = 7, score = 100
            //   0f85a2000000         | jne                 0xa8
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   6a00                 | push                0
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   ff75dc               | push                dword ptr [ebp - 0x24]
            //   8b4c0838             | mov                 ecx, dword ptr [eax + ecx + 0x38]

        $sequence_36 = { 7d0a 8a80b0ea4300 8803 43 47 8b0e c6459f01 }
            // n = 7, score = 100
            //   7d0a                 | jge                 0xc
            //   8a80b0ea4300         | mov                 al, byte ptr [eax + 0x43eab0]
            //   8803                 | mov                 byte ptr [ebx], al
            //   43                   | inc                 ebx
            //   47                   | inc                 edi
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   c6459f01             | mov                 byte ptr [ebp - 0x61], 1

        $sequence_37 = { 7408 3a81206a4300 7542 8b07 8a10 }
            // n = 5, score = 100
            //   7408                 | je                  0xa
            //   3a81206a4300         | cmp                 al, byte ptr [ecx + 0x436a20]
            //   7542                 | jne                 0x44
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8a10                 | mov                 dl, byte ptr [eax]

    condition:
        7 of them and filesize < 7450624
}