SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, WIZARD SPIDER

Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
2020-11-20ZDNetCatalin Cimpanu
@online{cimpanu:20201120:malware:0b8ff59, author = {Catalin Cimpanu}, title = {{The malware that usually installs ransomware and you need to remove right away}}, date = {2020-11-20}, organization = {ZDNet}, url = {https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/}, language = {English}, urldate = {2020-11-23} } The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-19ThreatpostElizabeth Montalbano
@online{montalbano:20201119:exploits:f40feb2, author = {Elizabeth Montalbano}, title = {{APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies}}, date = {2020-11-19}, organization = {Threatpost}, url = {https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/}, language = {English}, urldate = {2020-11-23} } APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk
2020-11-18DomainToolsJoe Slowik
@online{slowik:20201118:analyzing:abccd43, author = {Joe Slowik}, title = {{Analyzing Network Infrastructure as Composite Objects}}, date = {2020-11-18}, organization = {DomainTools}, url = {https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects}, language = {English}, urldate = {2020-11-19} } Analyzing Network Infrastructure as Composite Objects
Ryuk
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware
2020-11-06Advanced IntelligenceVitali Kremez
@online{kremez:20201106:anatomy:b2ce3ae, author = {Vitali Kremez}, title = {{Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike}}, date = {2020-11-06}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike}, language = {English}, urldate = {2020-11-09} } Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Twitter (@ffforward)TheAnalyst
@online{theanalyst:20201105:zloader:c4bab85, author = {TheAnalyst}, title = {{Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK}}, date = {2020-11-05}, organization = {Twitter (@ffforward)}, url = {https://twitter.com/ffforward/status/1324281530026524672}, language = {English}, urldate = {2020-11-09} } Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-05SCYTHEJorge Orchilles, Sean Lyngaas
@online{orchilles:20201105:threatthursday:a3297b9, author = {Jorge Orchilles and Sean Lyngaas}, title = {{#ThreatThursday - Ryuk}}, date = {2020-11-05}, organization = {SCYTHE}, url = {https://www.scythe.io/library/threatthursday-ryuk}, language = {English}, urldate = {2020-11-06} } #ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05The DFIR ReportThe DFIR Report
@online{report:20201105:ryuk:ceaa823, author = {The DFIR Report}, title = {{Ryuk Speed Run, 2 Hours to Ransom}}, date = {2020-11-05}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/}, language = {English}, urldate = {2020-11-06} } Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05Github (scythe-io)SCYTHE
@online{scythe:20201105:ryuk:8d7c4de, author = {SCYTHE}, title = {{Ryuk Adversary Emulation Plan}}, date = {2020-11-05}, organization = {Github (scythe-io)}, url = {https://github.com/scythe-io/community-threats/tree/master/Ryuk}, language = {English}, urldate = {2020-11-11} } Ryuk Adversary Emulation Plan
Ryuk
2020-11-04VMRayGiovanni Vigna
@online{vigna:20201104:trick:a59a333, author = {Giovanni Vigna}, title = {{Trick or Threat: Ryuk ransomware targets the health care industry}}, date = {2020-11-04}, organization = {VMRay}, url = {https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/}, language = {English}, urldate = {2020-11-06} } Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-31splunkRyan Kovar
@online{kovar:20201031:ryuk:735f563, author = {Ryan Kovar}, title = {{Ryuk and Splunk Detections}}, date = {2020-10-31}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html}, language = {English}, urldate = {2020-11-02} } Ryuk and Splunk Detections
Ryuk
2020-10-30Github (ThreatConnect-Inc)ThreatConnect
@online{threatconnect:20201030:unc:b3ae3d0, author = {ThreatConnect}, title = {{UNC 1878 Indicators from Threatconnect}}, date = {2020-10-30}, organization = {Github (ThreatConnect-Inc)}, url = {https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv}, language = {English}, urldate = {2020-11-06} } UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-30CofenseThe Cofense Intelligence Team
@online{team:20201030:ryuk:9166a9a, author = {The Cofense Intelligence Team}, title = {{The Ryuk Threat: Why BazarBackdoor Matters Most}}, date = {2020-10-30}, organization = {Cofense}, url = {https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/}, language = {English}, urldate = {2020-11-02} } The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-29Bleeping ComputerLawrence Abrams
@online{abrams:20201029:hacking:c8d5379, author = {Lawrence Abrams}, title = {{Hacking group is targeting US hospitals with Ryuk ransomware}}, date = {2020-10-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk
2020-10-29Palo Alto Networks Unit 42Brittany Barbehenn, Doel Santos, Brad Duncan
@online{barbehenn:20201029:threat:de33a6d, author = {Brittany Barbehenn and Doel Santos and Brad Duncan}, title = {{Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector}}, date = {2020-10-29}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/ryuk-ransomware/}, language = {English}, urldate = {2020-11-02} } Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-29Twitter (@anthomsec)Andrew Thompson
@online{thompson:20201029:unc1878:26c88d4, author = {Andrew Thompson}, title = {{Tweet on UNC1878 activity}}, date = {2020-10-29}, organization = {Twitter (@anthomsec)}, url = {https://twitter.com/anthomsec/status/1321865315513520128}, language = {English}, urldate = {2020-11-04} } Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-29CNNVivian Salama, Alex Marquardt, Lauren Mascarenhas
@online{salama:20201029:several:88d8127, author = {Vivian Salama and Alex Marquardt and Lauren Mascarenhas}, title = {{Several hospitals targeted in new wave of ransomware attacks}}, date = {2020-10-29}, organization = {CNN}, url = {https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html}, language = {English}, urldate = {2020-11-02} } Several hospitals targeted in new wave of ransomware attacks
Ryuk
2020-10-29Twitter (@SophosLabs)SophosLabs
@online{sophoslabs:20201029:similarities:408a640, author = {SophosLabs}, title = {{Tweet on similarities between BUER in-memory loader & RYUK in-memory loader}}, date = {2020-10-29}, organization = {Twitter (@SophosLabs)}, url = {https://twitter.com/SophosLabs/status/1321844306970251265}, language = {English}, urldate = {2020-11-02} } Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-29RiskIQRiskIQ
@online{riskiq:20201029:ryuk:0643968, author = {RiskIQ}, title = {{Ryuk Ransomware: Extensive Attack Infrastructure Revealed}}, date = {2020-10-29}, organization = {RiskIQ}, url = {https://community.riskiq.com/article/0bcefe76}, language = {English}, urldate = {2020-11-02} } Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29ReutersChristopher Bing, Joseph Menn
@online{bing:20201029:building:ceeb50f, author = {Christopher Bing and Joseph Menn}, title = {{Building wave of ransomware attacks strike U.S. hospitals}}, date = {2020-10-29}, organization = {Reuters}, url = {https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP}, language = {English}, urldate = {2020-11-02} } Building wave of ransomware attacks strike U.S. hospitals
Ryuk
2020-10-29McAfeeMcAfee Labs
@techreport{labs:20201029:mcafee:84eed4e, author = {McAfee Labs}, title = {{McAfee Labs Threat Advisory Ransom-Ryuk}}, date = {2020-10-29}, institution = {McAfee}, url = {https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf}, language = {English}, urldate = {2020-11-02} } McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk
2020-10-29Red CanaryThe Red Canary Team
@online{team:20201029:bazar:1846b93, author = {The Red Canary Team}, title = {{A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak}}, date = {2020-10-29}, organization = {Red Canary}, url = {https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/}, language = {English}, urldate = {2020-11-02} } A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-28Youtube (SANS Institute)Katie Nickels, Van Ta, Aaron Stephens
@online{nickels:20201028:spooky:3bf0a0a, author = {Katie Nickels and Van Ta and Aaron Stephens}, title = {{Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast}}, date = {2020-10-28}, organization = {Youtube (SANS Institute)}, url = {https://www.youtube.com/watch?v=CgDtm05qApE}, language = {English}, urldate = {2020-11-04} } Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878
2020-10-28CISACISA, FBI, HHS
@techreport{cisa:20201028:aa20302a:80b6a06, author = {CISA and FBI and HHS}, title = {{AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector}}, date = {2020-10-28}, institution = {CISA}, url = {https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf}, language = {English}, urldate = {2020-11-02} } AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk
2020-10-28Youtube (SANS Digital Forensics and Incident Response)Van Ta, Aaron Stephens, Katie Nickels
@online{ta:20201028:star:16965fb, author = {Van Ta and Aaron Stephens and Katie Nickels}, title = {{STAR Webcast: Spooky RYUKy: The Return of UNC1878}}, date = {2020-10-28}, organization = {Youtube (SANS Digital Forensics and Incident Response)}, url = {https://www.youtube.com/watch?v=BhjQ6zsCVSc}, language = {English}, urldate = {2020-11-02} } STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk
2020-10-28FireEyeKimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
@online{goody:20201028:unhappy:c0d2e4b, author = {Kimberly Goody and Jeremy Kennelly and Joshua Shilko and Steve Elovitz and Douglas Bienstock}, title = {{Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser}}, date = {2020-10-28}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html}, language = {English}, urldate = {2020-11-02} } Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-28Github (aaronst)Aaron Stephens
@online{stephens:20201028:unc1878:5f717f6, author = {Aaron Stephens}, title = {{UNC1878 indicators}}, date = {2020-10-28}, organization = {Github (aaronst)}, url = {https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456}, language = {English}, urldate = {2020-11-04} } UNC1878 indicators
Ryuk UNC1878
2020-10-28KrebsOnSecurityBrian Krebs
@online{krebs:20201028:fbi:26b9480, author = {Brian Krebs}, title = {{FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals}}, date = {2020-10-28}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/}, language = {English}, urldate = {2020-11-02} } FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk
2020-10-28SophosLabs UncutSean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
@online{gallagher:20201028:hacks:8e1d051, author = {Sean Gallagher and Peter Mackenzie and Elida Leite and Syed Shahram and Bill Kearny and Anand Ajjan and Brett Cove and Gabor Szappanos}, title = {{Hacks for sale: inside the Buer Loader malware-as-a-service}}, date = {2020-10-28}, organization = {SophosLabs Uncut}, url = {https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/}, language = {English}, urldate = {2020-11-02} } Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-10-27Bleeping ComputerLawrence Abrams
@online{abrams:20201027:steelcase:25f66a9, author = {Lawrence Abrams}, title = {{Steelcase furniture giant hit by Ryuk ransomware attack}}, date = {2020-10-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-28} } Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk
2020-10-26ThreatConnectThreatConnect Research Team
@online{team:20201026:threatconnect:0e90cc3, author = {ThreatConnect Research Team}, title = {{ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft}}, date = {2020-10-26}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/}, language = {English}, urldate = {2020-10-29} } ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk
2020-10-22Bleeping ComputerLawrence Abrams
@online{abrams:20201022:french:6d52e19, author = {Lawrence Abrams}, title = {{French IT giant Sopra Steria hit by Ryuk ransomware}}, date = {2020-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/}, language = {English}, urldate = {2020-10-26} } French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk
2020-10-22Sentinel LABSMarco Figueroa
@online{figueroa:20201022:inside:228798e, author = {Marco Figueroa}, title = {{An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques}}, date = {2020-10-22}, organization = {Sentinel LABS}, url = {https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/}, language = {English}, urldate = {2020-10-26} } An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk
2020-10-20Bundesamt für Sicherheit in der InformationstechnikBSI
@online{bsi:20201020:die:0683ad4, author = {BSI}, title = {{Die Lage der IT-Sicherheit in Deutschland 2020}}, date = {2020-10-20}, organization = {Bundesamt für Sicherheit in der Informationstechnik}, url = {https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2}, language = {German}, urldate = {2020-10-21} } Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-18The DFIR ReportThe DFIR Report
@online{report:20201018:ryuk:fbaadb8, author = {The DFIR Report}, title = {{Ryuk in 5 Hours}}, date = {2020-10-18}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/}, language = {English}, urldate = {2020-10-19} } Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201016:wizard:12b648a, author = {The Crowdstrike Intel Team}, title = {{WIZARD SPIDER Update: Resilient, Reactive and Resolute}}, date = {2020-10-16}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adversary-update/}, language = {English}, urldate = {2020-10-21} } WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot
2020-10-16ThreatConnectThreatConnect Research Team
@online{team:20201016:threatconnect:2010d70, author = {ThreatConnect Research Team}, title = {{ThreatConnect Research Roundup: Possible Ryuk Infrastructure}}, date = {2020-10-16}, organization = {ThreatConnect}, url = {https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/}, language = {English}, urldate = {2020-10-23} } ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk
2020-10-14SophosSean Gallagher
@online{gallagher:20201014:theyre:99f5d1e, author = {Sean Gallagher}, title = {{They’re back: inside a new Ryuk ransomware attack}}, date = {2020-10-14}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/}, language = {English}, urldate = {2020-10-16} } They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-13VirusTotalGerardo Fernández, Vicente Diaz
@online{fernndez:20201013:tracing:14bb6fa, author = {Gerardo Fernández and Vicente Diaz}, title = {{Tracing fresh Ryuk campaigns itw}}, date = {2020-10-13}, organization = {VirusTotal}, url = {https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html}, language = {English}, urldate = {2020-10-23} } Tracing fresh Ryuk campaigns itw
Ryuk
2020-10-12SymantecThreat Hunter Team
@online{team:20201012:trickbot:5c1e5bf, author = {Threat Hunter Team}, title = {{Trickbot: U.S. Court Order Hits Botnet’s Infrastructure}}, date = {2020-10-12}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption}, language = {English}, urldate = {2020-10-12} } Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot
2020-10-12MicrosoftTom Burt
@online{burt:20201012:new:045c1c3, author = {Tom Burt}, title = {{New action to combat ransomware ahead of U.S. elections}}, date = {2020-10-12}, organization = {Microsoft}, url = {https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/}, language = {English}, urldate = {2020-10-12} } New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-12Advanced IntelligenceRoman Marshanski, Vitali Kremez
@online{marshanski:20201012:front:686add1, author = {Roman Marshanski and Vitali Kremez}, title = {{"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon}}, date = {2020-10-12}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon}, language = {English}, urldate = {2020-10-13} } "Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08The DFIR ReportThe DFIR Report
@online{report:20201008:ryuks:e47d8fa, author = {The DFIR Report}, title = {{Ryuk’s Return}}, date = {2020-10-08}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/10/08/ryuks-return/}, language = {English}, urldate = {2020-10-09} } Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20201002:report:0ca373f, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns}}, date = {2020-10-02}, institution = {Health Sector Cybersecurity Coordination Center (HC3)}, url = {https://www.hhs.gov/sites/default/files/bazarloader.pdf}, language = {English}, urldate = {2020-11-02} } Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-09-24Kaspersky LabsKaspersky Lab ICS CERT
@techreport{cert:20200924:threat:2d7986d, author = {Kaspersky Lab ICS CERT}, title = {{Threat landscape for industrial automation systems - H1 2020}}, date = {2020-09-24}, institution = {Kaspersky Labs}, url = {https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf}, language = {English}, urldate = {2020-10-04} } Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware
2020-09-01Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200901:quarterly:c02962b, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly Report: Incident Response trends in Summer 2020}}, date = {2020-09-01}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html}, language = {English}, urldate = {2020-09-03} } Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-20sensecycyberthreatinsider
@online{cyberthreatinsider:20200820:global:34ee2ea, author = {cyberthreatinsider}, title = {{Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities}}, date = {2020-08-20}, organization = {sensecy}, url = {https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/}, language = {English}, urldate = {2020-11-04} } Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-18AreteArete Incident Response
@techreport{response:20200818:is:72e08da, author = {Arete Incident Response}, title = {{Is Conti the New Ryuk?}}, date = {2020-08-18}, institution = {Arete}, url = {https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf}, language = {English}, urldate = {2020-08-25} } Is Conti the New Ryuk?
Conti Ransomware Ryuk
2020-08Temple UniversityCARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-06-23Bleeping ComputerIonut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-15Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-05-05N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } Deep Analysis of Ryuk Ransomware
Ryuk
2020-04-19SecurityLiterateKyle Cucci
@online{cucci:20200419:reversing:4523233, author = {Kyle Cucci}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-08-13} } Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-03-02c'tChristian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-12VMWare Carbon BlackRachel E. King, AC
@online{king:20200212:ryuk:720c14e, author = {Rachel E. King and AC}, title = {{Ryuk Ransomware Technical Analysis}}, date = {2020-02-12}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/}, language = {English}, urldate = {2020-11-19} } Ryuk Ransomware Technical Analysis
Ryuk
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29ZDNetCatalin Cimpanu
@online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } DOD contractor suffers ransomware infection
Ryuk
2020-01-24Bleeping ComputerLawrence Abrams
@online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk
2020-01-24ReversingLabsRobert Simmons
@online{simmons:20200124:hunting:f99f1f9, author = {Robert Simmons}, title = {{Hunting for Ransomware}}, date = {2020-01-24}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware}, language = {English}, urldate = {2020-01-29} } Hunting for Ransomware
Ryuk
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-14Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2019-12-26Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-11-01CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-05FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-08-20Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
Yara Rules
[TLP:WHITE] win_ryuk_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         |                     

        $sequence_1 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 700
            //   ff15????????         |                     
            //   b803000000           | mov                 eax, 3
            //   eb05                 | jmp                 7
            //   b805000000           | mov                 eax, 5

        $sequence_2 = { 4983c8ff e8???????? 488bc3 4883c430 5b c3 48895c2408 }
            // n = 7, score = 600
            //   4983c8ff             | xor                 eax, eax
            //   e8????????           |                     
            //   488bc3               | xor                 edx, edx
            //   4883c430             | dec                 ecx
            //   5b                   | or                  eax, 0xffffffff
            //   c3                   | dec                 eax
            //   48895c2408           | mov                 eax, ebx

        $sequence_3 = { 488b7c2408 498bc1 c3 4053 4883ec20 8bc1 498bd8 }
            // n = 7, score = 600
            //   488b7c2408           | dec                 eax
            //   498bc1               | add                 esp, 0x30
            //   c3                   | pop                 ebx
            //   4053                 | ret                 
            //   4883ec20             | dec                 eax
            //   8bc1                 | mov                 dword ptr [esp + 8], ebx
            //   498bd8               | dec                 eax

        $sequence_4 = { b809000000 e9???????? 4533c9 4533c0 33d2 }
            // n = 5, score = 600
            //   b809000000           | mov                 eax, 9
            //   e9????????           |                     
            //   4533c9               | inc                 ebp
            //   4533c0               | xor                 ecx, ecx
            //   33d2                 | inc                 ebp

        $sequence_5 = { 68???????? 6a01 6a00 6814010000 }
            // n = 4, score = 600
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6814010000           | push                0x114

        $sequence_6 = { 4883c428 c3 48895c2408 57 4883ec30 8364242000 }
            // n = 6, score = 600
            //   4883c428             | mov                 edi, dword ptr [esp + 8]
            //   c3                   | dec                 ecx
            //   48895c2408           | mov                 eax, ecx
            //   57                   | ret                 
            //   4883ec30             | inc                 eax
            //   8364242000           | push                ebx

        $sequence_7 = { ff15???????? 85c0 7508 6a01 ff15???????? 68???????? 6a01 }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   68????????           |                     
            //   6a01                 | push                1

        $sequence_8 = { 750c 80780345 7506 80780453 }
            // n = 4, score = 500
            //   750c                 | add                 esp, 0x28
            //   80780345             | ret                 
            //   7506                 | dec                 eax
            //   80780453             | mov                 dword ptr [esp + 8], ebx

        $sequence_9 = { 2bc2 d1e8 03c2 c1e806 6bc05a }
            // n = 5, score = 500
            //   2bc2                 | mov                 edi, dword ptr [esp + 8]
            //   d1e8                 | dec                 ecx
            //   03c2                 | mov                 eax, ecx
            //   c1e806               | ret                 
            //   6bc05a               | inc                 eax

        $sequence_10 = { 33c9 ff15???????? 48897c2430 488d4c2440 c744242802000000 4533c9 }
            // n = 6, score = 500
            //   33c9                 | push                esi
            //   ff15????????         |                     
            //   48897c2430           | push                esi
            //   488d4c2440           | push                0x8000
            //   c744242802000000     | mov                 ecx, 0x3e8
            //   4533c9               | mov                 eax, 3

        $sequence_11 = { 488d4c2440 c744242802000000 4533c9 4533c0 c744242002000000 ba000000c0 ff15???????? }
            // n = 7, score = 500
            //   488d4c2440           | pop                 ebp
            //   c744242802000000     | ret                 
            //   4533c9               | push                8
            //   4533c0               | ret                 4
            //   c744242002000000     | mov                 edi, edi
            //   ba000000c0           | push                ebp
            //   ff15????????         |                     

        $sequence_12 = { 33c9 ff15???????? 448b442468 33d2 }
            // n = 4, score = 500
            //   33c9                 | jmp                 7
            //   ff15????????         |                     
            //   448b442468           | mov                 eax, 5
            //   33d2                 | dec                 eax

        $sequence_13 = { 751d 803845 7518 80780152 7512 }
            // n = 5, score = 500
            //   751d                 | mov                 eax, 0xffff
            //   803845               | push                ebx
            //   7518                 | test                eax, eax
            //   80780152             | jne                 0x58
            //   7512                 | push                ebx

        $sequence_14 = { ff15???????? 83f820 7510 488bcb ff15???????? b802000000 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   83f820               | test                eax, eax
            //   7510                 | jne                 0x6c
            //   488bcb               | push                0x28
            //   ff15????????         |                     
            //   b802000000           | xor                 esi, esi

        $sequence_15 = { 7407 48 85c0 7ff0 }
            // n = 4, score = 400
            //   7407                 | je                  9
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff0                 | jg                  0xfffffff2

        $sequence_16 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 }
            // n = 7, score = 400
            //   0f9fc0               | shr                 eax, 6
            //   5d                   | imul                eax, eax, 0x5a
            //   c3                   | shr                 eax, 1
            //   8bff                 | add                 eax, edx
            //   55                   | shr                 eax, 6
            //   8bec                 | imul                eax, eax, 0x5a
            //   8b4508               | mov                 eax, ecx

        $sequence_17 = { 746c e8???????? 488d0d63080000 e8???????? e8???????? 8bc8 }
            // n = 6, score = 400
            //   746c                 | or                  eax, 0xffffffff
            //   e8????????           |                     
            //   488d0d63080000       | dec                 eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 eax, ebx

        $sequence_18 = { b901000000 8903 e8???????? 84c0 746c e8???????? 488d0d63080000 }
            // n = 7, score = 400
            //   b901000000           | dec                 eax
            //   8903                 | add                 eax, 0x20
            //   e8????????           |                     
            //   84c0                 | dec                 eax
            //   746c                 | add                 esp, 0x28
            //   e8????????           |                     
            //   488d0d63080000       | ret                 

        $sequence_19 = { ff750c ff7508 e8???????? 5e 5d c3 6a08 }
            // n = 7, score = 400
            //   ff750c               | dec                 ecx
            //   ff7508               | mov                 eax, ecx
            //   e8????????           |                     
            //   5e                   | ret                 
            //   5d                   | inc                 eax
            //   c3                   | push                ebx
            //   6a08                 | dec                 eax

        $sequence_20 = { e9???????? 6a04 6800100000 6810270000 }
            // n = 4, score = 400
            //   e9????????           |                     
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6810270000           | push                0x2710

        $sequence_21 = { c20400 8bff 55 8bec b8ffff0000 83ec18 }
            // n = 6, score = 400
            //   c20400               | ret                 
            //   8bff                 | dec                 eax
            //   55                   | mov                 dword ptr [esp + 8], ebx
            //   8bec                 | dec                 eax
            //   b8ffff0000           | mov                 dword ptr [esp + 0x10], ebp
            //   83ec18               | ret                 

        $sequence_22 = { 8d7602 6685c9 75f1 5e 5d c3 8bff }
            // n = 7, score = 400
            //   8d7602               | mov                 dword ptr [esp + 8], ebx
            //   6685c9               | push                edi
            //   75f1                 | dec                 eax
            //   5e                   | sub                 esp, 0x30
            //   5d                   | sub                 eax, edx
            //   c3                   | shr                 eax, 1
            //   8bff                 | add                 eax, edx

        $sequence_23 = { 57 53 ff15???????? 85c0 7530 }
            // n = 5, score = 300
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7530                 | jne                 0x32

        $sequence_24 = { bb???????? 56 7538 68???????? }
            // n = 4, score = 300
            //   bb????????           |                     
            //   56                   | push                esi
            //   7538                 | jne                 0x3a
            //   68????????           |                     

        $sequence_25 = { 6a00 ff15???????? 6a00 6a02 6a03 6a00 }
            // n = 6, score = 300
            //   6a00                 | mul                 ecx
            //   ff15????????         |                     
            //   6a00                 | mov                 eax, ecx
            //   6a02                 | sub                 eax, edx
            //   6a03                 | shr                 eax, 1
            //   6a00                 | add                 eax, edx

        $sequence_26 = { 6a08 6a18 68???????? 68???????? 68???????? ff15???????? 85c0 }
            // n = 7, score = 300
            //   6a08                 | dec                 eax
            //   6a18                 | mov                 ebx, eax
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | cmp                 eax, 0x20

        $sequence_27 = { 85c0 7530 6a28 56 68???????? }
            // n = 5, score = 300
            //   85c0                 | test                eax, eax
            //   7530                 | jne                 0x32
            //   6a28                 | push                0x28
            //   56                   | push                esi
            //   68????????           |                     

        $sequence_28 = { ff15???????? 56 ff15???????? be14010000 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   56                   | push                esi
            //   ff15????????         |                     
            //   be14010000           | mov                 esi, 0x114

        $sequence_29 = { 6a0a c1e818 51 50 }
            // n = 4, score = 200
            //   6a0a                 | push                0xa
            //   c1e818               | shr                 eax, 0x18
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_30 = { ff15???????? b809000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b809000000           | mov                 eax, 9
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_31 = { 57 ff15???????? b80c000000 5f }
            // n = 4, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   b80c000000           | mov                 eax, 0xc
            //   5f                   | pop                 edi

        $sequence_32 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_33 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_34 = { 83c001 8945b4 c745b000000000 8b4dd4 8b5110 }
            // n = 5, score = 200
            //   83c001               | ret                 4
            //   8945b4               | mov                 edi, edi
            //   c745b000000000       | push                ebp
            //   8b4dd4               | mov                 ebp, esp
            //   8b5110               | mov                 eax, 0xffff

        $sequence_35 = { 6a00 ffd6 6800400000 6a40 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6800400000           | push                0x4000
            //   6a40                 | push                0x40

        $sequence_36 = { eb03 50 6af6 ff15???????? 8b04bd884c4400 834c0318ff }
            // n = 6, score = 100
            //   eb03                 | jmp                 5
            //   50                   | push                eax
            //   6af6                 | push                -0xa
            //   ff15????????         |                     
            //   8b04bd884c4400       | mov                 eax, dword ptr [edi*4 + 0x444c88]
            //   834c0318ff           | or                  dword ptr [ebx + eax + 0x18], 0xffffffff

        $sequence_37 = { 6a0a 8bf8 ff15???????? 83feff 7508 3bfe }
            // n = 6, score = 100
            //   6a0a                 | push                0xa
            //   8bf8                 | mov                 edi, eax
            //   ff15????????         |                     
            //   83feff               | cmp                 esi, -1
            //   7508                 | jne                 0xa
            //   3bfe                 | cmp                 edi, esi

    condition:
        7 of them and filesize < 7450624
}
Download all Yara Rules