Ryuk (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, UNC1878, WIZARD SPIDER

Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon Ransomware BazarBackdoor Clop Cobalt Strike Conti Ransomware Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet Ransomware ShadowPad SmokeLoader Snake Ransomware SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader

2021-02-22 ⋅ YouTube ( Malware_Analyzing_&_RE_Tips_Tricks) ⋅ Jiří Vinopal
Ryuk Ransomware API Resolving in 10 minutes
Ryuk

2021-02-11 ⋅ CTI LEAGUE ⋅ CTI LEAGUE
CTIL Darknet Report – 2021
Conti Ransomware Mailto Maze REvil Ryuk

2021-02-04 ⋅ ClearSky ⋅ ClearSky Research Team
CONTI Modus Operandi and Bitcoin Tracking
Conti Ransomware Ryuk

2021-02-02 ⋅ CRONUP ⋅ CRONUP
De ataque con Malware a incidente de Ransomware
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-02-01 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
Tweet on Active Directory Exploitation by RYUK "one" group
Ryuk

2021-01-31 ⋅ The DFIR Report ⋅ The DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk

2021-01-28 ⋅ Huntress Labs ⋅ John Hammond
Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk

2021-01-25 ⋅ Twitter (@IntelAdvanced) ⋅ Advanced Intelligence
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool
Ryuk

2021-01-07 ⋅ Advanced Intelligence ⋅ Vitali Kremez, Brian Carter, HYAS
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
Ryuk

2020-12-28 ⋅ 0xC0DECAFE ⋅ Thomas Barabosch
Never upload ransomware samples to the Internet
Ryuk

2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk

2020-12-21 ⋅ IronNet ⋅ Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess

2020-12-16 ⋅ Accenture ⋅ Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim Ransomware RagnarLocker REvil Ryuk SunCrypt

2020-12-10 ⋅ Cybereason ⋅ Joakim Kandefelt
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot

2020-12-10 ⋅ CyberInt ⋅ CyberInt
Ryuk Crypto-Ransomware
Ryuk TrickBot

2020-12-10 ⋅ US-CERT ⋅ US-CERT, FBI, MS-ISAC
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus

2020-12-09 ⋅ Cisco ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk

2020-11-20 ⋅ ZDNet ⋅ Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon Ransomware BazarBackdoor Buer Clop Cobalt Strike Conti Ransomware DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader

2020-11-19 ⋅ Threatpost ⋅ Elizabeth Montalbano
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk

2020-11-18 ⋅ DomainTools ⋅ Joe Slowik
Analyzing Network Infrastructure as Composite Objects
Ryuk

2020-11-16 ⋅ Intel 471 ⋅ Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Ransomware Clop Conti Ransomware DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX Ransomware

2020-11-14 ⋅ Medium 0xastrovax ⋅ astrovax
Deep Dive Into Ryuk Ransomware
Hermes Ryuk

2020-11-06 ⋅ Advanced Intelligence ⋅ Vitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ Twitter (@ffforward) ⋅ TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader

2020-11-05 ⋅ SCYTHE ⋅ Jorge Orchilles, Sean Lyngaas
#ThreatThursday - Ryuk
BazarBackdoor Ryuk

2020-11-05 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk

2020-11-05 ⋅ Github (scythe-io) ⋅ SCYTHE
Ryuk Adversary Emulation Plan
Ryuk

2020-11-04 ⋅ VMRay ⋅ Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-10-31 ⋅ splunk ⋅ Ryan Kovar
Ryuk and Splunk Detections
Ryuk

2020-10-30 ⋅ Github (ThreatConnect-Inc) ⋅ ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk

2020-10-30 ⋅ Cofense ⋅ The Cofense Intelligence Team
The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk

2020-10-29 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk

2020-10-29 ⋅ Palo Alto Networks Unit 42 ⋅ Brittany Barbehenn, Doel Santos, Brad Duncan
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot

2020-10-29 ⋅ Twitter (@anthomsec) ⋅ Andrew Thompson
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878

2020-10-29 ⋅ CNN ⋅ Vivian Salama, Alex Marquardt, Lauren Mascarenhas
Several hospitals targeted in new wave of ransomware attacks
Ryuk

2020-10-29 ⋅ Twitter (@SophosLabs) ⋅ SophosLabs
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk

2020-10-29 ⋅ RiskIQ ⋅ RiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk

2020-10-29 ⋅ Reuters ⋅ Christopher Bing, Joseph Menn
Building wave of ransomware attacks strike U.S. hospitals
Ryuk

2020-10-29 ⋅ McAfee ⋅ McAfee Labs
McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk

2020-10-29 ⋅ Red Canary ⋅ The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot

2020-10-28 ⋅ Youtube (SANS Institute) ⋅ Katie Nickels, Van Ta, Aaron Stephens
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878

2020-10-28 ⋅ CISA ⋅ CISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
Anchor_DNS Anchor BazarBackdoor Ryuk

2020-10-28 ⋅ Youtube (SANS Digital Forensics and Incident Response) ⋅ Van Ta, Aaron Stephens, Katie Nickels
STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk

2020-10-28 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878

2020-10-28 ⋅ Github (aaronst) ⋅ Aaron Stephens
UNC1878 indicators
Ryuk UNC1878

2020-10-28 ⋅ KrebsOnSecurity ⋅ Brian Krebs
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk

2020-10-28 ⋅ SophosLabs Uncut ⋅ Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearny, Anand Ajjan, Brett Cove, Gabor Szappanos
Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader

2020-10-27 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk

2020-10-26 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk

2020-10-22 ⋅ Bleeping Computer ⋅ Lawrence Abrams
French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk

2020-10-22 ⋅ Sentinel LABS ⋅ Marco Figueroa
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk

2020-10-20 ⋅ Bundesamt für Sicherheit in der Informationstechnik ⋅ BSI
Die Lage der IT-Sicherheit in Deutschland 2020
Clop Emotet REvil Ryuk TrickBot

2020-10-18 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk

2020-10-16 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ransomware Ryuk TrickBot

2020-10-16 ⋅ ThreatConnect ⋅ ThreatConnect Research Team
ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk

2020-10-14 ⋅ Sophos ⋅ Sean Gallagher
They’re back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC

2020-10-13 ⋅ VirusTotal ⋅ Gerardo Fernández, Vicente Diaz
Tracing fresh Ryuk campaigns itw
Ryuk

2020-10-12 ⋅ Symantec ⋅ Threat Hunter Team
Trickbot: U.S. Court Order Hits Botnet’s Infrastructure
Ryuk TrickBot

2020-10-12 ⋅ Microsoft ⋅ Tom Burt
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot

2020-10-12 ⋅ Advanced Intelligence ⋅ Roman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk

2020-10-08 ⋅ The DFIR Report ⋅ The DFIR Report
Ryuk’s Return
BazarBackdoor Cobalt Strike Ryuk

2020-10-02 ⋅ Health Sector Cybersecurity Coordination Center (HC3) ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot

2020-09-24 ⋅ Kaspersky Labs ⋅ Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake Ransomware

2020-09-01 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk

2020-08-20 ⋅ sensecy ⋅ cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk

2020-08-18 ⋅ Arete ⋅ Arete Incident Response
Is Conti the New Ryuk?
Conti Ransomware Ryuk

2020-08 ⋅ Temple University ⋅ CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor

2020-06-23 ⋅ Bleeping Computer ⋅ Ionut Ilascu
Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk

2020-06-15 ⋅ Cisco Talos ⋅ David Liebenberg, Caitlin Huey
Quarterly report: Incident Response trends in Summer 2020
Ryuk

2020-05-05 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary
Deep Analysis of Ryuk Ransomware
Ryuk

2020-04-19 ⋅ SecurityLiterate ⋅ Kyle Cucci
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk

2020-04-14 ⋅ Intel 471 ⋅ Intel 471
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot

2020-03-31 ⋅ FireEye ⋅ Van Ta, Aaron Stephens
It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878

2020-03-25 ⋅ Wilbur Security ⋅ JW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER

2020-03-04 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-03-02 ⋅ c't ⋅ Christian Wölbert
Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus

2020-02-13 ⋅ Quick Heal ⋅ Goutam Tripathy
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk
Ryuk

2020-02-12 ⋅ VMWare Carbon Black ⋅ Rachel E. King, AC
Ryuk Ransomware Technical Analysis
Ryuk

2020-02-10 ⋅ Malwarebytes ⋅ Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-29 ⋅ ZDNet ⋅ Catalin Cimpanu
DOD contractor suffers ransomware infection
Ryuk

2020-01-24 ⋅ Bleeping Computer ⋅ Lawrence Abrams
New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk

2020-01-24 ⋅ ReversingLabs ⋅ Robert Simmons
Hunting for Ransomware
Ryuk

2020-01-17 ⋅ Secureworks ⋅ Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware

2020-01-14 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk

2020 ⋅ Secureworks ⋅ SecureWorks
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER

2020 ⋅ Blackberry ⋅ Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware

2019-12-26 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk

2019-12-21 ⋅ Decrypt ⋅ Adriana Hamacher
How ransomware exploded in the age of Bitcoin
Ryuk

2019-12-19 ⋅ Malwarebytes ⋅ Jovi Umawing
Threat spotlight: the curious case of Ryuk ransomware
Ryuk

2019-12-15 ⋅ Bleeping Computer ⋅ Lawrence Abrams
Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk

2019-12-09 ⋅ Emsisoft ⋅ EmsiSoft Malware Lab
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk

2019-11-27 ⋅ Twitter (@Prosegur) ⋅ Prosegur
Tweet on Incident of Information Security
Ryuk

2019-11-06 ⋅ Heise Security ⋅ Thomas Hungenberg
Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot

2019-11 ⋅ CCN-CERT ⋅ CCN-CERT
Informe Código Dañino CCN-CERT ID-26/19
Ryuk

2019-11-01 ⋅ CrowdStrike ⋅ Alexander Hanel, Brett Stone-Gross
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER

2019-05-09 ⋅ GovCERT.ch ⋅ GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot

2019-04-05 ⋅ FireEye ⋅ Brendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6

2019-04-02 ⋅ Cybereason ⋅ Noa Pinkas, Lior Rochberger, Matan Zatz
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot

2019-03-26 ⋅ ANSSI ⋅ ANSSI
INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk

2019-01-11 ⋅ FireEye ⋅ Kimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER

2019-01-10 ⋅ CrowdStrike ⋅ Alexander Hanel
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER

2019-01-09 ⋅ McAfee ⋅ John Fokker, Christiaan Beek
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk

2019 ⋅ Virus Bulletin ⋅ Gabriela Nicolao, Luciano Martins
Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk

2018-12-29 ⋅ Los Angeles Times ⋅ Tony Barboza, Meg James, Emily Alpert Reyes
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk

2018-08-20 ⋅ Check Point ⋅ Itay Cohen, Ben Herzog
Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk

Yara Rules

[TLP:WHITE] win_ryuk_auto (20201023 | autogenerated rule brought to you by yara-signator)

rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 6a01 6a00 6814010000 }
            // n = 4, score = 800
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6814010000           | push                0x114

        $sequence_1 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   b803000000           | mov                 eax, 3
            //   eb05                 | jmp                 7
            //   b805000000           | mov                 eax, 5

        $sequence_2 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         |                     

        $sequence_3 = { 85c0 7508 6a01 ff15???????? 68???????? 6a01 }
            // n = 6, score = 700
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   68????????           |                     
            //   6a01                 | push                1

        $sequence_4 = { 488bc3 4883c430 5b c3 48895c2408 48896c2410 4889742418 }
            // n = 7, score = 600
            //   488bc3               | push                edi
            //   4883c430             | dec                 eax
            //   5b                   | sub                 esp, 0x30
            //   c3                   | dec                 eax
            //   48895c2408           | add                 eax, 0x20
            //   48896c2410           | dec                 eax
            //   4889742418           | add                 esp, 0x28

        $sequence_5 = { 66f3ab 488b7c2408 498bc1 c3 4053 4883ec20 8bc1 }
            // n = 7, score = 600
            //   66f3ab               | inc                 ebp
            //   488b7c2408           | xor                 eax, eax
            //   498bc1               | rep stosd           dword ptr es:[edi], eax
            //   c3                   | dec                 eax
            //   4053                 | mov                 edi, dword ptr [esp + 8]
            //   4883ec20             | dec                 ecx
            //   8bc1                 | mov                 eax, ecx

        $sequence_6 = { ff7508 e8???????? 5e 5d c3 6a08 }
            // n = 6, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a08                 | push                8

        $sequence_7 = { b809000000 e9???????? 4533c9 4533c0 }
            // n = 4, score = 600
            //   b809000000           | mov                 eax, 9
            //   e9????????           |                     
            //   4533c9               | inc                 ebp
            //   4533c0               | xor                 ecx, ecx

        $sequence_8 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 }
            // n = 7, score = 600
            //   0f9fc0               | setg                al
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_9 = { eb04 4883c020 4883c428 c3 48895c2408 57 4883ec30 }
            // n = 7, score = 600
            //   eb04                 | ret                 
            //   4883c020             | inc                 eax
            //   4883c428             | push                ebx
            //   c3                   | dec                 eax
            //   48895c2408           | sub                 esp, 0x20
            //   57                   | mov                 eax, ecx
            //   4883ec30             | jmp                 6

        $sequence_10 = { 8d7602 6685c9 75f1 5e 5d c3 8bff }
            // n = 7, score = 600
            //   8d7602               | lea                 esi, [esi + 2]
            //   6685c9               | test                cx, cx
            //   75f1                 | jne                 0xfffffff3
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_11 = { 4889442420 4c8bc6 488bd3 488bcf }
            // n = 4, score = 500
            //   4889442420           | inc                 eax
            //   4c8bc6               | push                ebx
            //   488bd3               | dec                 eax
            //   488bcf               | add                 esp, 0x28

        $sequence_12 = { e9???????? 6a04 6800100000 6810270000 }
            // n = 4, score = 500
            //   e9????????           |                     
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6810270000           | push                0x2710

        $sequence_13 = { 33c9 ba10270000 41b800100000 448d4904 ff15???????? }
            // n = 5, score = 500
            //   33c9                 | mov                 dword ptr [esp + 8], ebx
            //   ba10270000           | push                edi
            //   41b800100000         | dec                 eax
            //   448d4904             | sub                 esp, 0x30
            //   ff15????????         |                     

        $sequence_14 = { 2bc2 d1e8 03c2 c1e806 6bc05a }
            // n = 5, score = 500
            //   2bc2                 | dec                 eax
            //   d1e8                 | add                 esp, 0x28
            //   03c2                 | ret                 
            //   c1e806               | dec                 eax
            //   6bc05a               | mov                 dword ptr [esp + 8], ebx

        $sequence_15 = { 750a b804000000 e9???????? 4863d0 }
            // n = 4, score = 500
            //   750a                 | dec                 eax
            //   b804000000           | mov                 eax, ebx
            //   e9????????           |                     
            //   4863d0               | dec                 eax

        $sequence_16 = { 8905???????? e8???????? b988130000 8bd8 ff15???????? }
            // n = 5, score = 500
            //   8905????????         |                     
            //   e8????????           |                     
            //   b988130000           | ret                 
            //   8bd8                 | dec                 eax
            //   ff15????????         |                     

        $sequence_17 = { 8078ff48 751d 803845 7518 80780152 7512 8078024d }
            // n = 7, score = 500
            //   8078ff48             | push                8
            //   751d                 | push                esi
            //   803845               | push                edi
            //   7518                 | jne                 0x56
            //   80780152             | push                0x10
            //   7512                 | push                esi
            //   8078024d             | mov                 eax, 3

        $sequence_18 = { 7407 48 85c0 7ff0 }
            // n = 4, score = 500
            //   7407                 | je                  9
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff0                 | jg                  0xfffffff2

        $sequence_19 = { 41b900300000 c744242040000000 448bc3 488bd6 488bcf }
            // n = 5, score = 500
            //   41b900300000         | jmp                 7
            //   c744242040000000     | mov                 eax, 5
            //   448bc3               | mov                 ecx, 0x3e8
            //   488bd6               | movzx               eax, cx
            //   488bcf               | dec                 ecx

        $sequence_20 = { 6a08 6a18 68???????? 68???????? 68???????? }
            // n = 5, score = 400
            //   6a08                 | push                8
            //   6a18                 | push                0x18
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_21 = { 85c0 7407 b801000000 eb0b eb04 }
            // n = 5, score = 400
            //   85c0                 | xor                 eax, eax
            //   7407                 | xor                 edx, edx
            //   b801000000           | dec                 ecx
            //   eb0b                 | mov                 eax, ecx
            //   eb04                 | ret                 

        $sequence_22 = { 6a00 ff15???????? 6a00 6a02 6a03 6a00 6a00 }
            // n = 7, score = 400
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_23 = { ff15???????? b811000000 e9???????? e9???????? }
            // n = 4, score = 400
            //   ff15????????         |                     
            //   b811000000           | mov                 dword ptr [esp + 8], ebx
            //   e9????????           |                     
            //   e9????????           |                     

        $sequence_24 = { ff15???????? 85c0 751c 6a08 56 }
            // n = 5, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   751c                 | jne                 0x1e
            //   6a08                 | push                8
            //   56                   | push                esi

        $sequence_25 = { bf???????? bb???????? 56 7538 68???????? 57 53 }
            // n = 7, score = 400
            //   bf????????           |                     
            //   bb????????           |                     
            //   56                   | push                esi
            //   7538                 | jne                 0x3a
            //   68????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx

        $sequence_26 = { 57 53 ff15???????? 85c0 7554 }
            // n = 5, score = 400
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7554                 | jne                 0x56

        $sequence_27 = { 7568 6a28 56 68???????? 57 53 }
            // n = 6, score = 400
            //   7568                 | jne                 0x6a
            //   6a28                 | push                0x28
            //   56                   | push                esi
            //   68????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx

        $sequence_28 = { 52 ff15???????? a3???????? b832000000 6bc811 81c1???????? }
            // n = 6, score = 300
            //   52                   | add                 eax, edx
            //   ff15????????         |                     
            //   a3????????           |                     
            //   b832000000           | shr                 eax, 6
            //   6bc811               | imul                eax, eax, 0x5a
            //   81c1????????         |                     

        $sequence_29 = { 8955e4 8955e8 8955ec 8955f0 8955f4 668955f8 }
            // n = 6, score = 300
            //   8955e4               | sub                 eax, edx
            //   8955e8               | shr                 eax, 1
            //   8955ec               | add                 eax, edx
            //   8955f0               | shr                 eax, 6
            //   8955f4               | imul                eax, eax, 0x5a
            //   668955f8             | shr                 eax, 1

        $sequence_30 = { 6a0a c1e818 51 50 }
            // n = 4, score = 200
            //   6a0a                 | push                0xa
            //   c1e818               | shr                 eax, 0x18
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_31 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_32 = { 6a00 ffd6 6800400000 6a40 }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6800400000           | push                0x4000
            //   6a40                 | push                0x40

        $sequence_33 = { ff15???????? b80f000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b80f000000           | mov                 eax, 0xf
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_34 = { 57 ff15???????? b80c000000 5f }
            // n = 4, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   b80c000000           | mov                 eax, 0xc
            //   5f                   | pop                 edi

        $sequence_35 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_36 = { 1bd8 8b45fc 8b402c 2930 8b75fc 8b461c 0108 }
            // n = 7, score = 100
            //   1bd8                 | sbb                 ebx, eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b402c               | mov                 eax, dword ptr [eax + 0x2c]
            //   2930                 | sub                 dword ptr [eax], esi
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   8b461c               | mov                 eax, dword ptr [esi + 0x1c]
            //   0108                 | add                 dword ptr [eax], ecx

        $sequence_37 = { 8985c8f6ffff 0f8599fcffff 8b8db4f6ffff 85c9 0f84e2000000 8b3c8d84684300 85ff }
            // n = 7, score = 100
            //   8985c8f6ffff         | mov                 dword ptr [ebp - 0x938], eax
            //   0f8599fcffff         | jne                 0xfffffc9f
            //   8b8db4f6ffff         | mov                 ecx, dword ptr [ebp - 0x94c]
            //   85c9                 | test                ecx, ecx
            //   0f84e2000000         | je                  0xe8
            //   8b3c8d84684300       | mov                 edi, dword ptr [ecx*4 + 0x436884]
            //   85ff                 | test                edi, edi

    condition:
        7 of them and filesize < 7450624
}

Download all Yara Rules

Ryuk Propose Change

References

Yara Rules

Ryuk