win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, WIZARD SPIDER

Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://s3.eu-west-1.amazonaws.com/ncsc-content/files/RYUK%20Advisory%20draft%20CP%20June%202019.pdf
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
https://twitter.com/Prosegur/status/1199732264386596864
https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/
https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html
https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf
Yara Rules
[TLP:WHITE] win_ryuk_auto (20190620 | autogenerated rule brought to you by yara-signator)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-07-05"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.2a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_version = "20190620"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 4d85c0 74?? 4983e801 74?? }
            // n = 4, score = 600
            //   4d85c0               | ret                 
            //   74??                 |                     
            //   4983e801             | inc                 eax
            //   74??                 |                     

        $sequence_1 = { 4883c702 6685c0 74?? 4983e801 75?? 4d85c0 74?? }
            // n = 7, score = 600
            //   4883c702             | dec                 eax
            //   6685c0               | add                 edi, 2
            //   74??                 |                     
            //   4983e801             | test                ax, ax
            //   75??                 |                     
            //   4d85c0               | dec                 ecx
            //   74??                 |                     

        $sequence_2 = { 74?? 4983e801 75?? 4d85c0 }
            // n = 4, score = 600
            //   74??                 |                     
            //   4983e801             | mov                 eax, ecx
            //   75??                 |                     
            //   4d85c0               | dec                 ecx

        $sequence_3 = { 482bd7 0fb7043a 668907 4883c702 6685c0 }
            // n = 5, score = 600
            //   482bd7               | ret                 
            //   0fb7043a             | inc                 eax
            //   668907               | push                ebx
            //   4883c702             | dec                 eax
            //   6685c0               | sub                 esp, 0x20

        $sequence_4 = { c3 4053 4883ec20 8bc1 498bd8 }
            // n = 5, score = 600
            //   c3                   | push                ebx
            //   4053                 | dec                 ebp
            //   4883ec20             | test                eax, eax
            //   8bc1                 | dec                 ecx
            //   498bd8               | sub                 eax, 1

        $sequence_5 = { 66f3ab 488b7c2408 498bc1 c3 4053 }
            // n = 5, score = 600
            //   66f3ab               | rep stosd           dword ptr es:[edi], eax
            //   488b7c2408           | dec                 eax
            //   498bc1               | mov                 edi, dword ptr [esp + 8]
            //   c3                   | dec                 ecx
            //   4053                 | mov                 eax, ecx

        $sequence_6 = { 33c9 4d85c0 74?? 482bd7 }
            // n = 4, score = 600
            //   33c9                 | sub                 eax, 1
            //   4d85c0               | dec                 ebp
            //   74??                 |                     
            //   482bd7               | test                eax, eax

        $sequence_7 = { 4983e801 74?? 0fb7c1 498bc8 66f3ab 488b7c2408 }
            // n = 6, score = 600
            //   4983e801             | mov                 ebx, eax
            //   74??                 |                     
            //   0fb7c1               | dec                 eax
            //   498bc8               | sub                 edx, edi
            //   66f3ab               | movzx               eax, word ptr [edx + edi]
            //   488b7c2408           | mov                 word ptr [edi], ax

        $sequence_8 = { ff15???????? 66833f4e 75?? 66837f0254 }
            // n = 4, score = 500
            //   ff15????????         |                     
            //   66833f4e             | sub                 eax, 1
            //   75??                 |                     
            //   66837f0254           | dec                 ebp

        $sequence_9 = { ff15???????? 66833f4e 75?? 66837f0254 75?? }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   66833f4e             | test                eax, eax
            //   75??                 |                     
            //   66837f0254           | xor                 ecx, ecx
            //   75??                 |                     

        $sequence_10 = { ff15???????? 66833f4e 75?? 66837f0254 75?? 66837f0641 }
            // n = 6, score = 500
            //   ff15????????         |                     
            //   66833f4e             | dec                 ecx
            //   75??                 |                     
            //   66837f0254           | sub                 eax, 1
            //   75??                 |                     
            //   66837f0641           | movzx               eax, cx

        $sequence_11 = { 75?? 85c9 74?? 85c9 }
            // n = 4, score = 500
            //   75??                 |                     
            //   85c9                 | dec                 ecx
            //   74??                 |                     
            //   85c9                 | mov                 ecx, eax

        $sequence_12 = { 66833f4e 75?? 66837f0254 75?? 66837f0641 75?? }
            // n = 6, score = 500
            //   66833f4e             | add                 edi, 2
            //   75??                 |                     
            //   66837f0254           | test                ax, ax
            //   75??                 |                     
            //   66837f0641           | dec                 ecx
            //   75??                 |                     

        $sequence_13 = { ff15???????? 66833f4e 75?? 66837f0254 75?? 66837f0641 75?? }
            // n = 7, score = 500
            //   ff15????????         |                     
            //   66833f4e             | dec                 ebp
            //   75??                 |                     
            //   66837f0254           | test                eax, eax
            //   75??                 |                     
            //   66837f0641           | dec                 eax
            //   75??                 |                     

        $sequence_14 = { 66833f4e 75?? 66837f0254 75?? }
            // n = 4, score = 500
            //   66833f4e             | mov                 edi, dword ptr [esp + 8]
            //   75??                 |                     
            //   66837f0254           | dec                 eax
            //   75??                 |                     

        $sequence_15 = { 75?? 66837f0254 75?? 66837f0641 }
            // n = 4, score = 500
            //   75??                 |                     
            //   66837f0254           | rep stosd           dword ptr es:[edi], eax
            //   75??                 |                     
            //   66837f0641           | dec                 eax

        $sequence_16 = { ff15???????? b807000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b807000000           | xor                 eax, eax
            //   5f                   | mov                 word ptr [ebx + esi*2], ax
            //   5e                   | cmp                 edi, -1

        $sequence_17 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | cmp                 word ptr [edi], 0x4e
            //   c1e103               | cmp                 word ptr [edi + 2], 0x54
            //   51                   | cmp                 word ptr [edi], 0x4e
            //   6a00                 | cmp                 word ptr [edi + 2], 0x54

        $sequence_18 = { 50 e8???????? 50 57 6800000030 }
            // n = 5, score = 200
            //   50                   | mov                 eax, 9
            //   e8????????           |                     
            //   50                   | pop                 edi
            //   57                   | pop                 esi
            //   6800000030           | xor                 eax, eax

        $sequence_19 = { 85f6 75?? ff05???????? 6896000000 ff15???????? }
            // n = 5, score = 200
            //   85f6                 | pop                 esi
            //   75??                 |                     
            //   ff05????????         |                     
            //   6896000000           | push                eax
            //   ff15????????         |                     

        $sequence_20 = { 75?? 6a02 ff15???????? 8d45fc 50 }
            // n = 5, score = 200
            //   75??                 |                     
            //   6a02                 | mov                 eax, 0x16
            //   ff15????????         |                     
            //   8d45fc               | pop                 edi
            //   50                   | pop                 esi

        $sequence_21 = { 33c0 66890473 83ffff 0f8????????? }
            // n = 4, score = 200
            //   33c0                 | cmp                 word ptr [edi], 0x4e
            //   66890473             | cmp                 word ptr [edi + 2], 0x54
            //   83ffff               | cmp                 word ptr [edi + 6], 0x41
            //   0f8?????????         |                     

        $sequence_22 = { 0f8????????? e9???????? 6a04 6800100000 }
            // n = 4, score = 200
            //   0f8?????????         |                     
            //   e9????????           |                     
            //   6a04                 | mov                 eax, 7
            //   6800100000           | pop                 edi

        $sequence_23 = { 6800000030 e8???????? 83c404 85c0 74?? 8b4508 }
            // n = 6, score = 200
            //   6800000030           | push                edi
            //   e8????????           |                     
            //   83c404               | mov                 eax, 0xc
            //   85c0                 | pop                 edi
            //   74??                 |                     
            //   8b4508               | pop                 esi

        $sequence_24 = { 83f80f 77?? 72?? 81fafe494d22 77?? }
            // n = 5, score = 200
            //   83f80f               | push                ecx
            //   77??                 |                     
            //   72??                 |                     
            //   81fafe494d22         | push                0
            //   77??                 |                     

        $sequence_25 = { ff15???????? b808000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b808000000           | sub                 edx, edi
            //   5f                   | cmp                 word ptr [edi], 0x4e
            //   5e                   | cmp                 word ptr [edi + 2], 0x54

        $sequence_26 = { ff15???????? b816000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b816000000           | cmp                 word ptr [edi], 0x4e
            //   5f                   | cmp                 word ptr [edi + 2], 0x54
            //   5e                   | cmp                 word ptr [edi + 6], 0x41

        $sequence_27 = { ff15???????? b809000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b809000000           | cmp                 word ptr [edi + 6], 0x41
            //   5f                   | cmp                 word ptr [edi], 0x4e
            //   5e                   | cmp                 word ptr [edi + 2], 0x54

        $sequence_28 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | cmp                 word ptr [edi + 6], 0x41
            //   33c0                 | test                ecx, ecx
            //   66890473             | test                ecx, ecx
            //   83ffff               | cmp                 word ptr [edi + 2], 0x54

        $sequence_29 = { 66398818000030 75?? 8b4508 b900000030 2bc1 }
            // n = 5, score = 200
            //   66398818000030       | mov                 word ptr [ebx + esi*2], ax
            //   75??                 |                     
            //   8b4508               | cmp                 edi, -1
            //   b900000030           | lea                 ecx, [ecx + ecx*2]
            //   2bc1                 | shl                 ecx, 3

        $sequence_30 = { 6800000030 e8???????? 83c404 85c0 74?? }
            // n = 5, score = 200
            //   6800000030           | push                eax
            //   e8????????           |                     
            //   83c404               | push                edi
            //   85c0                 | push                0x30000000
            //   74??                 |                     

        $sequence_31 = { 57 ff15???????? b80c000000 5f 5e }
            // n = 5, score = 200
            //   57                   | mov                 eax, 8
            //   ff15????????         |                     
            //   b80c000000           | pop                 edi
            //   5f                   | pop                 esi
            //   5e                   | sub                 esi, eax

    condition:
        7 of them
}
Download all Yara Rules