win.ryuk

Ryuk

Actor(s): FIN6, GRIM SPIDER, UNC1878, WIZARD SPIDER


Ryuk is ransomware that encrypts its victims' files and demands a ransom, paid in Bitcoin, in exchange for restoring the original files. It has been observed in attacks on companies and other professional environments rather than in indiscriminate mass campaigns. Security researchers have found that Ryuk shares code with the Hermes ransomware. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
2024-06-05 | S-RM | David Broom, Gavin Hull
Exmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting
BlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk
2023-11-26 | Medium shaddy43 | Shayan Ahmed Khan
From Infection to Encryption: Tracing the Impact of RYUK Ransomware
Ryuk
2023-09-12 | ANSSI | ANSSI
FIN12: A Cybercriminal Group with Multiple Ransomware
BlackCat Cobalt Strike Conti Hive MimiKatz Nokoyawa Ransomware PLAY Royal Ransom Ryuk SystemBC
2023-07-27 | Bankinfo Security | Mathew J. Schwartz
Are Akira Ransomware's Crypto-Locking Malware Days Numbered?
Akira Ryuk
2022-12-06 | EuRepoC | Camille Borrett, Kerstin Zettl-Schabath, Lena Rottinger
Conti/Wizard Spider
BazarBackdoor Cobalt Strike Conti Emotet IcedID Ryuk TrickBot WIZARD SPIDER
2022-09-13 | AdvIntel | Advanced Intelligence
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022
Conti Cobalt Strike Emotet Ryuk TrickBot
2022-08-31 | Fourcore | Hardik Manocha
Ryuk Ransomware: History, Timeline, And Adversary Simulation
Ryuk
2022-08-22 | Microsoft | Microsoft
Extortion Economics - Ransomware's new business model
BlackCat Conti Hive REvil AgendaCrypt Black Basta BlackCat Brute Ratel C4 Cobalt Strike Conti Hive Mount Locker Nokoyawa Ransomware REvil Ryuk
2022-05-24 | The Hacker News | Florian Goutin
Malware Analysis: Trickbot
Cobalt Strike Conti Ryuk TrickBot
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-05 | Intel 471 | Intel 471
Cybercrime loves company: Conti cooperated with other ransomware gangs
LockBit Maze RagnarLocker Ryuk
2022-04-17 | BushidoToken Blog | BushidoToken
Lessons from the Conti Leaks
BazarBackdoor Conti Emotet IcedID Ryuk TrickBot
2022-04-15 | Arctic Wolf | Arctic Wolf
The Karakurt Web: Threat Intel and Blockchain Analysis Reveals Extension of Conti Business Model
Conti Diavol Ryuk TrickBot
2022-04-13 | Microsoft | Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-04-13 | Microsoft | Amy Hogan-Burney
Notorious cybercrime gang's botnet disrupted
Ryuk Zloader
2022-04-06 | TRM Labs | TRM Labs
TRM Analysis Corroborates Suspected Ties Between Conti and Ryuk Ransomware Groups and Wizard Spider
Conti Ryuk
2022-03-31 | Trellix | Jambul Tologonov, John Fokker
Conti Leaks: Examining the Panama Papers of Ransomware
LockBit Amadey Buer Conti IcedID LockBit Mailto Maze PhotoLoader Ryuk TrickBot
2022-03-23 | splunk | Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-02 | elDiario | Carlos del Castillo
Cybercrime bosses warn that they will "fight back" if Russia is hacked
Conti Ryuk
2022-03-02 | KrebsOnSecurity | Brian Krebs
Conti Ransomware Group Diaries, Part II: The Office
Conti Emotet Ryuk TrickBot
2022-02-23 | splunk | Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-19 | Blackberry | The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-11-18 | Medium 0xchina | Hamad Alnakal
Malware reverse engineering (Ryuk Ransomware)
Ryuk
2021-10-22 | HUNT & HACKETT | Krijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-07 | Mandiant | Adam Brunner, Genevieve Stark, Jennifer Brooks, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Zach Riddle
FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets
BazarBackdoor GRIMAGENT Ryuk
2021-10-05 | Trend Micro | Byron Gelera, Fyodor Yarochkin, Janus Agcaoili, Nikko Tamana
Ransomware as a Service: Enabler of Widespread Attacks
Cerber Conti DarkSide Gandcrab Locky Nefilim REvil Ryuk
2021-09-16 | RiskIQ | RiskIQ
Untangling the Spider Web: The Curious Connection Between WIZARD SPIDER's Ransomware Infrastructure and a Windows Zero-Day Exploit
Cobalt Strike Ryuk
2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05 | KrebsOnSecurity | Brian Krebs
Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-07 | McAfee | McAfee Labs
Ryuk Ransomware Now Targeting Webservers
Cobalt Strike Ryuk
2021-06-16 | Proofpoint | Daniel Blackford, Garrett M. Graff, Selena Larson
The First Step: Initial Access Leads to Ransomware
BazarBackdoor Egregor IcedID Maze QakBot REvil Ryuk TrickBot WastedLocker TA570 TA575 TA577
2021-06-09 | Twitter (@SecurityJoes) | SecurityJoes
Tweet on .NET builder of a Ryuk imposter malware
Ryuk
2021-06-07 | Medium walmartglobaltech | Jason Reaves, Joshua Platt
Inside the SystemBC Malware-As-A-Service
Ryuk SystemBC TrickBot
2021-05-22 | YouTube (ACPEnw) | YouTube (ACPEnw)
Lessons Learned from a Cyber Attack System Admin Perspective
Ryuk
2021-05-18 | The Record | Catalin Cimpanu
Darkside gang estimated to have made over $90 million from ransomware attacks
DarkSide Mailto Maze REvil Ryuk
2021-05-18 | Bleeping Computer | Ionut Ilascu
DarkSide ransomware made $90 million in just nine months
DarkSide Egregor Gandcrab Mailto Maze REvil Ryuk
2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-05-06 | Sophos Labs | Bill Kearney, Kyle Link, Matthew Sharf, Peter Mackenzie, Tilly Travers
MTR in Real Time: Pirates pave way for Ryuk ransomware
Ryuk
2021-04-26 | CoveWare | CoveWare
Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound
Avaddon Clop Conti DarkSide Egregor LockBit Mailto Phobos REvil Ryuk SunCrypt
2021-04-17 | Advanced Intelligence | Al Calleo, Vitali Kremez, Yelisey Boguslavskiy
Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021
Ryuk
2021-04-07 | ANALYST1 | Jon DiMaggio
Ransom Mafia Analysis of the World's First Ransomware Cartel
Conti Egregor LockBit Maze RagnarLocker Ryuk SunCrypt TA2101 VIKING SPIDER
2021-03-21 | Blackberry | Blackberry Research
2021 Threat Report
Bashlite FritzFrog IPStorm Mirai Tsunami elf.wellmess AppleJeus Dacls EvilQuest Manuscrypt Astaroth BazarBackdoor Cerber Cobalt Strike Emotet FinFisher RAT Kwampirs MimiKatz NjRAT Ryuk SmokeLoader TrickBot
2021-03-17 | Palo Alto Networks Unit 42 | Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-04 | NCC Group | Ollie Whitehouse
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Ryuk
2021-03-01 | YouTube (Malware_Analyzing_&_RE_Tips_Tricks) | Jiří Vinopal
Ryuk Ransomware - Advanced using of Scylla for Imports reconstruction
Ryuk
2021-03-01 | CCN-CERT | CCN-CERT
Malicious Code Report CCN-CERT ID-03/21: Ryuk Ransomware
Ryuk
2021-03-01 | Group-IB | Oleg Skulkin, Roman Rezvukhin, Semyon Rogachev
Ransomware Uncovered 2020/2021
RansomEXX BazarBackdoor Buer Clop Conti DoppelPaymer Dridex Egregor IcedID Maze PwndLocker QakBot RansomEXX REvil Ryuk SDBbot TrickBot Zloader
2021-02-28 | PWC UK | PWC UK
Cyber Threats 2020: A Year in Retrospect
elf.wellmess FlowerPower PowGoop 8.t Dropper Agent.BTZ Agent Tesla Appleseed Ave Maria Bankshot BazarBackdoor BLINDINGCAN Chinoxy Conti Cotx RAT Crimson RAT DUSTMAN Emotet FriedEx FunnyDream Hakbit Mailto Maze METALJACK Nefilim Oblique RAT Pay2Key PlugX QakBot REvil Ryuk StoneDrill StrongPity SUNBURST SUPERNOVA TrickBot TurlaRPC Turla SilentMoon WastedLocker WellMess Winnti ZeroCleare APT10 APT23 APT27 APT31 APT41 BlackTech BRONZE EDGEWOOD Inception Framework MUSTANG PANDA Red Charon Red Nue Sea Turtle Tonto Team
2021-02-27 | 4rchibld | 4rchibld
Nice to meet you, too. My name is Ryuk.
Ryuk
2021-02-25 | ANSSI | CERT-FR
Ryuk Ransomware
BazarBackdoor Buer Conti Emotet Ryuk TrickBot
2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-02-22 | YouTube (Malware_Analyzing_&_RE_Tips_Tricks) | Jiří Vinopal
Ryuk Ransomware API Resolving in 10 minutes
Ryuk
2021-02-16 | Proofpoint | Proofpoint Threat Research Team
Q4 2020 Threat Report: A Quarterly Analysis of Cybersecurity Trends, Tactics and Themes
Emotet Ryuk NARWHAL SPIDER TA800
2021-02-11 | CTI LEAGUE | CTI LEAGUE
CTIL Darknet Report – 2021
Conti Mailto Maze REvil Ryuk
2021-02-04 | ClearSky | ClearSky Research Team
CONTI Modus Operandi and Bitcoin Tracking
Conti Ryuk
2021-02-02 | CRONUP | Germán Fernández
From a malware attack to a ransomware incident
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-02-01 | Twitter (@IntelAdvanced) | Advanced Intelligence
Tweet on Active Directory Exploitation by RYUK "one" group
Ryuk
2021-01-31 | The DFIR Report | The DFIR Report
Bazar, No Ryuk?
BazarBackdoor Cobalt Strike Ryuk
2021-01-28 | Huntress Labs | John Hammond
Analyzing Ryuk Another Link in the Cyber Attack Chain
BazarBackdoor Ryuk
2021-01-25 | Twitter (@IntelAdvanced) | Advanced Intelligence
Tweet on Ryuk Ransomware group's post exploitation tactics including usage of Keethief tool
Ryuk
2021-01-07 | Advanced Intelligence | Brian Carter, HYAS, Vitali Kremez
Crime Laundering Primer: Inside Ryuk Crime (Crypto) Ledger & Risky Asian Crypto Traders
Ryuk
2020-12-28 | 0xC0DECAFE | Thomas Barabosch
Never upload ransomware samples to the Internet
Ryuk
2020-12-22 | TRUESEC | Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-12-21 | IronNet | Adam Hlavek, Kimberly Ortiz
Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-12-16 | Accenture | Paul Mansfield
Tracking and combatting an evolving danger: Ransomware extortion
DarkSide Egregor Maze Nefilim RagnarLocker REvil Ryuk SunCrypt
2020-12-10 | US-CERT | FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-12-10 | CyberInt | CyberInt
Ryuk Crypto-Ransomware
Ryuk TrickBot
2020-12-10 | Cybereason | Joakim Kandefelt
Cybereason vs. Ryuk Ransomware
BazarBackdoor Ryuk TrickBot
2020-12-09 | Cisco | Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends from Fall 2020
Cobalt Strike IcedID Maze RansomEXX Ryuk
2020-11-20 | ZDNet | Catalin Cimpanu
The malware that usually installs ransomware and you need to remove right away
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DoppelPaymer Dridex Egregor Emotet FriedEx MegaCortex Phorpiex PwndLocker QakBot Ryuk SDBbot TrickBot Zloader
2020-11-19 | Threatpost | Elizabeth Montalbano
APT Exploits Microsoft Zerologon Bug: Targets Japanese Companies
Quasar RAT Ryuk
2020-11-18 | DomainTools | Joe Slowik
Analyzing Network Infrastructure as Composite Objects
Ryuk
2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-11-14 | Medium 0xastrovax | astrovax
Deep Dive Into Ryuk Ransomware
Hermes Ryuk
2020-11-06 | Advanced Intelligence | Vitali Kremez
Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware "one" Group via Cobalt Strike
BazarBackdoor Cobalt Strike Ryuk
2020-11-05 | The DFIR Report | The DFIR Report
Ryuk Speed Run, 2 Hours to Ransom
BazarBackdoor Cobalt Strike Ryuk
2020-11-05 | SCYTHE | Jorge Orchilles, Sean Lyngaas
#ThreatThursday - Ryuk
BazarBackdoor Ryuk
2020-11-05 | Twitter (@ffforward) | TheAnalyst
Tweet on Zloader infection leads to Cobaltstrike Installation and deployment of RYUK
Cobalt Strike Ryuk Zloader
2020-11-05 | Github (scythe-io) | SCYTHE
Ryuk Adversary Emulation Plan
Ryuk
2020-11-04 | VMRay | Giovanni Vigna
Trick or Threat: Ryuk ransomware targets the health care industry
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-31 | splunk | Ryan Kovar
Ryuk and Splunk Detections
Ryuk
2020-10-30 | Cofense | The Cofense Intelligence Team
The Ryuk Threat: Why BazarBackdoor Matters Most
BazarBackdoor Ryuk
2020-10-30 | Github (ThreatConnect-Inc) | ThreatConnect
UNC 1878 Indicators from Threatconnect
BazarBackdoor Cobalt Strike Ryuk
2020-10-29 | Reuters | Christopher Bing, Joseph Menn
Building wave of ransomware attacks strike U.S. hospitals
Ryuk
2020-10-29 | Bleeping Computer | Lawrence Abrams
Hacking group is targeting US hospitals with Ryuk ransomware
Ryuk
2020-10-29 | CNN | Alex Marquardt, Lauren Mascarenhas, Vivian Salama
Several hospitals targeted in new wave of ransomware attacks
Ryuk
2020-10-29 | McAfee | McAfee Labs
McAfee Labs Threat Advisory Ransom-Ryuk
Ryuk
2020-10-29 | Palo Alto Networks Unit 42 | Brad Duncan, Brittany Barbehenn, Doel Santos
Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
Anchor BazarBackdoor Ryuk TrickBot
2020-10-29 | Red Canary | The Red Canary Team
A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
Cobalt Strike Ryuk TrickBot
2020-10-29 | Twitter (@SophosLabs) | SophosLabs
Tweet on similarities between BUER in-memory loader & RYUK in-memory loader
Buer Ryuk
2020-10-29 | RiskIQ | RiskIQ
Ryuk Ransomware: Extensive Attack Infrastructure Revealed
Cobalt Strike Ryuk
2020-10-29 | Twitter (@anthomsec) | Andrew Thompson
Tweet on UNC1878 activity
BazarBackdoor Ryuk TrickBot UNC1878
2020-10-28 | FireEye | Douglas Bienstock, Jeremy Kennelly, Joshua Shilko, Kimberly Goody, Steve Elovitz
Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
BazarBackdoor Cobalt Strike Ryuk UNC1878
2020-10-28 | SophosLabs Uncut | Anand Ajjan, Bill Kearny, Brett Cove, Elida Leite, Gabor Szappanos, Peter Mackenzie, Sean Gallagher, Syed Shahram
Hacks for sale: inside the Buer Loader malware-as-a-service
Buer Ryuk Zloader
2020-10-28 | CISA | CISA, FBI, HHS
AA20-302A: Ransomware Activity Targeting the Healthcare and Public Health Sector
AnchorDNS Anchor BazarBackdoor Ryuk
2020-10-28 | KrebsOnSecurity | Brian Krebs
FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals
Ryuk
2020-10-28 | YouTube (SANS Digital Forensics and Incident Response) | Aaron Stephens, Katie Nickels, Van Ta
STAR Webcast: Spooky RYUKy: The Return of UNC1878
Ryuk
2020-10-28 | Github (aaronst) | Aaron Stephens
UNC1878 indicators
Ryuk UNC1878
2020-10-28 | YouTube (SANS Institute) | Aaron Stephens, Katie Nickels, Van Ta
Spooky RYUKy: The Return of UNC1878 | SANS STAR Webcast
Ryuk UNC1878
2020-10-27 | Bleeping Computer | Lawrence Abrams
Steelcase furniture giant hit by Ryuk ransomware attack
Ryuk
2020-10-26 | ThreatConnect | ThreatConnect Research Team
ThreatConnect Research Roundup: Ryuk and Domains Spoofing ESET and Microsoft
Ryuk
2020-10-22 | Sentinel LABS | Marco Figueroa
An Inside Look at How Ryuk Evolved Its Encryption and Evasion Techniques
Ryuk
2020-10-22 | Bleeping Computer | Lawrence Abrams
French IT giant Sopra Steria hit by Ryuk ransomware
Ryuk
2020-10-20 | Bundesamt für Sicherheit in der Informationstechnik | BSI
The State of IT Security in Germany 2020
Clop Emotet REvil Ryuk TrickBot
2020-10-18 | The DFIR Report | The DFIR Report
Ryuk in 5 Hours
BazarBackdoor Cobalt Strike Ryuk
2020-10-16 | CrowdStrike | The Crowdstrike Intel Team
WIZARD SPIDER Update: Resilient, Reactive and Resolute
BazarBackdoor Conti Ryuk TrickBot
2020-10-16 | ThreatConnect | ThreatConnect Research Team
ThreatConnect Research Roundup: Possible Ryuk Infrastructure
Ryuk
2020-10-14 | Sophos | Sean Gallagher
They're back: inside a new Ryuk ransomware attack
Cobalt Strike Ryuk SystemBC
2020-10-13 | VirusTotal | Gerardo Fernández, Vicente Diaz
Tracing fresh Ryuk campaigns itw
Ryuk
2020-10-12 | Microsoft | Tom Burt
New action to combat ransomware ahead of U.S. elections
Ryuk TrickBot
2020-10-12 | Symantec | Threat Hunter Team
Trickbot: U.S. Court Order Hits Botnet's Infrastructure
Ryuk TrickBot
2020-10-12 | Advanced Intelligence | Roman Marshanski, Vitali Kremez
"Front Door" into BazarBackdoor: Stealthy Cybercrime Weapon
BazarBackdoor Cobalt Strike Ryuk
2020-10-08 | The DFIR Report | The DFIR Report
Ryuk's Return
BazarBackdoor Cobalt Strike Ryuk
2020-10-02 | Health Sector Cybersecurity Coordination Center (HC3) | Health Sector Cybersecurity Coordination Center (HC3)
Report 202010021600: Recent Bazarloader Use in Ransomware Campaigns
BazarBackdoor Cobalt Strike Ryuk TrickBot
2020-10-01 | KELA | Victoria Kivilevich
To Attack or Not to Attack: Targeting the Healthcare Sector in the Underground Ecosystem
Conti DoppelPaymer Mailto Maze REvil Ryuk SunCrypt
2020-09-29 | PWC UK | Andy Auld
What's behind the increase in ransomware attacks this year?
DarkSide Avaddon Clop Conti DoppelPaymer Dridex Emotet FriedEx Mailto PwndLocker QakBot REvil Ryuk SMAUG SunCrypt TrickBot WastedLocker
2020-09-24 | Kaspersky Labs | Kaspersky Lab ICS CERT
Threat landscape for industrial automation systems - H1 2020
Poet RAT Mailto Milum RagnarLocker REvil Ryuk Snake
2020-09-01 | Cisco Talos | Caitlin Huey, David Liebenberg
Quarterly Report: Incident Response trends in Summer 2020
Cobalt Strike LockBit Mailto Maze Ryuk
2020-08-20 | sensecy | cyberthreatinsider
Global Ransomware Attacks in 2020: The Top 4 Vulnerabilities
Clop Maze REvil Ryuk
2020-08-18 | Arete | Arete Incident Response
Is Conti the New Ryuk?
Conti Ryuk
2020-08-01 | Temple University | CARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-06-23 | Bleeping Computer | Ionut Ilascu
Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-15 | Cisco Talos | Caitlin Huey, David Liebenberg
Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-05-05 | N1ght-W0lf Blog | Abdallah Elshinbary
Deep Analysis of Ryuk Ransomware
Ryuk
2020-04-19 | SecurityLiterate | Kyle Cucci
Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-14 | Intel 471 | Intel 471
Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-03-31 | FireEye | Aaron Stephens, Van Ta
It's Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot UNC1878
2020-03-25 | Wilbur Security | JW
Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-03-04 | Bleeping Computer | Lawrence Abrams
Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-04 | CrowdStrike | CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-03-03 | PWC UK | PWC UK
Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2020-03-02 | c't | Christian Wölbert
What Emotet does, and what lessons the victims draw from it
Emotet Ryuk
2020-02-25 | RSA Conference | Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-13 | Quick Heal | Goutam Tripathy
A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk
Ryuk
2020-02-12 | VMWare Carbon Black | AC, Rachel E. King
Ryuk Ransomware Technical Analysis
Ryuk
2020-02-10 | Malwarebytes | Adam Kujawa, Chris Boyd, David Ruiz, Jérôme Segura, Jovi Umawing, Nathan Collier, Pieter Arntz, Thomas Reed, Wendy Zamora
2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-29 | ANSSI | ANSSI
State of the ransomware threat
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29 | ZDNet | Catalin Cimpanu
DOD contractor suffers ransomware infection
Ryuk
2020-01-24 | ReversingLabs | Robert Simmons
Hunting for Ransomware
Ryuk
2020-01-24 | Bleeping Computer | Lawrence Abrams
New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk
2020-01-17 | Secureworks | Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-14 | Bleeping Computer | Lawrence Abrams
Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2020-01-01 | Secureworks | SecureWorks
GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2020-01-01 | Blackberry | Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-12-26 | Bleeping Computer | Lawrence Abrams
Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21 | Decrypt | Adriana Hamacher
How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19 | Malwarebytes | Jovi Umawing
Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15 | Bleeping Computer | Lawrence Abrams
Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09 | Emsisoft | EmsiSoft Malware Lab
Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27 | Twitter (@Prosegur) | Prosegur
Tweet on Incident of Information Security
Ryuk
2019-11-06 | Heise Security | Thomas Hungenberg
Emotet, Trickbot, Ryuk: an explosive malware cocktail
Emotet Ryuk TrickBot
2019-11-05 | Information Age | David Braue
Hospital cyberattack could have been avoided
Ryuk
2019-11-01 | CCN-CERT | CCN-CERT
Malicious Code Report CCN-CERT ID-26/19
Ryuk
2019-11-01 | CrowdStrike | Alexander Hanel, Brett Stone-Gross
WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-05-09 | GovCERT.ch | GovCERT.ch
Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-05 | FireEye | Alex Pennino, Andrew Thompson, Ben Fedore, Brendan McKeague, Douglas Bienstock, Geoff Ackerman, Van Ta
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02 | Cybereason | Lior Rochberger, Matan Zatz, Noa Pinkas
Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26 | ANSSI | ANSSI
Information on the LockerGoga and Ryuk ransomware
Ryuk
2019-01-11 | FireEye | Christopher Glyer, Jaideep Natu, Jeremy Kennelly, Kimberly Goody
A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10 | CrowdStrike | Alexander Hanel
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09 | McAfee | Christiaan Beek, John Fokker
Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019-01-01 | Virus Bulletin | Gabriela Nicolao, Luciano Martins
Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29 | Los Angeles Times | Emily Alpert Reyes, Meg James, Tony Barboza
Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-08-20 | Check Point | Ben Herzog, Itay Cohen
Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
Yara Rules
[TLP:WHITE] win_ryuk_auto (20241030 | Detects win.ryuk.)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.ryuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 6a01 6a00 6814010000 }
            // n = 4, score = 2400
            //   68????????           |                     
            //   6a01                 | lea                 edi, [edx - 2]
            //   6a00                 | mov                 ax, word ptr [edi + 2]
            //   6814010000           | lea                 edi, [edi + 2]

        $sequence_1 = { 85c0 7508 6a01 ff15???????? 68???????? 6a01 }
            // n = 6, score = 2300
            //   85c0                 | test                ax, ax
            //   7508                 | jne                 3
            //   6a01                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   ff15????????         |                     
            //   68????????           |                     
            //   6a01                 | mov                 ecx, eax

        $sequence_2 = { 6a08 6a18 68???????? 68???????? 68???????? }
            // n = 5, score = 1900
            //   6a08                 | test                ax, ax
            //   6a18                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     

        $sequence_3 = { 7578 6a10 6a18 68???????? }
            // n = 4, score = 1800
            //   7578                 | sub                 eax, edx
            //   6a10                 | shr                 eax, 1
            //   6a18                 | add                 eax, edx
            //   68????????           |                     

        $sequence_4 = { 66398818000035 753e 8b4508 b9???????? 2bc1 50 }
            // n = 6, score = 1800
            //   66398818000035       | dec                 eax
            //   753e                 | mov                 eax, ebx
            //   8b4508               | dec                 eax
            //   b9????????           |                     
            //   2bc1                 | add                 esp, 0x30
            //   50                   | pop                 ebx

        $sequence_5 = { 68???????? 68???????? 68???????? ff15???????? 85c0 7525 6a08 }
            // n = 7, score = 1800
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     
            //   85c0                 | sub                 edx, esi
            //   7525                 | lea                 ebx, [edi + 2]
            //   6a08                 | mov                 ax, word ptr [edi + 2]

        $sequence_6 = { ff15???????? 85c0 7542 6a28 6a18 68???????? }
            // n = 6, score = 1800
            //   ff15????????         |                     
            //   85c0                 | shr                 eax, 6
            //   7542                 | imul                eax, eax, 0x5a
            //   6a28                 | sub                 eax, edx
            //   6a18                 | shr                 eax, 1
            //   68????????           |                     

        $sequence_7 = { ff15???????? 85c0 7578 6a10 }
            // n = 4, score = 1800
            //   ff15????????         |                     
            //   85c0                 | push                0x18
            //   7578                 | test                eax, eax
            //   6a10                 | jne                 0x27

        $sequence_8 = { 81b8????????50450000 754c b90b010000 66398818000035 753e 8b4508 }
            // n = 6, score = 1800
            //   81b8????????50450000     |     
            //   754c                 | ret                 
            //   b90b010000           | dec                 eax
            //   66398818000035       | mov                 dword ptr [esp + 8], ebx
            //   753e                 | push                edi
            //   8b4508               | dec                 eax

        $sequence_9 = { 68c0cf6a00 ff15???????? 6a01 ff15???????? }
            // n = 4, score = 1700
            //   68c0cf6a00           | push                1
            //   ff15????????         |                     
            //   6a01                 | push                1
            //   ff15????????         |                     

        $sequence_10 = { e8???????? 68e8030000 ff15???????? 68???????? e8???????? }
            // n = 5, score = 1400
            //   e8????????           | call                rel32
            //   68e8030000           | push                0x3e8
            //   ff15????????         | call                dword ptr [imm32]
            //   68????????           | push                imm32
            //   e8????????           | call                rel32

        $sequence_11 = { 7407 b801000000 eb0b eb04 33c0 eb05 b801000000 }
            // n = 7, score = 1400
            //   7407                 | je                  +7
            //   b801000000           | mov                 eax, 1
            //   eb0b                 | jmp                 +0xb
            //   eb04                 | jmp                 +4
            //   33c0                 | xor                 eax, eax
            //   eb05                 | jmp                 +5
            //   b801000000           | mov                 eax, 1

        $sequence_12 = { ba01000000 c1e200 8b45fc 880c10 b904000000 6bd103 817c15d8ff000000 }
            // n = 7, score = 1300
            //   ba01000000           | mov                 edx, 1
            //   c1e200               | shl                 edx, 0
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   880c10               | mov                 byte ptr [eax + edx], cl
            //   b904000000           | mov                 ecx, 4
            //   6bd103               | imul                edx, ecx, 3
            //   817c15d8ff000000     | cmp                 dword ptr [ebp + edx - 0x28], 0xff

        $sequence_13 = { b804000000 c1e000 8b4c05d8 83c101 ba04000000 c1e200 894c15d8 }
            // n = 7, score = 1300
            //   b804000000           | mov                 eax, 4
            //   c1e000               | shl                 eax, 0
            //   8b4c05d8             | mov                 ecx, dword ptr [ebp + eax - 0x28]
            //   83c101               | add                 ecx, 1
            //   ba04000000           | mov                 edx, 4
            //   c1e200               | shl                 edx, 0
            //   894c15d8             | mov                 dword ptr [ebp + edx - 0x28], ecx

        $sequence_14 = { 2b4df4 394dfc 7312 ba01000000 }
            // n = 4, score = 1300
            //   2b4df4               | sub                 ecx, dword ptr [ebp - 0xc]
            //   394dfc               | cmp                 dword ptr [ebp - 4], ecx
            //   7312                 | jae                 +0x12
            //   ba01000000           | mov                 edx, 1

        $sequence_15 = { ba01000000 8b4df0 d3e2 0b55f8 8955f8 ebd6 eb02 }
            // n = 7, score = 1300
            //   ba01000000           | mov                 edx, 1
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   d3e2                 | shl                 edx, cl
            //   0b55f8               | or                  edx, dword ptr [ebp - 8]
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   ebd6                 | jmp                 -0x2a
            //   eb02                 | jmp                 +2

        $sequence_16 = { 0f870b020000 720c 8b459c 3b45f4 0f87fd010000 b904000000 c1e100 }
            // n = 7, score = 1300
            //   0f870b020000         | ja                  +0x20b
            //   720c                 | jb                  +0xc
            //   8b459c               | mov                 eax, dword ptr [ebp - 0x64]
            //   3b45f4               | cmp                 eax, dword ptr [ebp - 0xc]
            //   0f87fd010000         | ja                  +0x1fd
            //   b904000000           | mov                 ecx, 4
            //   c1e100               | shl                 ecx, 0

        $sequence_17 = { 6bc203 8b4dfc c6040100 ba01000000 d1e2 8b45fc c6041000 }
            // n = 7, score = 1300
            //   6bc203               | imul                eax, edx, 3
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c6040100             | mov                 byte ptr [ecx + eax], 0
            //   ba01000000           | mov                 edx, 1
            //   d1e2                 | shl                 edx, 1
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c6041000             | mov                 byte ptr [eax + edx], 0

        $sequence_18 = { ff15???????? b811000000 e9???????? e9???????? }
            // n = 4, score = 1200
            //   ff15????????         | call                dword ptr [imm32]
            //   b811000000           | mov                 eax, 0x11
            //   e9????????           | jmp                 rel32
            //   e9????????           | jmp                 rel32

        $sequence_19 = { 7407 48 85c0 7ff0 }
            // n = 4, score = 900
            //   7407                 | je                  +7
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff0                 | jg                  -0x10

        $sequence_20 = { 6a00 6814010000 ff7508 ff35???????? ff15???????? }
            // n = 5, score = 900
            //   6a00                 | push                0
            //   6814010000           | push                0x114
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff35????????         | push                dword ptr [imm32]
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_21 = { ff35???????? ff15???????? 833d????????00 6a10 6a18 }
            // n = 5, score = 900
            //   ff35????????         | push                dword ptr [imm32]
            //   ff15????????         | call                dword ptr [imm32]
            //   833d????????00       | cmp                 dword ptr [imm32], 0
            //   6a10                 | push                0x10
            //   6a18                 | push                0x18

        $sequence_22 = { 751b ff35???????? ff35???????? 6a01 68???????? e8???????? 83c410 }
            // n = 7, score = 800
            //   751b                 | jne                 +0x1b
            //   ff35????????         | push                dword ptr [imm32]
            //   ff35????????         | push                dword ptr [imm32]
            //   6a01                 | push                1
            //   68????????           | push                imm32
            //   e8????????           | call                rel32
            //   83c410               | add                 esp, 0x10

        $sequence_23 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 800
            //   ff15????????         | call                dword ptr [imm32]
            //   b803000000           | mov                 eax, 3
            //   eb05                 | jmp                 +5
            //   b805000000           | mov                 eax, 5

        $sequence_24 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 800
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_25 = { 56 ff15???????? 8bcb 8d5102 }
            // n = 4, score = 700
            //   56                   | push                esi
            //   ff15????????         | call                dword ptr [imm32]
            //   8bcb                 | mov                 ecx, ebx
            //   8d5102               | lea                 edx, [ecx + 2]

        $sequence_26 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 700
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_27 = { 7714 7212 81f9d0070000 770a 85d2 }
            // n = 5, score = 700
            //   7714                 | ja                  +0x14
            //   7212                 | jb                  +0x12
            //   81f9d0070000         | cmp                 ecx, 0x7d0
            //   770a                 | ja                  +0xa
            //   85d2                 | test                edx, edx

        $sequence_28 = { eb0b 8bc1 99 f7fe }
            // n = 4, score = 700
            //   eb0b                 | jmp                 +0xb
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   f7fe                 | idiv                esi

        $sequence_29 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 }
            // n = 7, score = 600
            //   0f9fc0               | setg                al
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_30 = { 8d5f02 668b4702 83c702 6685c0 }
            // n = 4, score = 600
            //   8d5f02               | lea                 ebx, [edi + 2]
            //   668b4702             | mov                 ax, word ptr [edi + 2]
            //   83c702               | add                 edi, 2
            //   6685c0               | test                ax, ax

        $sequence_31 = { 488bc3 4883c430 5b c3 48895c2408 48896c2410 }
            // n = 6, score = 600
            //   488bc3               | mov                 rax, rbx
            //   4883c430             | add                 rsp, 0x30
            //   5b                   | pop                 rbx
            //   c3                   | ret                 
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   48896c2410           | mov                 qword ptr [rsp + 0x10], rbp

        $sequence_32 = { 53 d1fe e8???????? 83c408 8d5002 }
            // n = 5, score = 600
            //   53                   | push                ebx
            //   d1fe                 | sar                 esi, 1
            //   e8????????           | call                rel32
            //   83c408               | add                 esp, 8
            //   8d5002               | lea                 edx, [eax + 2]

        $sequence_33 = { 6685c9 75f5 2bf2 68???????? 53 }
            // n = 5, score = 600
            //   6685c9               | test                cx, cx
            //   75f5                 | jne                 -0xb
            //   2bf2                 | sub                 esi, edx
            //   68????????           | push                imm32
            //   53                   | push                ebx

        $sequence_34 = { 8bc8 83e103 f3a4 8d7afe 668b4702 8d7f02 }
            // n = 6, score = 600
            //   8bc8                 | mov                 ecx, eax
            //   83e103               | and                 ecx, 3
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d7afe               | lea                 edi, [edx - 2]
            //   668b4702             | mov                 ax, word ptr [edi + 2]
            //   8d7f02               | lea                 edi, [edi + 2]

        $sequence_35 = { 8d7f02 6685c0 75f4 a1???????? 8907 eb03 }
            // n = 6, score = 600
            //   8d7f02               | lea                 edi, [edi + 2]
            //   6685c0               | test                ax, ax
            //   75f4                 | jne                 -0xc
            //   a1????????           | mov                 eax, dword ptr [imm32]
            //   8907                 | mov                 dword ptr [edi], eax
            //   eb03                 | jmp                 +3

        $sequence_36 = { 83c202 6685c0 75f5 8d7bfe 2bd6 8d5f02 }
            // n = 6, score = 600
            //   83c202               | add                 edx, 2
            //   6685c0               | test                ax, ax
            //   75f5                 | jne                 -0xb
            //   8d7bfe               | lea                 edi, [ebx - 2]
            //   2bd6                 | sub                 edx, esi
            //   8d5f02               | lea                 ebx, [edi + 2]

        $sequence_37 = { 498bc1 c3 4053 4883ec20 8bc1 498bd8 }
            // n = 6, score = 600
            //   498bc1               | mov                 rax, r9
            //   c3                   | ret                 
            //   4053                 | push                rbx
            //   4883ec20             | sub                 rsp, 0x20
            //   8bc1                 | mov                 eax, ecx
            //   498bd8               | mov                 rbx, r8

        $sequence_38 = { 4883c428 c3 48895c2408 57 4883ec30 8364242000 }
            // n = 6, score = 600
            //   4883c428             | add                 rsp, 0x28
            //   c3                   | ret                 
            //   48895c2408           | mov                 qword ptr [rsp + 8], rbx
            //   57                   | push                rdi
            //   4883ec30             | sub                 rsp, 0x30
            //   8364242000           | and                 dword ptr [rsp + 0x20], 0

        $sequence_39 = { ba00000040 ff15???????? 488bd8 ff15???????? 83f820 }
            // n = 5, score = 500
            //   ba00000040           | mov                 edx, 0x40000000
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bd8               | mov                 rbx, rax
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   83f820               | cmp                 eax, 0x20

        $sequence_40 = { ff15???????? 41b900800000 4533c0 488bd6 488bcf }
            // n = 5, score = 500
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   41b900800000         | mov                 r9d, 0x8000
            //   4533c0               | xor                 r8d, r8d
            //   488bd6               | mov                 rdx, rsi
            //   488bcf               | mov                 rcx, rdi

        $sequence_41 = { 66837f0254 750f 66837f0641 7508 }
            // n = 4, score = 500
            //   66837f0254           | cmp                 word ptr [edi + 2], 0x54 ('T')
            //   750f                 | jne                 +0xf
            //   66837f0641           | cmp                 word ptr [edi + 6], 0x41 ('A')
            //   7508                 | jne                 +8

        $sequence_42 = { 66833f4e 7516 66837f0254 750f }
            // n = 4, score = 500
            //   66833f4e             | cmp                 word ptr [edi], 0x4e ('N')
            //   7516                 | jne                 +0x16
            //   66837f0254           | cmp                 word ptr [edi + 2], 0x54 ('T')
            //   750f                 | jne                 +0xf

        $sequence_43 = { 33c9 ba10270000 41b800100000 448d4904 ff15???????? }
            // n = 5, score = 500
            //   33c9                 | xor                 ecx, ecx
            //   ba10270000           | mov                 edx, 0x2710
            //   41b800100000         | mov                 r8d, 0x1000
            //   448d4904             | lea                 r9d, [rcx + 4]
            //   ff15????????         | call                qword ptr [rip + disp32]

        $sequence_44 = { d1e8 03c2 c1e806 6bc05a }
            // n = 4, score = 500
            //   d1e8                 | shr                 eax, 1
            //   03c2                 | add                 eax, edx
            //   c1e806               | shr                 eax, 6
            //   6bc05a               | imul                eax, eax, 0x5a

        $sequence_45 = { e8???????? 99 2bc2 d1f8 85c0 }
            // n = 5, score = 500
            //   e8????????           | call                rel32
            //   99                   | cdq                 
            //   2bc2                 | sub                 eax, edx
            //   d1f8                 | sar                 eax, 1
            //   85c0                 | test                eax, eax

        $sequence_46 = { 33c9 ff15???????? 48897c2430 488d4c2440 c744242802000000 4533c9 }
            // n = 6, score = 500
            //   33c9                 | xor                 ecx, ecx
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   48897c2430           | mov                 qword ptr [rsp + 0x30], rdi
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]
            //   c744242802000000     | mov                 dword ptr [rsp + 0x28], 2
            //   4533c9               | xor                 r9d, r9d

        $sequence_47 = { 8b5c3050 ff15???????? 41b900300000 c744242040000000 }
            // n = 4, score = 500
            //   8b5c3050             | mov                 ebx, dword ptr [rax + rsi + 0x50]
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   41b900300000         | mov                 r9d, 0x3000
            //   c744242040000000     | mov                 dword ptr [rsp + 0x20], 0x40

        $sequence_48 = { ff15???????? 488bf8 4885c0 7410 ff15???????? 488bc8 }
            // n = 6, score = 500
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bf8               | mov                 rdi, rax
            //   4885c0               | test                rax, rax
            //   7410                 | je                  +0x10
            //   ff15????????         | call                qword ptr [rip + disp32]
            //   488bc8               | mov                 rcx, rax

        $sequence_49 = { e8???????? 84c0 746c e8???????? 488d0d63080000 e8???????? e8???????? }
            // n = 7, score = 400
            //   e8????????           | call                rel32
            //   84c0                 | test                al, al
            //   746c                 | je                  +0x6c
            //   e8????????           | call                rel32
            //   488d0d63080000       | lea                 rcx, [rip + 0x863]
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32

    condition:
        7 of them and filesize < 7450624
}