SYMBOLCOMMON_NAMEaka. SYNONYMS
win.ryuk (Back to overview)

Ryuk

Actor(s): FIN6, GRIM SPIDER, WIZARD SPIDER

Ryuk is a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

References
2020-06-23Bleeping ComputerIonut Ilascu
@online{ilascu:20200623:ryuk:c63b0c6, author = {Ionut Ilascu}, title = {{Ryuk ransomware deployed two weeks after Trickbot infection}}, date = {2020-06-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/}, language = {English}, urldate = {2020-06-30} } Ryuk ransomware deployed two weeks after Trickbot infection
Ryuk
2020-06-15Cisco TalosDavid Liebenberg, Caitlin Huey
@online{liebenberg:20200615:quarterly:c2dcd77, author = {David Liebenberg and Caitlin Huey}, title = {{Quarterly report: Incident Response trends in Summer 2020}}, date = {2020-06-15}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more}, language = {English}, urldate = {2020-06-19} } Quarterly report: Incident Response trends in Summer 2020
Ryuk
2020-05-05N1ght-W0lf BlogAbdallah Elshinbary
@online{elshinbary:20200505:deep:f5661cb, author = {Abdallah Elshinbary}, title = {{Deep Analysis of Ryuk Ransomware}}, date = {2020-05-05}, organization = {N1ght-W0lf Blog}, url = {https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/}, language = {English}, urldate = {2020-05-10} } Deep Analysis of Ryuk Ransomware
Ryuk
2020-04-19SecurityLiterateD4rksystem
@online{d4rksystem:20200419:reversing:4523233, author = {D4rksystem}, title = {{Reversing Ryuk: A Technical Analysis of Ryuk Ransomware}}, date = {2020-04-19}, organization = {SecurityLiterate}, url = {https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/}, language = {English}, urldate = {2020-04-20} } Reversing Ryuk: A Technical Analysis of Ryuk Ransomware
Ryuk
2020-04-14Intel 471Intel 471
@online{471:20200414:understanding:ca95961, author = {Intel 471}, title = {{Understanding the relationship between Emotet, Ryuk and TrickBot}}, date = {2020-04-14}, organization = {Intel 471}, url = {https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/}, language = {English}, urldate = {2020-04-26} } Understanding the relationship between Emotet, Ryuk and TrickBot
Emotet Ryuk TrickBot
2020-03-31FireEyeVan Ta, Aaron Stephens
@online{ta:20200331:its:632dfca, author = {Van Ta and Aaron Stephens}, title = {{It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit}}, date = {2020-03-31}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html}, language = {English}, urldate = {2020-04-06} } It’s Your Money and They Want It Now - The Cycle of Adversary Pursuit
Ryuk TrickBot
2020-03-25Wilbur SecurityJW
@online{jw:20200325:trickbot:17b0dc3, author = {JW}, title = {{Trickbot to Ryuk in Two Hours}}, date = {2020-03-25}, organization = {Wilbur Security}, url = {https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/}, language = {English}, urldate = {2020-03-26} } Trickbot to Ryuk in Two Hours
Cobalt Strike Ryuk TrickBot
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-03-04Bleeping ComputerLawrence Abrams
@online{abrams:20200304:ryuk:31f2ce0, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection}}, date = {2020-03-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/}, language = {English}, urldate = {2020-03-09} } Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
Ryuk TrickBot
2020-03-03PWC UKPWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019:A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare
2020-03-02c'tChristian Wölbert
@online{wlbert:20200302:was:1b9cc93, author = {Christian Wölbert}, title = {{Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen}}, date = {2020-03-02}, organization = {c't}, url = {https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html}, language = {German}, urldate = {2020-03-02} } Was Emotet anrichtet – und welche Lehren die Opfer daraus ziehen
Emotet Ryuk
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-10MalwarebytesAdam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-29ZDNetCatalin Cimpanu
@online{cimpanu:20200129:dod:57de65d, author = {Catalin Cimpanu}, title = {{DOD contractor suffers ransomware infection}}, date = {2020-01-29}, organization = {ZDNet}, url = {https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/}, language = {English}, urldate = {2020-02-03} } DOD contractor suffers ransomware infection
Ryuk
2020-01-24ReversingLabsRobert Simmons
@online{simmons:20200124:hunting:f99f1f9, author = {Robert Simmons}, title = {{Hunting for Ransomware}}, date = {2020-01-24}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hunting-for-ransomware}, language = {English}, urldate = {2020-01-29} } Hunting for Ransomware
Ryuk
2020-01-24Bleeping ComputerLawrence Abrams
@online{abrams:20200124:new:05d5a6a, author = {Lawrence Abrams}, title = {{New Ryuk Info Stealer Targets Government and Military Secrets}}, date = {2020-01-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/}, language = {English}, urldate = {2020-02-03} } New Ryuk Info Stealer Targets Government and Military Secrets
Ryuk
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-14Bleeping ComputerLawrence Abrams
@online{abrams:20200114:ryuk:b2e47fa, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices}}, date = {2020-01-14}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/}, language = {English}, urldate = {2020-01-15} } Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
Ryuk
2020SecureworksSecureWorks
@online{secureworks:2020:gold:d8faa3e, author = {SecureWorks}, title = {{GOLD ULRICK}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-ulrick}, language = {English}, urldate = {2020-05-23} } GOLD ULRICK
Empire Downloader Ryuk TrickBot WIZARD SPIDER
2019-12-26Bleeping ComputerLawrence Abrams
@online{abrams:20191226:ryuk:acc2284, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Stops Encrypting Linux Folders}}, date = {2019-12-26}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/}, language = {English}, urldate = {2020-01-08} } Ryuk Ransomware Stops Encrypting Linux Folders
Ryuk
2019-12-21DecryptAdriana Hamacher
@online{hamacher:20191221:how:9d026a8, author = {Adriana Hamacher}, title = {{How ransomware exploded in the age of Bitcoin}}, date = {2019-12-21}, organization = {Decrypt}, url = {https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc}, language = {English}, urldate = {2020-01-13} } How ransomware exploded in the age of Bitcoin
Ryuk
2019-12-19MalwarebytesJovi Umawing
@online{umawing:20191219:threat:552a941, author = {Jovi Umawing}, title = {{Threat spotlight: the curious case of Ryuk ransomware}}, date = {2019-12-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/}, language = {English}, urldate = {2020-01-08} } Threat spotlight: the curious case of Ryuk ransomware
Ryuk
2019-12-15Bleeping ComputerLawrence Abrams
@online{abrams:20191215:ryuk:74f6eab, author = {Lawrence Abrams}, title = {{Ryuk Ransomware Likely Behind New Orleans Cyberattack}}, date = {2019-12-15}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/}, language = {English}, urldate = {2020-01-13} } Ryuk Ransomware Likely Behind New Orleans Cyberattack
Ryuk
2019-12-09EmsisoftEmsiSoft Malware Lab
@online{lab:20191209:caution:05ff83a, author = {EmsiSoft Malware Lab}, title = {{Caution! Ryuk Ransomware decryptor damages larger files, even if you pay}}, date = {2019-12-09}, organization = {Emsisoft}, url = {https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/}, language = {English}, urldate = {2020-01-07} } Caution! Ryuk Ransomware decryptor damages larger files, even if you pay
Ryuk
2019-11-27Twitter (@Prosegur)Prosegur
@online{prosegur:20191127:incident:bd76c3f, author = {Prosegur}, title = {{Tweet on Incident of Information Security}}, date = {2019-11-27}, organization = {Twitter (@Prosegur)}, url = {https://twitter.com/Prosegur/status/1199732264386596864}, language = {English}, urldate = {2020-01-09} } Tweet on Incident of Information Security
Ryuk
2019-11-06Heise SecurityThomas Hungenberg
@online{hungenberg:20191106:emotet:1605954, author = {Thomas Hungenberg}, title = {{Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail}}, date = {2019-11-06}, organization = {Heise Security}, url = {https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html}, language = {German}, urldate = {2020-01-06} } Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail
Emotet Ryuk TrickBot
2019-11-01CrowdStrikeAlexander Hanel, Brett Stone-Gross
@online{hanel:20191101:wizard:a34a09e, author = {Alexander Hanel and Brett Stone-Gross}, title = {{WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN}}, date = {2019-11-01}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/}, language = {English}, urldate = {2019-12-20} } WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
Ryuk WIZARD SPIDER
2019-11CCN-CERTCCN-CERT
@online{ccncert:201911:informe:69b39b5, author = {CCN-CERT}, title = {{Informe Código Dañino CCN-CERT ID-26/19}}, date = {2019-11}, organization = {CCN-CERT}, url = {https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html}, language = {Espanyol}, urldate = {2020-01-10} } Informe Código Dañino CCN-CERT ID-26/19
Ryuk
2019-05-09GovCERT.chGovCERT.ch
@online{govcertch:20190509:severe:2767782, author = {GovCERT.ch}, title = {{Severe Ransomware Attacks Against Swiss SMEs}}, date = {2019-05-09}, organization = {GovCERT.ch}, url = {https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes}, language = {English}, urldate = {2019-07-11} } Severe Ransomware Attacks Against Swiss SMEs
Emotet LockerGoga Ryuk TrickBot
2019-04-05FireEyeBrendan McKeague, Van Ta, Ben Fedore, Geoff Ackerman, Alex Pennino, Andrew Thompson, Douglas Bienstock
@online{mckeague:20190405:picksix:d101a59, author = {Brendan McKeague and Van Ta and Ben Fedore and Geoff Ackerman and Alex Pennino and Andrew Thompson and Douglas Bienstock}, title = {{Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware}}, date = {2019-04-05}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html}, language = {English}, urldate = {2019-12-20} } Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware
LockerGoga Ryuk FIN6
2019-04-02CybereasonNoa Pinkas, Lior Rochberger, Matan Zatz
@online{pinkas:20190402:triple:10a3e37, author = {Noa Pinkas and Lior Rochberger and Matan Zatz}, title = {{Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk}}, date = {2019-04-02}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware}, language = {English}, urldate = {2020-01-09} } Triple Threat: Emotet Deploys Trickbot to Steal Data & Spread Ryuk
Ryuk TrickBot
2019-03-26ANSSIANSSI
@techreport{anssi:20190326:informations:7965c3d, author = {ANSSI}, title = {{INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK}}, date = {2019-03-26}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf}, language = {French}, urldate = {2020-01-10} } INFORMATIONS CONCERNANTLES RANÇONGICIELSLOCKERGOGA ET RYUK
Ryuk
2019-01-11FireEyeKimberly Goody, Jeremy Kennelly, Jaideep Natu, Christopher Glyer
@online{goody:20190111:nasty:3c872d4, author = {Kimberly Goody and Jeremy Kennelly and Jaideep Natu and Christopher Glyer}, title = {{A Nasty Trick: From Credential Theft Malware to Business Disruption}}, date = {2019-01-11}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html}, language = {English}, urldate = {2019-12-20} } A Nasty Trick: From Credential Theft Malware to Business Disruption
Ryuk TrickBot GRIM SPIDER WIZARD SPIDER
2019-01-10CrowdStrikeAlexander Hanel
@online{hanel:20190110:big:7e10bdf, author = {Alexander Hanel}, title = {{Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware}}, date = {2019-01-10}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/}, language = {English}, urldate = {2019-12-20} } Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware
Ryuk GRIM SPIDER MUMMY SPIDER STARDUST CHOLLIMA WIZARD SPIDER
2019-01-09McAfeeJohn Fokker, Christiaan Beek
@online{fokker:20190109:ryuk:350f477, author = {John Fokker and Christiaan Beek}, title = {{Ryuk Ransomware Attack: Rush to Attribution Misses the Point}}, date = {2019-01-09}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/}, language = {English}, urldate = {2020-01-09} } Ryuk Ransomware Attack: Rush to Attribution Misses the Point
Ryuk
2019Virus BulletinGabriela Nicolao, Luciano Martins
@techreport{nicolao:2019:shinigamis:8397861, author = {Gabriela Nicolao and Luciano Martins}, title = {{Shinigami's Revenge: The Long Tail of Ryuk Malware}}, date = {2019}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf}, language = {English}, urldate = {2020-01-05} } Shinigami's Revenge: The Long Tail of Ryuk Malware
Ryuk
2018-12-29Los Angeles TimesTony Barboza, Meg James, Emily Alpert Reyes
@online{barboza:20181229:malware:d5d8d0d, author = {Tony Barboza and Meg James and Emily Alpert Reyes}, title = {{Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.}}, date = {2018-12-29}, organization = {Los Angeles Times}, url = {https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html}, language = {English}, urldate = {2020-01-10} } Malware attack disrupts delivery of L.A. Times and Tribune papers across the U.S.
Ryuk
2018-08-20Check PointItay Cohen, Ben Herzog
@online{cohen:20180820:ryuk:5756495, author = {Itay Cohen and Ben Herzog}, title = {{Ryuk Ransomware: A Targeted Campaign Break-Down}}, date = {2018-08-20}, organization = {Check Point}, url = {https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/}, language = {English}, urldate = {2019-12-10} } Ryuk Ransomware: A Targeted Campaign Break-Down
Ryuk
Yara Rules
[TLP:WHITE] win_ryuk_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_ryuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? b803000000 eb05 b805000000 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   b803000000           | mov                 eax, 3
            //   eb05                 | jmp                 7
            //   b805000000           | mov                 eax, 5

        $sequence_1 = { 68???????? 6a01 6a00 6814010000 }
            // n = 4, score = 800
            //   68????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6814010000           | push                0x114

        $sequence_2 = { e8???????? e8???????? b9e8030000 ff15???????? }
            // n = 4, score = 700
            //   e8????????           |                     
            //   e8????????           |                     
            //   b9e8030000           | mov                 ecx, 0x3e8
            //   ff15????????         |                     

        $sequence_3 = { 85c0 7508 6a01 ff15???????? 68???????? }
            // n = 5, score = 700
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   6a01                 | push                1
            //   ff15????????         |                     
            //   68????????           |                     

        $sequence_4 = { 4983c8ff e8???????? 488bc3 4883c430 5b c3 48895c2408 }
            // n = 7, score = 600
            //   4983c8ff             | inc                 ebp
            //   e8????????           |                     
            //   488bc3               | xor                 ecx, ecx
            //   4883c430             | inc                 ebp
            //   5b                   | xor                 eax, eax
            //   c3                   | dec                 eax
            //   48895c2408           | add                 esp, 0x28

        $sequence_5 = { 0f9fc0 5d c3 8bff 55 8bec 8b4508 }
            // n = 7, score = 600
            //   0f9fc0               | setg                al
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_6 = { ff7508 e8???????? 5e 5d c3 6a08 }
            // n = 6, score = 600
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   6a08                 | push                8

        $sequence_7 = { b809000000 e9???????? 4533c9 4533c0 33d2 }
            // n = 5, score = 600
            //   b809000000           | mov                 eax, 9
            //   e9????????           |                     
            //   4533c9               | inc                 ebp
            //   4533c0               | xor                 ecx, ecx
            //   33d2                 | inc                 ebp

        $sequence_8 = { 498bc1 c3 4053 4883ec20 8bc1 498bd8 }
            // n = 6, score = 600
            //   498bc1               | inc                 ebp
            //   c3                   | xor                 ecx, ecx
            //   4053                 | inc                 ebp
            //   4883ec20             | xor                 eax, eax
            //   8bc1                 | dec                 ecx
            //   498bd8               | mov                 eax, ecx

        $sequence_9 = { 0fb7c1 498bc8 66f3ab 488b7c2408 498bc1 c3 4053 }
            // n = 7, score = 600
            //   0fb7c1               | xor                 ecx, ecx
            //   498bc8               | dec                 eax
            //   66f3ab               | mov                 eax, ebx
            //   488b7c2408           | dec                 eax
            //   498bc1               | add                 esp, 0x30
            //   c3                   | pop                 ebx
            //   4053                 | ret                 

        $sequence_10 = { 8d7602 6685c9 75f1 5e 5d c3 8bff }
            // n = 7, score = 600
            //   8d7602               | lea                 esi, [esi + 2]
            //   6685c9               | test                cx, cx
            //   75f1                 | jne                 0xfffffff3
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8bff                 | mov                 edi, edi

        $sequence_11 = { c20400 8bff 55 8bec b8ffff0000 83ec18 }
            // n = 6, score = 600
            //   c20400               | ret                 4
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   b8ffff0000           | mov                 eax, 0xffff
            //   83ec18               | sub                 esp, 0x18

        $sequence_12 = { 4883c428 c3 48895c2408 57 4883ec30 8364242000 }
            // n = 6, score = 600
            //   4883c428             | dec                 eax
            //   c3                   | sub                 esp, 0x20
            //   48895c2408           | mov                 eax, ecx
            //   57                   | dec                 ecx
            //   4883ec30             | mov                 ebx, eax
            //   8364242000           | mov                 eax, 9

        $sequence_13 = { 7423 8078ff48 751d 803845 7518 80780152 7512 }
            // n = 7, score = 500
            //   7423                 | inc                 eax
            //   8078ff48             | push                ebx
            //   751d                 | dec                 eax
            //   803845               | sub                 esp, 0x20
            //   7518                 | mov                 eax, ecx
            //   80780152             | dec                 ecx
            //   7512                 | mov                 ebx, eax

        $sequence_14 = { 4533c9 4533c0 c744242003000000 ba00000040 }
            // n = 4, score = 500
            //   4533c9               | mov                 ecx, 0x3e8
            //   4533c0               | ret                 
            //   c744242003000000     | dec                 eax
            //   ba00000040           | mov                 dword ptr [esp + 8], ebx

        $sequence_15 = { ff15???????? 85c0 750a b804000000 e9???????? }
            // n = 5, score = 500
            //   ff15????????         |                     
            //   85c0                 | dec                 ecx
            //   750a                 | mov                 eax, ecx
            //   b804000000           | ret                 
            //   e9????????           |                     

        $sequence_16 = { e9???????? 6a04 6800100000 6810270000 }
            // n = 4, score = 500
            //   e9????????           |                     
            //   6a04                 | push                4
            //   6800100000           | push                0x1000
            //   6810270000           | push                0x2710

        $sequence_17 = { c744242802000000 4533c9 4533c0 c744242002000000 ba000000c0 }
            // n = 5, score = 500
            //   c744242802000000     | push                edi
            //   4533c9               | push                ebx
            //   4533c0               | test                eax, eax
            //   c744242002000000     | jne                 0x56
            //   ba000000c0           | push                0x10

        $sequence_18 = { 8bc1 2bc2 d1e8 03c2 c1e806 6bc05a }
            // n = 6, score = 500
            //   8bc1                 | mov                 dword ptr [esp + 8], ebx
            //   2bc2                 | dec                 eax
            //   d1e8                 | mov                 dword ptr [esp + 0x10], ebp
            //   03c2                 | rep stosd           dword ptr es:[edi], eax
            //   c1e806               | dec                 eax
            //   6bc05a               | mov                 edi, dword ptr [esp + 8]

        $sequence_19 = { 7407 48 85c0 7ff0 }
            // n = 4, score = 500
            //   7407                 | je                  9
            //   48                   | dec                 eax
            //   85c0                 | test                eax, eax
            //   7ff0                 | jg                  0xfffffff2

        $sequence_20 = { 488bcf ff15???????? 41b900800000 4533c0 488bd6 488bcf }
            // n = 6, score = 500
            //   488bcf               | xor                 ecx, ecx
            //   ff15????????         |                     
            //   41b900800000         | mov                 eax, 9
            //   4533c0               | inc                 ebp
            //   488bd6               | xor                 ecx, ecx
            //   488bcf               | inc                 ebp

        $sequence_21 = { 8b5c3050 ff15???????? 41b900300000 c744242040000000 448bc3 488bd6 }
            // n = 6, score = 500
            //   8b5c3050             | push                esi
            //   ff15????????         |                     
            //   41b900300000         | push                edi
            //   c744242040000000     | mov                 eax, 3
            //   448bc3               | jmp                 7
            //   488bd6               | mov                 eax, 5

        $sequence_22 = { 53 6a28 ffd6 50 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   6a28                 | push                0x28
            //   ffd6                 | call                esi
            //   50                   | push                eax

        $sequence_23 = { 33f6 56 56 ff15???????? 6800800000 56 57 }
            // n = 7, score = 400
            //   33f6                 | xor                 esi, esi
            //   56                   | push                esi
            //   56                   | push                esi
            //   ff15????????         |                     
            //   6800800000           | push                0x8000
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_24 = { 7407 b801000000 eb0b eb04 }
            // n = 4, score = 400
            //   7407                 | ret                 
            //   b801000000           | inc                 eax
            //   eb0b                 | push                ebx
            //   eb04                 | dec                 eax

        $sequence_25 = { 6a08 6a18 68???????? 68???????? 68???????? ff15???????? }
            // n = 6, score = 400
            //   6a08                 | push                8
            //   6a18                 | push                0x18
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   ff15????????         |                     

        $sequence_26 = { 57 53 ff15???????? 85c0 7554 6a10 }
            // n = 6, score = 400
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7554                 | jne                 0x56
            //   6a10                 | push                0x10

        $sequence_27 = { 6a00 ff15???????? 6a00 6a02 6a03 }
            // n = 5, score = 400
            //   6a00                 | mul                 ecx
            //   ff15????????         |                     
            //   6a00                 | mov                 eax, ecx
            //   6a02                 | sub                 eax, edx
            //   6a03                 | shr                 eax, 1

        $sequence_28 = { 7568 6a28 56 68???????? 57 53 ff15???????? }
            // n = 7, score = 400
            //   7568                 | jne                 0x6a
            //   6a28                 | push                0x28
            //   56                   | push                esi
            //   68????????           |                     
            //   57                   | push                edi
            //   53                   | push                ebx
            //   ff15????????         |                     

        $sequence_29 = { e8???????? 83c404 33c9 8b5508 66894c42e2 8b45fc }
            // n = 6, score = 300
            //   e8????????           |                     
            //   83c404               | pop                 esi
            //   33c9                 | pop                 ebp
            //   8b5508               | ret                 
            //   66894c42e2           | push                8
            //   8b45fc               | ret                 4

        $sequence_30 = { 57 ff15???????? b80c000000 5f }
            // n = 4, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   b80c000000           | mov                 eax, 0xc
            //   5f                   | pop                 edi

        $sequence_31 = { 6a0a c1e818 51 50 }
            // n = 4, score = 200
            //   6a0a                 | push                0xa
            //   c1e818               | shr                 eax, 0x18
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_32 = { 51 6a00 ffd6 6800400000 6a40 }
            // n = 5, score = 200
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   ffd6                 | call                esi
            //   6800400000           | push                0x4000
            //   6a40                 | push                0x40

        $sequence_33 = { 8d0c49 c1e103 51 6a00 }
            // n = 4, score = 200
            //   8d0c49               | lea                 ecx, [ecx + ecx*2]
            //   c1e103               | shl                 ecx, 3
            //   51                   | push                ecx
            //   6a00                 | push                0

        $sequence_34 = { 2bf0 33c0 66890473 83ffff }
            // n = 4, score = 200
            //   2bf0                 | sub                 esi, eax
            //   33c0                 | xor                 eax, eax
            //   66890473             | mov                 word ptr [ebx + esi*2], ax
            //   83ffff               | cmp                 edi, -1

        $sequence_35 = { ff15???????? b80f000000 5f 5e }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   b80f000000           | mov                 eax, 0xf
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_36 = { ff7004 ff30 e8???????? 68???????? 8d442410 c744241058234300 50 }
            // n = 7, score = 100
            //   ff7004               | push                dword ptr [eax + 4]
            //   ff30                 | push                dword ptr [eax]
            //   e8????????           |                     
            //   68????????           |                     
            //   8d442410             | lea                 eax, [esp + 0x10]
            //   c744241058234300     | mov                 dword ptr [esp + 0x10], 0x432358
            //   50                   | push                eax

        $sequence_37 = { c78540fdffff00000000 ff15???????? 8d856cfdffff 50 56 }
            // n = 5, score = 100
            //   c78540fdffff00000000     | mov    dword ptr [ebp - 0x2c0], 0
            //   ff15????????         |                     
            //   8d856cfdffff         | lea                 eax, [ebp - 0x294]
            //   50                   | push                eax
            //   56                   | push                esi

    condition:
        7 of them and filesize < 7450624
}
Download all Yara Rules