{
	"id": "9be78d49-dc48-4c8f-81f9-ff6cdac124be",
	"created_at": "2026-04-06T00:07:25.266203Z",
	"updated_at": "2026-04-10T03:21:19.585703Z",
	"deleted_at": null,
	"sha1_hash": "3decdf4855593917ab3dfa1bd92a9d4dee71b6d5",
	"title": "Threat Assessment: Ryuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45767,
	"plain_text": "Threat Assessment: Ryuk Ransomware\r\nBy Brittany Barbehenn, Doel Santos, Brad Duncan\r\nPublished: 2020-10-30 · Archived: 2026-04-05 14:00:59 UTC\r\nTactic | Technique [Mitre ATT\u0026CK ID] | Product / Service | Course of Action\r\nInitial Access\r\nNGFW\r\nSetup File Blocking\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR\r\nConfigure Malware Security Profile\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nNGFW\r\nEnsure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure that User Credential Submission uses the action of “block” or “continue” on the URL categories\r\nURL Filtering†\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\nhttps://unit42.paloaltonetworks.com/ryuk-ransomware/\r\nPage 1 of 5\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nNGFW\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure remote access capabilities for the User-ID service account are forbidden\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into untrusted zones\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure all zones have Zone Protection Profiles that drop specially crafted packets\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nDeploy XSOAR Playbook - Block Account Generic\r\nExecution\r\nNGFW\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude Networks' is used if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure remote access capabilities for the User-ID service account are forbidden\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into untrusted zones\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet\r\nDNS Security†\r\nEnable DNS Security in Anti-Spyware profile\r\nURL Filtering†\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nDeploy XSOAR Playbook Cortex XDR - Isolate Endpoint\r\nDeploy XSOAR Playbook - Block Account Generic\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nPersistence\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nPrivilege Escalation\r\nProcess Hollowing [T1055.012] (Process Injection [T1055])\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nDefense Evasion\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nConfigure Restrictions Security Profile\r\nWildFire†\r\nConfigure Behavioral Threat Protection under the Malware Security Profile\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nWildFire†\r\nEnsure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking profiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nCredential Access\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nConfigure Restrictions Security Profile\r\nCollection\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nCommand and Control\r\nNGFW\r\nEnsure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet\r\nDNS Security†\r\nEnable DNS Security in Anti-Spyware profile\r\nURL Filtering†\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Block IP\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Hunting C\u0026C Communication Playbook (Deprecated)\r\nExfiltration\r\nNGFW\r\nEnsure application security policies exist when allowing traffic from an untrusted zone to a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat Intelligence Sources Exists\r\nThreat Prevention†\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels, categories, and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure anti-spyware profile is applied to all security policies permitting traffic to the Internet\r\nDNS Security†\r\nEnable DNS Security in Anti-Spyware profile\r\nURL Filtering†\r\nEnsure that PAN-DB URL Filtering is used\r\nEnsure that URL Filtering uses the action of “block” or “override” on the \u003centerprise approved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL filtering is enabled for all security policies allowing traffic to the Internet\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Block IP\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Hunting C\u0026C Communication Playbook (Deprecated)\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nImpact\r\nData Encrypted for Impact [T1486]\r\nDeploy XSOAR Playbook - Ransomware Manual for incident response.\r\nInhibit System Recovery [T1490]\r\nDeploy XSOAR Playbook - Palo Alto Networks Endpoint Malware Investigation\r\nCortex XDR\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nSource: https://unit42.paloaltonetworks.com/ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ryuk-ransomware/"
	],
	"report_names": [
		"ryuk-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3decdf4855593917ab3dfa1bd92a9d4dee71b6d5.pdf",
		"text": "https://archive.orkl.eu/3decdf4855593917ab3dfa1bd92a9d4dee71b6d5.txt",
		"img": "https://archive.orkl.eu/3decdf4855593917ab3dfa1bd92a9d4dee71b6d5.jpg"
	}
}