{
	"id": "873e8871-72bf-4ce3-be3f-a792cecac8cd",
	"created_at": "2026-04-06T00:15:01.948818Z",
	"updated_at": "2026-04-10T03:21:15.146219Z",
	"deleted_at": null,
	"sha1_hash": "514b94220eb75ddbd5db33afd3e954a3c5e3fcda",
	"title": "Ryuk Ransomware Likely Behind New Orleans Cyberattack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1132192,
	"plain_text": "Ryuk Ransomware Likely Behind New Orleans Cyberattack\r\nBy Lawrence Abrams\r\nPublished: 2019-12-15 · Archived: 2026-04-05 13:23:44 UTC\r\nBased on files uploaded to the VirusTotal scanning service, the ransomware attack on the City of New Orleans was likely\r\ndone by the Ryuk Ransomware threat actors.\r\nOn December 14th, 2019, one day after the City of New Orleans ransomware attack, what appear to be memory dumps of\r\nsuspicious executables were uploaded from an IP address from the USA to the VirusTotal scanning service.\r\nOne of these memory dumps, which contained numerous references to New Orleans and Ryuk, was later found by Colin\r\nCowie of Red Flare Security and shared with BleepingComputer.com.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nAs memory dumps are a snapshot of the memory being used by an application while it is running, it can be used to extract\r\nuseful strings, file names, commands, and other information that the executable interacted with or executed. This allows\r\nmemory dumps to be used during cyber attack forensic investigations to learn more about how the attack was conducted.\r\nThe memory dump found by Cowie is for an executable named 'yoletby.exe' and contains numerous references to the City of\r\nNew Orleans including domain names, domain controllers, internal IP addresses, user names, file shares, and references to\r\nthe Ryuk ransomware. 
\r\nThe Ryuk ransomware strings in the dump were the HERMES file marker, file names ending in the .ryk extension, and references to the RyukReadMe.html ransom notes that Ryuk creates.\r\nRyuk and City of New Orleans strings\r\nAfter investigating the file further, BleepingComputer found an interesting reference to a C:\\Temp\\v2.exe executable that was run on the machine. It turns out that a memory dump for this file was also uploaded to VirusTotal.\r\nv2.exe strings\r\nOf particular interest in the v2.exe memory dump is a string that refers to the New Orleans City Hall.\r\nAfter further digging, BleepingComputer located a v2.exe executable and, after executing it, confirmed that it was the Ryuk ransomware.\r\nFiles encrypted by Ryuk after executing v2.exe\r\nIt is not known whether this particular executable is the one used in the City of New Orleans attack. It does show, however, that the v2.exe filename is used in Ryuk attacks, and the memory dumps show that a file of that name was run during the attack on the City of New Orleans.\r\nIf the City of New Orleans was indeed encrypted by Ryuk, which the evidence makes likely, then the city is just the latest victim of Ryuk, which has seen increased activity lately.\r\nBleepingComputer has contacted the City of New Orleans for confirmation that they were infected with Ryuk, but had not heard back at the time of publication.\r\nEmotet and Trickbot likely present as well\r\nIf New Orleans was encrypted by Ryuk, there is also a very high chance that Emotet and TrickBot infections are present on the network as well.\r\nEmotet is a malware infection that is commonly spread through spam emails carrying malicious attachments. When an attachment is opened and macros are enabled, it installs the Emotet Trojan on the victim's computer.\r\nEmotet then uses the infected computer to spam other computers with malicious attachments and to download further malware onto the computer.\r\nOne of the most common payloads installed by Emotet is the TrickBot information-stealing Trojan.\r\nWhen executed, TrickBot connects back to a command and control server, from which it receives commands to load various modules that steal information from the computer or install still more malware.\r\nOnce the TrickBot actors have collected all the valuable information and data from the computer, TrickBot opens a reverse shell back to the Ryuk actors.\r\nFrom there, the Ryuk team performs reconnaissance of the network, collects admin passwords, takes over domain controllers, and uses post-exploitation toolkits such as PowerShell Empire.\r\nThis is why all network admins need to realize that if they have been encrypted by Ryuk, there has commonly been a malware presence on their network for quite a while, and other data may have been stolen or compromised.\r\nWhat does this mean for the City of New Orleans?\r\nIt means that in addition to the Ryuk ransomware infection, the city also has to deal with the fact that attackers have been snooping around its data for some time.\r\nThe city will need to be more diligent against targeted phishing attacks, tighten security on its network, and change passwords.\r\nAlso, as it is unknown what financial information the attackers may have obtained, the City of New Orleans should contact its banking partners and put new procedures in place for how money is transferred.\r\nUpdate 12/15/19: Updated article to include how Emotet and Trickbot are usually found with Ryuk infections.\r\nThx @vagab0ndsec and @QW5kcmV3.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/"
	],
	"report_names": [
		"ryuk-ransomware-likely-behind-new-orleans-cyberattack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/514b94220eb75ddbd5db33afd3e954a3c5e3fcda.pdf",
		"text": "https://archive.orkl.eu/514b94220eb75ddbd5db33afd3e954a3c5e3fcda.txt",
		"img": "https://archive.orkl.eu/514b94220eb75ddbd5db33afd3e954a3c5e3fcda.jpg"
	}
}