{
	"id": "ddadd71e-967a-4275-b098-556955f6cbf9",
	"created_at": "2026-04-06T00:06:10.331385Z",
	"updated_at": "2026-04-10T03:33:27.356015Z",
	"deleted_at": null,
	"sha1_hash": "5f5ec28132cdbe45891d349342385331108620ba",
	"title": "Ryuk Speed Run, 2 Hours to Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 730001,
	"plain_text": "Ryuk Speed Run, 2 Hours to Ransom\r\nBy editor\r\nPublished: 2020-11-05 · Archived: 2026-04-05 22:33:18 UTC\r\nIntro\r\nSince the end of September Ryuk has been screaming back into the news. We’ve already covered 2 cases in that timeframe. We’ve seen major healthcare providers, managed service providers, and furniture manufacturers all reportedly being hit. The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory claiming that a mass Ryuk campaign against the United States healthcare system was an imminent threat.\r\nFireEye released a post, and hosted a webinar with SANS and @likethecoins, detailing a group FireEye identifies as UNC 1878. In their report, they describe a threat actor’s TTPs that align with the activity we’ve previously reported on. They indicated that in their investigations and responses they saw the group take just 2 to 5 days from entry to full domain ransomware deployment. In our cases we’ve seen even faster action, with the threat actors seemingly trying to speed-run their ransomware deployment. In this most recent case, ransomware was deployed in 2 hours with the actor completing all objectives in 3 hours.\r\nRed Canary released a post recently on how they, with the support of Kroll, stopped a Ryuk intrusion at a hospital. This report includes 10 detection ideas as well as a feel-good story on how they stopped the intrusion. We need more reports like this, especially right now.\r\nSCYTHE recently put out an adversary emulation plan and a post based on our previous Ryuk reports. You can check out the post here and the free emulation plan here. Great job @jorgeorchilles, @seanqsun and the rest of the SCYTHE team for sharing this with the community!\r\nCase Summary\r\nLike in our prior two reports of Ryuk campaigns, the initial access came from phishing emails containing links to Google Drive that, when clicked, downloaded a Bazar Loader backdoor executable. 
In our prior cases we generally saw a lag time, ranging from hours to days, from the initial click to Ryuk. In this case, the time from initial Bazar execution to domain recon was 5 minutes, and deployment of Cobalt Strike beacons was within 10 minutes. This is by far the quickest we have seen them act.\r\nAfter bringing in Cobalt Strike, we saw familiar TTPs, with AdFind used to continue domain discovery activity. In this case, we saw them deploy persistence on the beachhead host, an action we had not previously seen in our other cases. After establishing another C2 for an additional Cobalt Strike beacon, they employed the Zerologon exploit (CVE-2020-1472) and obtained domain admin level privileges. We also saw host process injection on the beachhead used for obfuscation and privilege escalation.\r\nWith domain administrator privileges obtained, the threat actors then moved laterally throughout the network using SMB and RDP to deploy Cobalt Strike beacons on the domain controllers around 1 hour after the initial execution of Bazar. On the domain controllers, some additional discovery was done using the PowerShell Active Directory module. From there, they targeted other servers in the environment; specifically, backup systems, file servers, and software deployment servers. After establishing Cobalt Strike beacons on those, they felt ready to proceed to their final objectives.\r\nAt the 2-hour mark the threat actors made the move to deploy Ryuk ransomware by establishing RDP connections from the domain controllers to servers. 
This continued for the next hour until the entire domain had been encrypted, with that work completing just 3 hours after the first Bazar Loader was executed.\r\nhttps://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/\r\nPage 1 of 17\r\nTimeline\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nInitial access via a phishing email that linked to a Google Docs page that enticed the user to download a report, which was instead a Bazar Loader executable file, Report-Review20-10.exe.\r\nExecution\r\nExecution of the initial Bazar Loader malware relies on user interaction.\r\nExecutables transferred over SMB during lateral movement were commonly executed via a service.\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\ff49429\\ImagePath\r\nDetails: \\\\HOSTNAME\\ADMIN$\\ff49429.exe\"\r\nPersistence\r\nThis time, unlike prior investigations, clear persistence was found set up on the beachhead host. 
Firefox.exe created these scheduled tasks as well as the run key.\r\n\"C:\\Windows\\System32\\schtasks.exe\" /CREATE /SC ONSTART /TN jf0c /TR \"'C:\\Users\\pagefilerpqy.exe'\" /f\r\n\"C:\\Windows\\System32\\schtasks.exe\" /CREATE /SC ONSTART /TN jf0c /TR \"'C:\\Users\\pagefilerpqy.exe'\" /f /RL HIGHE\r\n\"C:\\Windows\\System32\\schtasks.exe\" /CREATE /SC ONCE /ST 17:21:58 /TN 9T6ukfi6 /TR \"'C:\\Users\\pagefilerpqy.exe\r\n\"C:\\Windows\\System32\\schtasks.exe\" /CREATE /SC ONCE /ST 17:21:58 /TN 9T6ukfi6 /TR \"'C:\\Users\\pagefilerpqy.exe\r\nREG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \\\"microsoft update\\\" /t REG_SZ /F /D \"SCHTASKS\r\nPrivilege Escalation\r\nThe Zerologon vulnerability CVE-2020-1472 was again exploited to obtain domain admin level privileges.\r\nCredential Access\r\nRubeus was used to kerberoast the environment.\r\nDefense Evasion\r\nProcess injection was used on the beachhead host to inject into svchost.exe.\r\nThe Bazar Loader malware was using a code signing certificate signed by DigiCert under the organization NOSOV SP Z O O.\r\nAt the time of delivery, the executable had a detection rate of 1/69 in VirusTotal.\r\nThe Cobalt Strike beacons used in the environment used similar code signing certificates.\r\nDiscovery\r\nIn previous cases, we generally saw some lag time between infection and further actions, but this time things moved much quicker, starting with initial discovery executed by Bazar less than 5 minutes after initial execution.\r\nDiscovery commands run by Bazar:\r\nnet view /all\r\nnet view /all /domain\r\nnltest /domain_trusts /all_trusts\r\nnet localgroup \"administrator\"\r\nnet group \"domain admins\" /dom\r\nSeven minutes 
later, after launching a Cobalt Strike beacon, AdFind was used, running the same discovery pattern seen in previous reporting. This was started via a .bat script. It appears that the threat actors are now piping these commands into a batch file one at a time instead of dropping adf.bat to disk.\r\nAdFind.exe -f \"(objectcategory=person)\"\r\nAdFind.exe -f \"(objectcategory=computer)\"\r\nAdFind.exe -f \"(objectcategory=organizationalUnit)\"\r\nAdFind.exe -sc trustdmp\r\nAdFind.exe -subnets -f \"(objectCategory=subnet)\"\r\nAdFind.exe -f \"(objectcategory=group)\"\r\nAdFind.exe -gcb -sc trustdmp\r\nOnce on the domain controller, the PowerShell Active Directory module was loaded.\r\nLateral Movement\r\nRDP connections were initiated from Cobalt Strike Beacons running on the beachhead host to two domain controllers, and then Cobalt Strike executables were dropped over these connections.\r\nIn addition to using RDP to move around the environment, executables were also transferred over SMB to ADMIN$ shares and executed as a service.\r\n\\\\HOSTNAME\\ADMIN$\\ff49429.exe\r\nCommand and Control\r\nBazar Loader:\r\nReport-Review20-10.exe\r\ndghns.xyz\r\n34.222.33.48:443\r\nCertificate [0e:bb:b8:4f:04:fe:7a:fe:2f:b6:59:58:fc:bd:05:f8:2e:c6:1e:f8]\r\nNot Before 2020/10/20 01:55:40\r\nNot After 2021/01/18 00:55:40\r\nIssuer Org Let's Encrypt\r\nSubject Common dghns.xyz [dghns.xyz, www.dghns.xyz]\r\nPublic Algorithm rsaEncryption\r\nJA3: 9e10692f1b7f78228b2d4e424db3a98c\r\nJA3s: 2b33c1374db4ddf06942f92373c0b54b\r\nCobalt Strike (suspected):\r\nrundll32.exe\r\nchecktodrivers.com\r\n45.153.240.240:443\r\nCertificate [ac:67:f2:b1:b0:5a:bd:f4:9f:23:98:0e:a9:8c:fd:8c:0f:56:b2:58]\r\nNot Before 2020/10/20 17:00:33\r\nNot After 2021/10/20 17:00:33\r\nIssuer Org lol\r\nSubject Common checktodrivers.com\r\nSubject Org lol\r\nPublic Algorithm rsaEncryption\r\nJA3: 
37f463bf4616ecd445d4a1937da06e19\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nrundll32.exe\r\ntopservicebooster.com\r\n108.62.12.121:443\r\nCertificate [35:ef:11:c8:a5:2c:b9:44:37:1b:cf:fd:27:50:79:31:69:f7:da:a9]\r\nNot Before 2020/10/20 10:51:32\r\nNot After 2021/10/20 10:51:32\r\nIssuer Org lol\r\nSubject Common topservicebooster.com\r\nSubject Org lol\r\nPublic Algorithm rsaEncryption\r\nJA3: 2c14bfb3f8a2067fbc88d8345e9f97f3\r\nJA3s: 649d6810e8392f63dc311eecb6b7098b\r\npagefilerpqy.exe\r\nchaseltd.top\r\n161.117.191.245:80\r\nhttp://chaseltd[.]top/gate[.]php\r\nExfiltration\r\nDiscovery data (AdFind and Rubeus outputs) was exfiltrated out of the network via FTP.\r\n5.2.70.149:21\r\nImpact\r\nAt roughly the 2-hour mark, we saw the threat actors begin to act on their final objectives. RDP connections were initiated from one of the domain controllers and the Ryuk executables were deployed and executed over these RDP connections. Servers such as the backup systems, file servers, and automation tools were targeted first, followed by workstations.\r\nCommands run prior to ransom execution:\r\n\"C:\\Windows\\system32\\net1 stop \"\"samss\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \"\"veeamcatalogsvc\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \"\"veeamcloudsvc\"\" /y\"\r\n\"C:\\Windows\\system32\\net1 stop \"\"veeamdeploysvc\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\"\" stop \"\"samss\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\"\" stop \"\"veeamcatalogsvc\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\"\" stop \"\"veeamcloudsvc\"\" /y\"\r\n\"C:\\Windows\\System32\\net.exe\"\" stop \"\"veeamdeploysvc\"\" /y\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM sqlbrowser.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM sqlceip.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" 
/IM sqlservr.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM sqlwriter.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.agent.configurationservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.brokerservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.catalogdataservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.cloudservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.externalinfrastructure.dbprovider.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.manager.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.mountservice.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.service.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.uiserver.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.backup.wmiserver.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeamdeploymentsvc.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeamfilesysvsssvc.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeam.guest.interaction.proxy.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeamnfssvc.exe /F\"\r\n\"C:\\Windows\\System32\\taskkill.exe\"\" /IM veeamtransportsvc.exe /F\"\r\n\"C:\\Windows\\system32\\taskmgr.exe\"\" /4\"\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\"\r\n\"C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\"\r\n\"icacls \"\"C:\\*\"\" /grant Everyone:F /T /C /Q\"\r\n\"icacls \"\"D:\\*\"\" /grant Everyone:F /T /C /Q\"\r\nWhile encryption was started 2 hours into the attack, by the 3-hour mark the actors had completed ransoming the entire environment.\r\nEnjoy our report? Please consider donating $1 or more to the project using Patreon. 
Thank you for your support!\r\nWe also have pcaps, files, memory images, and KAPE packages available here.\r\nIOCs\r\nNetwork\r\n34.222.33.48:443\r\ndghns.xyz\r\n45.153.240.240:443\r\nchecktodrivers.com\r\n108.62.12.121:443\r\ntopservicebooster.com\r\n161.117.191.245:80\r\nchaseltd.top\r\n5.2.70.149:21\r\nFile\r\nReport-Review20-10.exe.exe\r\n8d35e058f5631c80b00dd695511878e3\r\n8103299196efabec8ec0fc1d25f1332241b93220\r\n0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789\r\nFirefox.exe\r\n114057ad47a297e4092131386932456e\r\nc9882d860e685869fcd8e997622d37d1ab43bcd6\r\n3fc65b7e7967353f340ead51617558a23f14447ab91d974268f53ab0c17052e0\r\npagefilerpqy.exe\r\n9b45c64d56523e21a268f8deb5cfa680\r\n0a3f3bd9ae705af63779e8ca2be55d0db1253521\r\na4468c28e4830acf526209c0da25536ff0f682a0239ced1983a08d1ddd476963\r\npagefileU6Gl.sys\r\n7f1de29e6da19d22b51c68001e7e0e54\r\n40f7c01f4189510031adccd9c604a128adaf9b00\r\n13671077b66a29874a2578b5240319092ef2a1043228e433e9b006b5e53e7513\r\npagefilerpqy.sys\r\n92cc227532d17e56e07902b254dfad10\r\n8ee51caaa2c2f4ee2e5b4b7ef5a89db7df1068d7\r\n8241649609f88ccd2a0a5b233a07a538ec313ff6adf695aa44a969dbca39f67d\r\nAdFind.exe\r\nb3447ef9400d7f3f87ad24f89874f91a\r\n75e3782ef880aa6eb9df135c3b3f23eece9a2af3\r\n68d0f5659cf3cc1cf53519e1be482ca9a63f2deebdcd2cb7ee12515adc6db0a7\r\nPL64.exe\r\nc64266fd6142af402b1c7539be0ad02f\r\n3f0471775bb22695f0ed112582c058a63dac0f07\r\na7514209db9d9c7c51927308d4f0b491464e11391af3c6ae31cb87d91fac995d\r\nfx2-12_multi_for_crypt_x86.exe\r\nfa24b3608c7f556424ec17c2265da994\r\n357fbf27a30748812ce5aa3b298451c2eef88e6f\r\n34007d53a8e64bf1dbbeace9e4878fb209878e6a6843251895d4dc9c2699056e\r\nDetections\r\nNetwork\r\n2025194 ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)\r\n2023882 ET INFO HTTP Request to a *.top domain\r\nET INFO Observed DNS Query for EmerDNS_TLD (.bazar)\r\nET NETBIOS DCERPC SVCCTL - Remote 
Service Control Manager Access\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/malware/win_mal_ryuk.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.y\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml\r\nDetects AdFind usage from a past case:\r\ntitle: AdFind Recon\r\ndescription: Threat Actor using AdFind for reconnaissance.\r\nauthor: The DFIR Report\r\ndate: 2019/8/2\r\nreferences:\r\n  - https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/\r\ntags:\r\n  - attack.remote_system_discovery\r\n  - attack.T1018\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection_1:\r\n    CommandLine|contains:\r\n      - adfind -f objectcategory=computer\r\n  selection_2:\r\n    CommandLine|contains:\r\n      - adfind -gcb -sc trustdmp\r\n  condition: selection_1 or selection_2\r\nfalsepositives:\r\n  - Legitimate Administrator using tool for Active Directory querying\r\nlevel: medium\r\nstatus: experimental\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2020-10-31\r\nIdentifier: files\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule ryuk_1007_fx2_12_multi_for_crypt_x86 {\r\n    meta:\r\n        description = \"files - file fx2-12_multi_for_crypt_x86.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com/\"\r\n        date = \"2020-10-31\"\r\n        hash1 = \"34007d53a8e64bf1dbbeace9e4878fb209878e6a6843251895d4dc9c2699056e\"\r\n    strings:\r\n        $s1 = \"gOleAut32.dll\" 
fullword wide\r\n        $s2 = \"__ZN12_GLOBAL__N_110fake_mutexE\" fullword ascii\r\n        $s3 = \"__ZZN12_GLOBAL__N_116get_static_mutexEvE4once\" fullword ascii\r\n        $s4 = \"__gthread_mutex_t\" fullword ascii\r\n        $s5 = \"__gthread_recursive_mutex_t\" fullword ascii\r\n        $s6 = \"__ZNSt12__basic_fileIcEC2EP17__gthread_mutex_t\" fullword ascii\r\n        $s7 = \"__ZNSt12__basic_fileIcEC1EP17__gthread_mutex_t\" fullword ascii\r\n        $s8 = \"__ZGVZN12_GLOBAL__N_116get_locale_mutexEvE12locale_mutex\" fullword ascii\r\n        $s9 = \"__ZZN12_GLOBAL__N_116get_locale_mutexEvE12locale_mutex\" fullword ascii\r\n        $s10 = \"__ZN12_GLOBAL__N_116get_locale_mutexEv\" fullword ascii\r\n        $s11 = \"hmutex\" fullword ascii\r\n        $s12 = \"__ZGVZN12_GLOBAL__N_122get_locale_cache_mutexEvE18locale_cache_mutex\" fullword ascii\r\n        $s13 = \"__ZZN12_GLOBAL__N_122get_locale_cache_mutexEvE18locale_cache_mutex\" fullword ascii\r\n        $s14 = \"__gthr_win32_mutex_init_function\" fullword ascii\r\n        $s15 = \"___gthr_win32_recursive_mutex_init_function\" fullword ascii\r\n        $s16 = \"__gthr_win32_recursive_mutex_init_function\" fullword ascii\r\n        $s17 = \"___gthr_win32_mutex_init_function\" fullword ascii\r\n        $s18 = \"___gthr_win32_mutex_lock\" fullword ascii\r\n        $s19 = \"__gthr_win32_recursive_mutex_lock\" fullword ascii\r\n        $s20 = \"___gthr_win32_recursive_mutex_lock\" fullword ascii\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 4000KB and\r\n        ( pe.imphash() == \"d36627a0f5a150566b96bff0bfb0e763\" or 8 of them )\r\n}\r\nrule ryuk3_1007_pagefilerpqy {\r\n    meta:\r\n        description = \"files - file pagefilerpqy.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com/\"\r\n        date = \"2020-10-31\"\r\n        hash1 = \"a4468c28e4830acf526209c0da25536ff0f682a0239ced1983a08d1ddd476963\"\r\n    strings:\r\n        $s1 = \"youtube.com\" fullword ascii\r\n        $s2 = \"amazon.com\" fullword ascii\r\n        $s3 = \"ebay.com\" fullword ascii\r\n        $s4 = \"mymutex\" fullword 
ascii\r\n        $s5 = \"User-Agent: Mozilla/5.0 (Windows NT \" fullword ascii\r\n        $s6 = \"Accept-language: \" fullword ascii\r\n        $s7 = \"Agent, \" fullword wide\r\n        $s8 = \"TARAT d.o.o.1\" fullword ascii\r\n        $s9 = \"TARAT d.o.o.0\" fullword ascii\r\n        $s10 = \"; Trident/7.0; rv:11.0) like Gecko\" fullword ascii\r\n        $s11 = \") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/\" fullword ascii\r\n        $s12 = \".0) Gecko/20100101 Firefox/\" fullword ascii\r\n        $s13 = \" /RL HIGHEST\" fullword wide\r\n        $s14 = \"/CREATE /SC ONSTART\" fullword wide\r\n        $s15 = \"Referer: https://www.\" fullword ascii\r\n        $s16 = \"Bapi-ms-win-appmodel-runtime-l1-1-1\" fullword wide\r\n        $s17 = \" Agent\" fullword wide\r\n        $s18 = \"Badvapi32\" fullword wide\r\n        $s19 = \"Ljubljana1\" fullword ascii\r\n        $s20 = \"Mozilla\" fullword ascii /* Goodware String - occurred 26 times */\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 800KB and\r\n        ( pe.imphash() == \"ee60dc6086fb4fce34e1e9ff4767a8b8\" or 8 of them )\r\n}\r\nrule ryuk3_1007_Firefox {\r\n    meta:\r\n        description = \"files - file Firefox.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com/\"\r\n        date = \"2020-10-31\"\r\n        hash1 = \"3fc65b7e7967353f340ead51617558a23f14447ab91d974268f53ab0c17052e0\"\r\n    strings:\r\n        $s1 = \"youtube.com\" fullword ascii\r\n        $s2 = \"amazon.com\" fullword ascii\r\n        $s3 = \"ebay.com\" fullword ascii\r\n        $s4 = \"mymutex\" fullword ascii\r\n        $s5 = \"User-Agent: Mozilla/5.0 (Windows NT \" fullword ascii\r\n        $s6 = \"Accept-language: \" fullword ascii\r\n        $s7 = \"Agent, \" fullword wide\r\n        $s8 = \"TARAT d.o.o.1\" fullword ascii\r\n        $s9 = \"TARAT d.o.o.0\" fullword ascii\r\n        $s10 = \"; Trident/7.0; rv:11.0) like Gecko\" fullword ascii\r\n        $s11 = \") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/\" fullword ascii\r\n        $s12 = \".0) Gecko/20100101 Firefox/\" fullword ascii\r\n        $s13 = \" /RL HIGHEST\" fullword wide\r\n        $s14 = \"/CREATE /SC ONSTART\" fullword wide\r\n        $s15 = 
\"Referer: https://www.\" fullword ascii\r\n        $s16 = \"Bapi-ms-win-appmodel-runtime-l1-1-1\" fullword wide\r\n        $s17 = \" Agent\" fullword wide\r\n        $s18 = \"Badvapi32\" fullword wide\r\n        $s19 = \"Ljubljana1\" fullword ascii\r\n        $s20 = \"Mozilla\" fullword ascii /* Goodware String - occurred 26 times */\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 800KB and\r\n        ( pe.imphash() == \"ee60dc6086fb4fce34e1e9ff4767a8b8\" or 8 of them )\r\n}\r\nrule ryuk3_1007_PL64 {\r\n    meta:\r\n        description = \"files - file PL64.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com/\"\r\n        date = \"2020-10-31\"\r\n        hash1 = \"a7514209db9d9c7c51927308d4f0b491464e11391af3c6ae31cb87d91fac995d\"\r\n    strings:\r\n        $s1 = \"reindex -? will give you the usage for each command\" fullword wide\r\n        // $s2 was an empty string in the source listing, which YARA does not accept; it is omitted here\r\n        $s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n        $s4 = \"Usage: %s %s%s\" fullword wide\r\n        // the $s5 path is truncated in the source listing; the surviving prefix is kept as a plain wide string\r\n        $s5 = \"B:\\\\WindowsSDK7-Samples-master\\\\WindowsSDK7-Samples-master\\\\winui\\\\WindowsSearch\\\\ReindexMatchingUrls\\\\\" wide\r\n        $s6 = \"Failed to reindex - %s\" fullword wide\r\n        $s7 = \"Supported commands:\" fullword wide\r\n        $s8 = \"SUBCOMMAND\" fullword wide\r\n        $s9 = \" (EX. 
reindex where System.ItemNameDisplay = 'test.txt')\" fullword wide\r\n        $s10 = \"No command specified.\" fullword wide\r\n        $s11 = \"Command not recognized: %s\" fullword wide\r\n        $s12 = \"Reindexing - %s\" fullword wide\r\n        $s13 = \"Reindexed - %s\" fullword wide\r\n        $s14 = \".?AVCReindexMatchingWhereClauseCommand@@\" fullword ascii\r\n        $s15 = \".?AVCReindexWhereClauseCommand@@\" fullword ascii\r\n        $s16 = \".?AVCMetaCommand@@\" fullword ascii\r\n        $s17 = \".?AVCReindexMatchingMimeTypeCommand@@\" fullword ascii\r\n        $s18 = \".?AVCReindexMatchingFileTypeCommand@@\" fullword ascii\r\n        $s19 = \"Unrecognized option: %s%s%s\" fullword wide\r\n        $s20 = \"OnItemsChanged(%s) failed with 0x%x\" fullword wide\r\n    condition:\r\n        uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n        ( pe.imphash() == \"102983d1d06c7d80b040d45e9425a96f\" or 8 of them )\r\n}\r\n/* Super Rules ------------------------------------------------------------- */\r\nrule ryuk3_1007_pagefilerpqy_Firefox_0 {\r\n    meta:\r\n        description = \"files - from files pagefilerpqy.exe, Firefox.exe\"\r\n        author = \"The DFIR Report\"\r\n        reference = \"https://thedfirreport.com/\"\r\n        date = \"2020-10-31\"\r\n        hash1 = \"a4468c28e4830acf526209c0da25536ff0f682a0239ced1983a08d1ddd476963\"\r\n        hash2 = \"3fc65b7e7967353f340ead51617558a23f14447ab91d974268f53ab0c17052e0\"\r\n    strings:\r\n        $s1 = \"youtube.com\" fullword ascii\r\n        $s2 = \"amazon.com\" fullword ascii\r\n        $s3 = \"ebay.com\" fullword ascii\r\n        $s4 = \"mymutex\" fullword ascii\r\n        $s5 = \"User-Agent: Mozilla/5.0 (Windows NT \" fullword ascii\r\n        $s6 = \"Accept-language: \" fullword ascii\r\n        $s7 = \"Agent, \" fullword wide\r\n        $s8 = \"TARAT d.o.o.1\" fullword ascii\r\n        $s9 = \"TARAT d.o.o.0\" fullword ascii\r\n        $s10 = \"; Trident/7.0; rv:11.0) like Gecko\" fullword ascii\r\n        $s11 = \") AppleWebKit/537.36 (KHTML, like Gecko) Chrome/\" fullword ascii\r\n        $s12 = \".0) Gecko/20100101 Firefox/\" fullword ascii\r\n        $s13 = \" /RL HIGHEST\" fullword 
wide\r\n        $s14 = \"/CREATE /SC ONSTART\" fullword wide\r\n        $s15 = \"Referer: https://www.\" fullword ascii\r\n        $s16 = \"Bapi-ms-win-appmodel-runtime-l1-1-1\" fullword wide\r\n        $s17 = \" Agent\" fullword wide\r\n        $s18 = \"Badvapi32\" fullword wide\r\n        $s19 = \"Ljubljana1\" fullword ascii\r\n        $s20 = \"Mozilla\" fullword ascii /* Goodware String - occurred 26 times */\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and filesize \u003c 800KB and pe.imphash() == \"ee60dc6086fb4fce34e1e9ff4767a8b8\" and ( 8 of them ) )\r\n        or ( all of them )\r\n}\r\nMITRE\r\nSpearphishing Link – T1566.002\r\nPowerShell – T1059.001\r\nCommand-Line Interface – T1059\r\nUser Execution – T1204\r\nProcess Injection – T1055\r\nExploitation for Privilege Escalation – T1068\r\nDomain Trust Discovery – T1482\r\nDomain Groups – T1069.002\r\nDomain Account – T1087.002\r\nRemote System Discovery – T1018\r\nSMB/Windows Admin Shares – T1021.002\r\nRemote Desktop Protocol – T1021.001\r\nArchive Collected Data – T1560\r\nExfiltration Over Unencrypted/Obfuscated Non-C2 Protocol – T1048.003\r\nStandard Application Layer Protocol – T1071\r\nCommonly Used Port – T1043\r\nData Encrypted for Impact – T1486\r\nCode Signing – T1553.002\r\nService Execution – T1569.002\r\nScheduled Task – T1053.005\r\nRegistry Run Keys / Startup Folder – T1547.001\r\nCredential Access – T1558.003\r\nIndicators Linked to Threat Actor Group\r\nUNC 1878 Indicators released by FireEye:\r\nhttps://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456\r\nUNC 1878 Indicators from ThreatConnect:\r\nhttps://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv\r\nInternal Case 1007\r\nSource: https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/"
	],
	"report_names": [
		"ryuk-speed-run-2-hours-to-ransom"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider",
				"UNC1878"
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433970,
	"ts_updated_at": 1775792007,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f5ec28132cdbe45891d349342385331108620ba.pdf",
		"text": "https://archive.orkl.eu/5f5ec28132cdbe45891d349342385331108620ba.txt",
		"img": "https://archive.orkl.eu/5f5ec28132cdbe45891d349342385331108620ba.jpg"
	}
}