{
	"id": "8529ff38-56d0-4f5a-9cd4-aca762a7beb6",
	"created_at": "2026-04-06T00:18:51.138691Z",
	"updated_at": "2026-04-10T13:12:39.884247Z",
	"deleted_at": null,
	"sha1_hash": "72a7eda10dc06de11c7850f5418a57806b3f211d",
	"title": "Cybereason vs. Ryuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 793231,
	"plain_text": "Cybereason vs. Ryuk Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 21:46:54 UTC\r\nWhat is Ryuk Ransomware?\r\nRyuk ransomware has been infecting victims since around 2018, and is believed to be based on the source code of\r\nHermes ransomware, which was sold on an internet hacking forum back in 2017. Since its inception, Ryuk has\r\nbeen used to target large organizations to great effect, having accumulated as much as $61.26 million (as of Feb\r\n2020) in ransom payments according to federal investigations. \r\nOne of the reasons behind Ryuk’s unfortunate success is the threat actor’s capacity to evolve their tactics,\r\ntechniques and procedures (TTPs). Since early last year, the TrickBot information stealer trojan has been a more\r\nor less constant partner-in-crime, with many campaigns also including other malware, frameworks and tools. The\r\nmentioned campaign utilized the EMPIRE framework,  and in later campaigns the same year Cybereason\r\nobserved Emotet downloading TrickBot deploying Ryuk. \r\nIn March of 2020, the threat actors temporarily stopped deploying Ryuk, and a new ransomware called Conti was\r\nintroduced. Researchers found that the code bases were similar, implying this could be the successor to Ryuk.\r\nHowever, in September 2020 Ryuk made a swift return, and with Conti infections still happening alongside it, the\r\nevidence pointed to Conti not being a successor so much as a new, different strain of malware. \r\nShortly after the start of Ryuk’s hiatus, a new malware called BazarLoader was observed being delivered by\r\nTrickBot. 
Currently, evidence suggests that Ryuk, Conti and BazarLoader are used by the same threat actor.\r\nRyuk ransomware is most often seen as the final payload in a larger targeted attack against a corporation, and\r\nsince its return in September, it has been mainly via TrickBot or BazarLoader infections.\r\nCybereason Detects and Blocks Ryuk Ransomware\r\nCybereason detects the various execution phases of Ryuk in detail, including process injection, persistence\r\ncreation and shadow copy deletion as detailed below in the Execution Overview section. With the proper settings\r\napplied to sensors in the customer environment, Cybereason can stop the Ryuk ransomware before it encrypts user\r\nfiles.\r\nWith Anti-Ransomware mode enabled, the Ryuk execution is stopped before encrypting the hard drive. A ransom\r\nnote can be found in folders where the malware attempted to encrypt files, but the user’s files were saved. If Anti-Malware is enabled the sample will be removed before execution. The following video provides a quick\r\ndemonstration of Cybereason’s detection and prevention capabilities against Ryuk ransomware:\r\nhttps://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware\r\nPage 1 of 7\n\nExecution Overview\r\nhttps://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware\r\nPage 2 of 7\n\nRyuk ransomware execution as detected by the Cybereason sensor\r\nOnce the Ryuk binary is executed, the sample creates a copy of itself (the randomly named child process of Ryuk\r\nin the screenshot below is a copy of Ryuk - ltbyhrc.exe) to execute with argument “8 LAN”. 
This function uses the\r\ndevice’s ARP table to find machines on the local LAN and send Wake-on-Lan packets to them, which if successful\r\nmounts the C$ share on the machine and proceeds to encrypt the remote drive.\r\nBoth the original binary and the dropped copy (ltbyhrc.exe) perform the same tasks - attempting to stop the\r\nservices “audioendpointbuilder”, “samss” and “sqlwriter”, then attempting to delete shadow copies and create\r\npersistence. Before encryption, the malware also utilizes icacls.exe - a program to change Access Control Lists - to\r\ngive itself full control over all files and folders on the C: and D: drives.\r\nThe original binary can also be seen injecting into other processes which Cybereason detects and tags with\r\nfloating executable code suspicions. \r\nSuccessful execution will encrypt the user files and append a .RYK extension to them. In order to avoid corrupting\r\nthe system, certain files such as .DLL and .EXE files are not encrypted. Folders that are traversed by Ryuk contain\r\nhttps://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware\r\nPage 3 of 7\n\na “RyukReadMe.html” file, which in this sample is very barebones, simply contains the name of the malware and\r\na mail address without any further instructions. Perhaps the threat actors believe their reputation precedes them?\r\nLeft: encrypted files with .RYK name extensions. 
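The execution chain described in the Execution Overview (a same-binary child launched with the 8 LAN argument, stops of audioendpointbuilder, samss and sqlwriter, shadow copy deletion, and an icacls grant of full control at the C: and D: roots) lends itself to a process-tree detection. The Python below is an added example written for this page; it is not Cybereason’s detection logic and not code from the original post. It assumes Sysmon-style process-creation events with pid, ppid, image, sha256 and cmdline fields. The sample events, hashes, user name and paths are constructed, and the net stop, vssadmin and icacls command lines are assumed forms: the page names the services and the tool but does not quote the exact commands.

```python
import re
from collections import defaultdict

# Services the page names as Ryuk's stop targets (compared case-insensitively).
RYUK_STOPPED_SERVICES = {'audioendpointbuilder', 'samss', 'sqlwriter'}

BACKSLASH = chr(92)  # kept out of the literals below so the block needs no escaping

# Constructed Sysmon-style process-creation events (hashes, PIDs, user and paths
# are made up; paths use forward slashes, the matching is separator-agnostic).
# The net stop / vssadmin / icacls command lines are assumed forms.
SAMPLE_EVENTS = [
    {'pid': 4000, 'ppid': 3000, 'image': 'C:/Users/alice/Downloads/invoice.exe',
     'sha256': 'a' * 64, 'cmdline': 'invoice.exe'},
    {'pid': 4001, 'ppid': 4000, 'image': 'C:/Users/alice/ltbyhrc.exe',
     'sha256': 'a' * 64, 'cmdline': 'ltbyhrc.exe 8 LAN'},  # same hash as parent
    {'pid': 4002, 'ppid': 4000, 'image': 'C:/Windows/System32/net.exe',
     'sha256': 'b' * 64, 'cmdline': 'net stop samss /y'},
    {'pid': 4003, 'ppid': 4001, 'image': 'C:/Windows/System32/net.exe',
     'sha256': 'b' * 64, 'cmdline': 'net stop audioendpointbuilder /y'},
    {'pid': 4004, 'ppid': 4000, 'image': 'C:/Windows/System32/vssadmin.exe',
     'sha256': 'c' * 64, 'cmdline': 'vssadmin Delete Shadows /all /quiet'},
    {'pid': 4005, 'ppid': 4000, 'image': 'C:/Windows/System32/icacls.exe',
     'sha256': 'd' * 64, 'cmdline': 'icacls C:/* /grant Everyone:F /T /C /Q'},
    {'pid': 4006, 'ppid': 4000, 'image': 'C:/Windows/System32/icacls.exe',
     'sha256': 'd' * 64, 'cmdline': 'icacls D:/* /grant Everyone:F /T /C /Q'},
    # Benign noise: an admin stopping an unrelated service and a per-file icacls.
    {'pid': 5000, 'ppid': 2000, 'image': 'C:/Windows/System32/net.exe',
     'sha256': 'b' * 64, 'cmdline': 'net stop spooler'},
    {'pid': 5001, 'ppid': 2000, 'image': 'C:/Windows/System32/icacls.exe',
     'sha256': 'd' * 64, 'cmdline': 'icacls C:/Share/report.docx /grant alice:R'},
]


def basename(path):
    # Separator-agnostic basename of a Windows image path, lower-cased.
    return path.replace(BACKSLASH, '/').rsplit('/', 1)[-1].lower()


def classify(event):
    # Map one process-creation event to the Ryuk behaviour it matches, or None.
    cmd = event['cmdline'].lower()
    tokens = cmd.split()
    if not tokens:
        return None
    exe = basename(tokens[0])
    # Self-copy launched for LAN spreading: the '8 LAN' argument the page documents.
    if tokens[-2:] == ['8', 'lan']:
        return 'lan_spread_copy'
    # Service stop through net.exe (assumed form; the page names only the services).
    if exe in ('net', 'net.exe', 'net1', 'net1.exe') and 'stop' in tokens:
        pos = tokens.index('stop') + 1
        if pos < len(tokens) and tokens[pos] in RYUK_STOPPED_SERVICES:
            return 'service_stop'
    # Shadow copy deletion (assumed forms; the page only says copies are deleted).
    if exe.startswith('vssadmin') and 'delete' in tokens and 'shadows' in tokens:
        return 'shadow_copy_deletion'
    if exe.startswith('wmic') and 'shadowcopy' in tokens and 'delete' in tokens:
        return 'shadow_copy_deletion'
    # icacls granting Everyone full control recursively at a drive root (X:\*).
    if (exe.startswith('icacls') and '/grant' in tokens and 'everyone:f' in cmd
            and re.search('[a-z]:.?[*]', cmd)):
        return 'drive_root_acl_grant'
    return None


def origin_pid(event, index):
    # Walk the parent chain to the topmost process present in the telemetry.
    cur = event
    seen = set()
    while cur['ppid'] in index and cur['pid'] not in seen:
        seen.add(cur['pid'])
        cur = index[cur['ppid']]
    return cur['pid']


def detect_ryuk_chain(events, min_behaviours=2):
    # Group flagged events under their topmost ancestor and report ancestors that
    # show at least min_behaviours distinct Ryuk behaviours. self_copy records
    # whether the '8 LAN' child carries the same SHA-256 as its parent.
    index = {e['pid']: e for e in events}
    grouped = defaultdict(lambda: {'behaviours': set(), 'pids': [], 'self_copy': False})
    for e in events:
        label = classify(e)
        if label is None:
            continue
        entry = grouped[origin_pid(e, index)]
        entry['behaviours'].add(label)
        entry['pids'].append(e['pid'])
        if label == 'lan_spread_copy':
            parent = index.get(e['ppid'])
            entry['self_copy'] = bool(parent and parent['sha256'] == e['sha256'])
    return {
        pid: {'image': index[pid]['image'], 'behaviours': sorted(g['behaviours']),
              'pids': g['pids'], 'self_copy': g['self_copy']}
        for pid, g in grouped.items() if len(g['behaviours']) >= min_behaviours
    }


if __name__ == '__main__':
    for pid, finding in detect_ryuk_chain(SAMPLE_EVENTS).items():
        print(pid, finding)
```

Run stand-alone, the block reports the single tree rooted at the constructed invoice.exe with all four behaviours and self_copy set, while the benign net stop spooler and per-file icacls events yield nothing. The threshold of two distinct behaviours is a tuning choice: one icacls grant or one service stop is routine administration, but several of them under one ancestor, together with a same-hash child carrying the 8 LAN argument, is the pattern the Execution Overview describes.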
Right: Ryuk ransom note\r\nFor a more in-depth analysis of Ryuk, please refer to this Cybereason report: Triple Threat: Emotet Deploys TrickBot to Steal Data \u0026 Spread Ryuk.\r\nMITRE ATT\u0026CK Breakdown\r\nImpact: Service Stop; Inhibit System Recovery; Data Encrypted for Impact\r\nExecution: Command and Scripting Interpreter: Windows Command Shell; Native API\r\nPrivilege Escalation: Process Injection\r\nPersistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDiscovery: System Network Configuration Discovery; File and Directory Discovery; Process Discovery\r\nDefense Evasion: Impair Defenses: Disable or Modify Tools\r\nINDICATORS OF COMPROMISE\r\nRyuk executables\r\nSHA-256\r\n92f124ea5217f3fe5cbab1c37a961df0437d5a9cbde1af268c60c4b3194b80ed\r\nd0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe\r\n4023a9849ee7d0c7bd80fc779e1d929c69112e324456578136c159e40449cc15\r\ndf3b813d049f8cbd0c8a3b9bb54fba9d385837dc6cced6186157c2adae56ad0e\r\n8a75b7f15ad770bb5a95b7900ac866a1845b3f20f5d22b8918d1f300435b4fc6\r\n0bb18ca131a6ee05ef081f008330d8075369a66a3e034f2412c70405d1397608\r\n44f0da753b38e9ac80f420855d40c4368a906cecb16630d80719e8f758a8c68a\r\nf266f0a4c5213f23a42787a88cd2e8df76d71b3397ed7cc45b6b535fe34a57dd\r\nbae0d9f0625000dd028c3a747b461c28e5fb5412e0de23a1f2fc2d754ac0d0fa\r\nda83298aae66af3e646b1d9aea2ce8b79514e4681e97faa020d403ca980534fd\r\n1d40658975e461af39f142b2eec149a3ec1d0071bbaf53020d8068e72243322b\r\nb624b3b297c5ebac42fabe2371b42d3add17bdb8c811ca5b51e5f27a96360a2e\r\nSHA-1\r\ne62135254b3a51f0180e70a11e4c3ad4a59f81c4\r\n71015f9c281038d63bf7cd45894550c1a26c6b53\r\na6caaa8f8ab2680ce2179a7571a466beb1b60447\r\n3780f5828fc05bf74649393169f70fafb0ffed25\r\n7ad297507ca71d65c46013e02fc635bc75b0e3a2\r\nf155befc8c3c054f3858a6d3e86a7b04c0a4f5dc\r\n0a5b7330c1e06837b7d47936297f80a87c9057d9\r\n2584992238615ecbfdb83b2d86f6227d07ae4f96\r\nb1f6e6eed8dcdf4d354660c2dbec141ada621eb8\r\n845c2c82415669f8c8b3f565519e29d26d3b1f8a\r\n7ddbc35d1612162538496eb5ece5fc1b6bce6eb8\r\n834d876b47ae8e595ae417a370cd47cc8e061131\r\nJoakim Kandefelt\r\nJoakim Kandefelt is a Security Analyst at Cybereason and part of the Nocturnus Research Team.\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware"
	],
	"report_names": [
		"cybereason-vs.-ryuk-ransomware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/72a7eda10dc06de11c7850f5418a57806b3f211d.pdf",
		"text": "https://archive.orkl.eu/72a7eda10dc06de11c7850f5418a57806b3f211d.txt",
		"img": "https://archive.orkl.eu/72a7eda10dc06de11c7850f5418a57806b3f211d.jpg"
	}
}