{
	"id": "aa8b9bb0-b80b-4a1f-a03e-200c5b492cae",
	"created_at": "2026-04-06T00:10:21.094952Z",
	"updated_at": "2026-04-10T13:11:57.881183Z",
	"deleted_at": null,
	"sha1_hash": "a0a2f4420c3501d2644865618d66137a225303cb",
	"title": "SCYTHE Library: #ThreatThursday - Ryuk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2120469,
	"plain_text": "SCYTHE Library: #ThreatThursday - Ryuk\r\nBy Jorge Orchilles\r\nPublished: 2020-11-05 · Archived: 2026-04-05 13:55:41 UTC\r\nWelcome back to another SCYTHE #ThreatThursday! This week, we take a deeper dive into emulating and defending against the ransomware behind a recent spike in healthcare sector attacks: Ryuk ransomware.\r\nResearchers estimate that Ryuk has been behind a third of the ransomware attacks detected in 2020, including the latest surge in hospital and healthcare IT system attacks. The wave of healthcare sector Ryuk attacks even sparked an October 28th advisory from the FBI and the departments of Homeland Security and Health and Human Services.\r\nIn this #ThreatThursday, we speak with CyberScoop’s Sean Lyngaas, highlight common underlying Ryuk characteristics, build and deploy an emulation of a Ryuk attack, and discuss opportunities for security teams to fine-tune their system alerts and defensive strategies so you too can test yourself before Ryuk strikes again!\r\nRyuk Basics: Cyber Threat Intelligence\r\nOriginally discovered in 2018, Ryuk’s danger and sophistication stem from the fact that it is often paired with other malware such as TrickBot or Kegtap to target victims in particularly vulnerable and critical industries like healthcare. The presence of Ryuk is typically an indicator that other malware has also infected a system.\r\nCode comparison has found that Ryuk is based on the source code of the commodity ransomware Hermes. The threat actor using Ryuk is Eastern European and is known as UNC1878 according to FireEye.\r\nhttps://www.scythe.io/library/threatthursday-ryuk\r\nPage 1 of 8\n\nRyuk initial access is generally via email, deployed by a loader such as Bazar/Kegtap. Kegtap performs discovery over the course of multiple days and disables Windows Defender before running Ryuk to encrypt the endpoints. 
The loader malware often looks to prepare the environment so that Ryuk can run optimally. For the purposes of our emulation, we looked to include the behaviors of both the loader malware and Ryuk, as most cyber threat intelligence sources have lumped it all together as “Ryuk”.\r\nCyber Threat Intelligence sources consumed for creating this adversary emulation plan include:\r\nhttps://thedfirreport.com/2020/10/08/ryuks-return/\r\nhttps://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/\r\nhttps://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/\r\nhttps://unit42.paloaltonetworks.com/atoms/ryuk-ransomware/\r\nhttps://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/\r\nIn this week’s video we interview Sean Lyngaas from CyberScoop on what he is seeing and hearing about Ryuk. We show the MITRE ATT\u0026CK mapping of the Ryuk behaviors/TTPs as well as perform the adversary emulation with SCYTHE.\r\nRyuk Adversary Emulation Plan\r\nAfter consuming the Cyber Threat Intelligence reports and mapping them to MITRE ATT\u0026CK (shared on our GitHub), we organized the TTPs by Tactic and created a threat profile for Ryuk (below). 
We also created and shared the entire Ryuk adversary emulation plan in the SCYTHE Community Threats GitHub.\r\nTactic Description\r\nCommand and Control:\r\nT1071 - Application Layer Protocol\r\nT1105 - Ingress Tool Transfer\r\nT1219 - Remote Access Software\r\nT1573 - Encrypted Channel\r\nCollection: T1074 - Data Staged\r\nExecution:\r\nT1059 - Command and Scripting Interpreter\r\nT1059.001 - PowerShell\r\nT1059.003 - Windows Command Shell\r\nT1053 - Scheduled Task/Job\r\nT1053.005 - Scheduled Task\r\nDefense Evasion:\r\nT1078 - Valid Accounts\r\nT1078.003 - Local Accounts\r\nT1140 - Deobfuscate/Decode Files or Information\r\nCredential Access:\r\nT1003 - OS Credential Dumping\r\nT1003.001 - LSASS Memory\r\nPersistence:\r\nT1547 - Boot or Logon Autostart Execution\r\nT1547.001 - Registry Run Keys / Startup Folder\r\nDiscovery:\r\nT1018 - Remote System Discovery\r\nT1057 - Process Discovery\r\nT1082 - System Information Discovery\r\nT1083 - File and Directory Discovery\r\nT1087 - Account Discovery\r\nT1087.002 - Domain Account\r\nT1482 - Domain Trust Discovery\r\nExfiltration: T1041 - Exfiltration Over C2 Channel\r\nImpact: T1486 - Data Encrypted for Impact\r\nTaskkill.bat\r\nUpon execution, Ryuk looks to stop a large number of hard-coded tasks. This is an attempt to shut down antivirus and backup agents to ensure its effectiveness. Because we do not want to actually shut down services on a production endpoint that we are testing our emulation on, we chose to add Ryuk’s steps to a .bat file and use our downloader module to bring it on disk.\r\nDiscovery via adf.bat\r\nRyuk uses the AdFind.exe that we saw in FIN6’s Threat Thursday. However, it chooses to run AdFind through a file called adf.bat. In the script, it enumerates information about the domain while saving the results into multiple files. 
For our emulation, we did just that and proceeded to exfiltrate the data.\r\nDiscovery on Day 2\r\nAccording to breakdowns of Ryuk’s behavior, Ryuk does its discovery over the course of two days. On the first day, it looks for information about the domain via adf.bat. On the following day, it will actually use PowerView.ps1 to gain information about Local Admin Access and system information.\r\nRyuk Ransomware\r\nThe Ryuk ransomware component is straightforward and, as usual, SCYTHE performs this in a safe, professional manner that will not impact your enterprise production systems. First, we create a new directory with new files. Then we emulate the same adversary behaviors of encrypting the files, deleting the original files, and downloading a ransom note.\r\nDefend against Ryuk\r\nAcross the threat analysis of Ryuk we see commonalities not only in IOCs and TTPs, but also in the explicit commands and actions in use by this current version of the ransomware attack. The explicit commands, paired with the detailed account of compromise timelines, allow defenders some great insights in building up their defenses against Ryuk. It is also worth noting that Ryuk shares numerous TTPs in common with other Threat Actors, allowing some pre-existing detections to catch on to the threat, such as the means it uses to query for Active Directory information in its Discovery phase.\r\nRyuk includes many of the “greatest hits” when it comes to what should be considered non-standard user endpoint behaviors, as it utilizes the standard fare of “commands no standard end user should ever run”. 
These commands include the use of cmd.exe and powershell to run “net view” and “net group”, “nltest.exe”, “-EncodedCommand” flags, “reg query”, and of course “adfind.exe”. All of the behaviors in that list should be straightforward from a logging and flagging perspective, assuming that you have a means of centralized logging and alerting.\r\nRyuk uses some more “advanced” techniques to achieve its goals, ranging from Kerberoast to WMIC for lateral movement. Although it can be daunting to craft advanced technique detections, there are still some behaviors which are convenient for defenders to witness, such as the mounting of remote drives via cmd.exe.\r\nAnother Ryuk detection comes from its attempt to stop services and processes across a wide range of defensive and backup software; therefore even alerting on services such as “Sophos Agent” or “Veeam Backup” going offline unexpectedly across your environment provides a vital IOC for Ryuk.\r\nFinally, as with any ransomware, the ability to alert on massive and sweeping file creation, deletion, and encryption is extremely insightful to an organization as it permits defenders to fine-tune their alerts. These sorts of alerts are very difficult to create and tune accordingly as they require granular per-endpoint configurations. Although the “holy grail” of file manipulation detections would come through Windows monitoring, it is worth noting that the use of canary files can be a helpful tripwire to stem the tide of a ransomware onslaught.\r\nConclusion\r\nWhile Ryuk is a relatively “young” and destructive ransomware, defenders can leverage cyber threat intelligence based adversary emulation to implement tailored alerts. 
Threat researchers have identified and catalogued Ryuk’s key components in publicly available threat intelligence, enabling defenders to map it to MITRE ATT\u0026CK and create an adversary emulation plan that covers not only the ransomware’s TTPs but also the environment preparation behavior that the loader malware executes. Leveraging the Ryuk adversary emulation plan outlined above will aid system defenders in developing methods for detecting and preventing Ryuk’s current specific actions.\r\nThis Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.\r\n#ThreatThursday Library\r\nLearn more about SCYTHE’s weekly Threat Thursday research reports by going to the #ThreatThursday page in our Unicorn Library, watching the videos on SCYTHE’s YouTube Channel, or following #ThreatThursday and our CTO, Jorge Orchilles (@jorgeorchilles) on Twitter.\r\nAbout SCYTHE\r\nSCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io. 
\r\nSource: https://www.scythe.io/library/threatthursday-ryuk",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.scythe.io/library/threatthursday-ryuk"
	],
	"report_names": [
		"threatthursday-ryuk"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ab9d6b30-7c60-4d0b-8f49-e2e913c28508",
			"created_at": "2022-10-25T16:07:24.584775Z",
			"updated_at": "2026-04-10T02:00:05.042135Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "ETDA:UNC1878",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"Ryuk",
				"Team9Backdoor",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0a4f4edc-ea8c-4a30-8ded-35394e29de01",
			"created_at": "2023-01-06T13:46:39.178183Z",
			"updated_at": "2026-04-10T02:00:03.23716Z",
			"deleted_at": null,
			"main_name": "UNC1878",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC1878",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0a2f4420c3501d2644865618d66137a225303cb.pdf",
		"text": "https://archive.orkl.eu/a0a2f4420c3501d2644865618d66137a225303cb.txt",
		"img": "https://archive.orkl.eu/a0a2f4420c3501d2644865618d66137a225303cb.jpg"
	}
}