{
	"id": "a3c5a9fd-31ba-4c0e-bc2e-7f00fe199305",
	"created_at": "2026-04-06T00:16:07.450598Z",
	"updated_at": "2026-04-10T03:38:19.528007Z",
	"deleted_at": null,
	"sha1_hash": "a3fa228c10383db3494a940e77703a670313e55d",
	"title": "Threat spotlight: the curious case of Ryuk ransomware | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3134479,
	"plain_text": "Threat spotlight: the curious case of Ryuk ransomware | Malwarebytes Labs\r\nBy Jovi Umawing\r\nPublished: 2019-12-11 · Archived: 2026-04-05 19:51:33 UTC\r\nRyuk. A name once unique to a fictional character in a popular Japanese comic book and cartoon series now appears on several rosters of the nastiest ransomware ever to hit the web.\r\nFor an incredibly young strain—only 15 months old—Ryuk gaining such notoriety is quite a feat. Unless the threat actors behind its campaigns call it quits, too—remember GandCrab?—or law enforcement collars them for good, we can only expect the threat of Ryuk to loom large over organizations.\r\nFirst discovered in mid-August 2018, Ryuk immediately turned heads after disrupting the operations of all Tribune Publishing newspapers over the Christmas holiday that year. What those affected initially took for a server outage soon turned out to be a malware attack. The infection was eventually quarantined; however, Ryuk re-infected and spread to connected systems on the network because the security patches failed to hold when the tech teams brought the servers back.\r\nBig game hunting with Ryuk ransomware\r\nBefore the holiday attack on Tribune Publishing, Ryuk had been seen targeting various enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC). That translates to between US$97,000 and $320,000 at the time of valuation.\r\nThis method of exclusively targeting large organizations with critical assets, which almost always guarantees a high ROI for the criminals, is called “big game hunting.” It is not easy to pull off, as such targeted attacks also involve customizing campaigns to suit each target and, in turn, increase the likelihood of their effectiveness. 
This requires much more work than a simple “spray-and-pray” approach, which can capture numerous targets but may not net such lucrative results.\r\nFor threat actors engaged in big game hunting, malicious campaigns are launched in phases. For example, they may start with a phishing attack to gather key credentials, or drop malware within an organization’s network to map it extensively and identify the crucial assets to target. They might then deploy second and third phases of attacks for extended espionage, extortion, and eventual ransom.\r\nTo date, Ryuk ransomware is hailed as the costliest among its peers. According to a report by Coveware, a first-of-its-kind incident response company specializing in ransomware, Ryuk’s asking price is 10 times the average, yet they also note that ransoms are highly negotiable. The varying ways adversaries work out ransom payments suggest that more than one criminal group may have access to and be operating Ryuk ransomware.\r\nThe who behind Ryuk\r\nhttps://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/\r\nPage 1 of 9\n\nAccurately pinpointing the origin of an attack or malware strain is crucial, as it reveals as much about the threat actors behind the campaigns as it does about the payload itself. The name “Ryuk,” which has obvious Japanese ties, is not a factor to consider when trying to discover who developed this ransomware. After all, it is common practice for cybercriminals to use handles based on favorite anime and manga characters. These days, a malware strain is more than its name.\r\nInstead, similarities in code base, structure, attack vectors, and languages can point to relations between criminal groups and their malware families. 
Security researchers from Check Point found a connection between the Ryuk and Hermes ransomware strains early on, due to similarities in their code and structure, an association that persists to this day. Because of this, many have assumed that Ryuk may also have ties with the Lazarus Group, the North Korean APT group that operated the Hermes ransomware in the past.\r\nRecommended read: Hermes ransomware distributed to South Koreans via recent Flash zero-day\r\nHowever, code likeness alone is an insufficient basis for the Ryuk/North Korea narrative. Hermes is a ransomware kit that is frequently peddled on the underground market, making it available for other cybercriminals to use in their own campaigns. Furthermore, separate research from cybersecurity experts at CrowdStrike, FireEye, Kryptos Logic, and McAfee has indicated that the gang behind Ryuk may actually be of Russian origin—and not necessarily nation-state sponsored.\r\nAs of this writing, the origins of Ryuk ransomware can be attributed (with high confidence, per some of our cybersecurity peers) to two criminal entities: Wizard Spider and CryptoTech.\r\nThe former is the well-known Russian cybercriminal group that operates TrickBot; the latter is a Russian-speaking organization found selling Hermes 2.1 two months before the $58.5 million cyber heist that victimized the Far Eastern International Bank (FEIB) in Taiwan. According to reports, this version of Hermes was used as a decoy or “pseudo-ransomware,” a mere distraction from the real goal of the attack.\r\nWizard Spider\r\nRecent findings have revealed that Wizard Spider upgraded Ryuk to include a Wake-on-LAN (WoL) utility and an ARP ping scanner in its arsenal. 
WoL is a network standard that allows computing devices connected to a network—regardless of which operating system they run—to be turned on remotely when they are powered off, asleep, or hibernating, provided the network adapter and firmware support it.\r\nARP pinging, on the other hand, is a way of discovering which endpoints on the local network are online. According to CrowdStrike, these additions reveal Wizard Spider’s attempts to reach and infect as many of their target’s endpoints as they can, including machines that would otherwise be out of reach because they are switched off, demonstrating a persistent focus on monetizing as much of the victim’s data as possible.\r\nCryptoTech\r\nTwo months ago, Gabriela Nicolao (@rove4ever) and Luciano Martins (@clucianomartins), both researchers at Deloitte Argentina, attributed Ryuk ransomware to CryptoTech, a little-known cybercriminal group that was observed touting Hermes 2.1 in an underground forum back in August 2017. Hermes 2.1, the researchers say, is Ryuk ransomware.\r\nIn a Virus Bulletin conference paper and presentation entitled Shinigami’s revenge: the long tail of the Ryuk ransomware, Nicolao and Martins presented evidence for this claim: In June 2018, a couple of months before Ryuk made its first public appearance, an underground forum poster expressed doubt that CryptoTech was the author of Hermes 2.1, the ransomware toolkit the group had been peddling for almost a year by then. 
CryptoTech’s response was interesting; Nicolao and Martins captured and annotated it in a screenshot in their paper.\r\nThe Deloitte researchers also noted that after Ryuk emerged, CryptoTech went quiet.\r\nCrowdStrike has estimated that from the time Ryuk was first deployed until January of this year, its operators netted a total of 705.80 BTC, equivalent to US$5 million as of press time.\r\nRyuk ransomware infection vectors\r\nThere was a time when Ryuk ransomware arrived on clean systems to wreak havoc. But new strains observed in the wild now belong to a multi-stage campaign that involves Emotet and TrickBot. As such, Ryuk variants arrive on systems pre-infected with other malware—a “triple threat” attack methodology.\r\nThe first stage of the attack starts with a weaponized Microsoft Office document—meaning it contains malicious macro code—attached to a phishing email. Once the user opens it and enables the macro, the macro runs cmd and executes a PowerShell command that attempts to download Emotet.\r\nOnce Emotet executes, it collects information on the affected system and retrieves another malicious payload—usually TrickBot—by reaching out to and downloading from a pre-configured remote malicious host.\r\nOnce a system is infected with TrickBot, the threat actors check whether it belongs to a sector they are targeting. If so, they download an additional payload and use the admin credentials stolen by TrickBot to move laterally to the assets they wish to infect.\r\nThe threat actors then check for and establish a connection with the target’s live servers via Remote Desktop Protocol (RDP). 
From there, they drop Ryuk.\r\nSymptoms of Ryuk infection\r\nSystems infected with the Ryuk ransomware display the following symptoms:\r\nPresence of ransom notes. Ryuk drops the ransom note, RyukReadMe.html or RyukReadMe.txt, in every folder where it has encrypted files.\r\nThe HTML note contains two private email addresses that affected parties can use to contact the threat actors, either to find out how much they need to pay to regain access to their encrypted files or to start the negotiation process.\r\nThe TXT ransom note, on the other hand, contains (1) explicit instructions for affected parties to read and comply with, (2) two private email addresses affected parties can contact, and (3) a Bitcoin wallet address. Although the email addresses vary, they have all been accounts hosted at Protonmail or Tutanota. It was also noted that a day after the unsealing of an indictment of two ransomware operators, Ryuk operators removed the Bitcoin address from their ransom notes, stating that it would be given to affected parties once they made contact via email.\r\nThere are usually two versions of the text ransom note: a polite version, which past research claims is comparable to BitPaymer’s because of similar phrasing, and a not-so-polite version.\r\nEncrypted files with the RYK string appended to their extensions. Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files: file contents are encrypted with AES, and the AES keys are in turn protected with RSA. 
A private key, which only the threat actor can supply, is needed to properly decrypt the files.\r\nEncrypted files have the .ryk extension appended to their file names. For example, encrypted sample.pdf and sample.mp4 files are renamed sample.pdf.ryk and sample.mp4.ryk, respectively.\r\nThis scheme is effective on the assumption that each Ryuk build is tailor-made for its target organization, so a key recovered from one victim is of no use to another.\r\nWhile Ryuk encrypts files on affected systems, it skips files with the extensions .exe, .dll, and .hrmlog (a file type associated with Hermes). Ryuk also avoids encrypting files in the following folders:\r\nAhnLab\r\nChrome\r\nMicrosoft\r\nMozilla\r\nRecycle.bin\r\nWindows\r\nProtect your system from Ryuk\r\nMalwarebytes continues to track Ryuk ransomware campaigns, protecting our business users with real-time anti-malware and anti-ransomware technology, as well as signature-less detection, which stops the attack earlier in the chain. In addition, we protect against triple threat attacks aimed at delivering Ryuk as a final payload by blocking downloads of Emotet or TrickBot.\r\nWe recommend IT administrators take the following actions to secure their environments and mitigate against Ryuk ransomware attacks:\r\nEducate every employee in the organization, including executives, on how to correctly handle suspicious emails.\r\nLimit the use of privileged accounts to a select few in the organization.\r\nDo not leave RDP sessions open; terminate them properly when finished.\r\nImplement the use of a password manager and single sign-on services for company-related accounts. 
Do away with other insecure password management practices.\r\nDeploy an authentication process (such as multi-factor authentication) that fits the organization.\r\nDisable unnecessary shared folders, so that in the event of a Ryuk ransomware attack the malware cannot use them to move laterally across the network.\r\nMake sure that all software installed on endpoints and servers is up to date and that all known vulnerabilities are patched. Pay particular attention to patching CVE-2017-0144, the SMBv1 remote code-execution vulnerability addressed by MS17-010. This will prevent TrickBot and other malware that exploit this weakness from spreading.\r\nApply attachment filtering to email messages.\r\nDisable macros across the environment.\r\nA separate list of technologies and operations that have been found effective against Ryuk ransomware attacks is linked from the original post.\r\nIndicators of Compromise (IOCs)\r\nTake note that professional cybercriminals sell Ryuk to other criminals on the black market as a toolkit from which threat actors build their own strains of the ransomware. As such, one should not be surprised by the number of Ryuk variants wreaking havoc in the wild. Below is a list of file hashes (MD5) that we have seen so far:\r\ncb0c1248d3899358a375888bb4e8f3fe\r\nd4a7c85f23438de8ebb5f8d6e04e55fc\r\n3895a370b0c69c7e23ebb5ca1598525d\r\n567407d941d99abeff20a1b836570d30\r\nc0d6a263181a04e9039df3372afb8016\r\nAs always—stay safe, everyone!\r\nAbout the author\r\nKnows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.\r\nSource: https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/"
	],
	"report_names": [
		"threat-spotlight-the-curious-case-of-ryuk-ransomware"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434567,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3fa228c10383db3494a940e77703a670313e55d.pdf",
		"text": "https://archive.orkl.eu/a3fa228c10383db3494a940e77703a670313e55d.txt",
		"img": "https://archive.orkl.eu/a3fa228c10383db3494a940e77703a670313e55d.jpg"
	}
}