{
	"id": "d8fd63e0-43f8-48fa-a4d2-ff5393faf646",
	"created_at": "2026-04-06T00:21:04.798713Z",
	"updated_at": "2026-04-10T03:36:11.120529Z",
	"deleted_at": null,
	"sha1_hash": "afdd2e0c5d9ada220ebdebc1c0eb15d2b5db44ee",
	"title": "Nice to meet you, too. My name is Ryuk.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 240216,
	"plain_text": "Nice to meet you, too. My name is Ryuk.\r\nBy Axel Zengers\r\nPublished: 2021-02-26 · Archived: 2026-04-05 18:28:01 UTC\r\nThis work is a comprehensive analysis of the Ryuk ransomware. It is broken down into three parts:\r\nWhat are the Ryuk operators interested in?\r\nWhat tactics and tools do they typically use?\r\nHow can defenders detect those tools or tactics?\r\nFrom Netflix to your enterprise\r\nRyuk is a ransomware responsible for a third of all ransomware attacks in 2020. Ryuk is specifically used to target enterprise environments, and in recent times especially for Big Game Hunting: going after bigger, more secure targets in tailored operations to potentially extract larger ransoms. Like almost all ransomware, Ryuk’s goal is to generate as much money as possible in the shortest amount of time. According to the reports, they often succeed: the average ransom seems to be near $1 million, and the highest was $34 million in 2018.\r\nFor this, Ryuk targets huge corporations, and especially Windows assets (which represent most of their infrastructure). Clients and servers will (sadly) go the same way, regardless of their version.\r\nAt the time of writing, there is no way to decrypt Ryuk encryption. That’s because it uses the AES/RSA combo, and restoring data without the keys is impossible (unless there is a failure in the implementation).\r\nRyuk is under constant development: new modules and functionalities are added over time.\r\nHow does it operate?\r\nRyuk is most of the time delivered by TrickBot and more recently Bazar (**), so with a phishing mail (T1566).\r\n(**) These two malwares are attributed to the same group.\r\nHowever, it was also seen exploiting accessible Remote Desktop Services on targets (T1021.001).\r\nRyuk can also exploit vulnerabilities like ZeroLogon or EternalBlue to propagate itself across the network (T1210).\r\nThere is actually some work done before Ryuk is run on the victim’s infrastructure. An Active Directory reconnaissance (T1018) is done using tools like:\r\nMimikatz\r\nPowerShell PowerSploit\r\nAdFind\r\nBloodhound\r\nPsExec\r\nhttps://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/\r\nPage 1 of 11\r\nInvestigating the Active Directory is also a behavior seen for TrickBot.\r\nThe goal here for Ryuk is to have enough knowledge and privileges to impact as many hosts and shares as possible, as well as estimating the victim’s infrastructure: a big Active Directory most of the time means a big enterprise.\r\nThere are also instances where Cobalt Strike was used, as it sometimes comes with Bazar.\r\nOnce the Active Directory has delivered all of its secrets, Ryuk is executed.\r\nAbout the delivery: even when Emotet is involved, it actually delivers TrickBot, which itself delivers Ryuk. This reinforces the link between these two and the attribution to the same group: Wizard Spider.\r\nMalware Analysis\r\nI was able to find a Ryuk sample (5e1e2920736e1c00104e24ee). I will describe points that seem interesting to have in mind when dealing with Ryuk, as well as how they can be detected/mitigated.\r\nAbout Hermes: Ryuk is most likely built on the Hermes ransomware, which had its source code shared on various underground forums. That’s why you’ll see strings that relate to Hermes.\r\nDropping itself\r\nUpon launching, it copies itself into the current directory under a random 7-character name and then launches the new file with the parameters “8 Lan” (Wake On Lan).\r\nAnti everything\r\nIt then creates a thread that loops through all running processes and services and kills those which might disturb it, like Excel, backup services, virtual machines and such. The full list is in the Appendix. The goal is to make sure no file is held open in memory (T1489), as well as performing anti-VM actions (T1562.001).\r\nnet stop is used for services:\r\ntaskkill is used for processes:\r\nDetection opportunity: it’s highly suspicious that a process kills a high number of processes and/or services. Maybe some legitimate apps do it, but this behavior can be a sign of a malware trying to set up its playground.\r\nIt will also perform anti-forensics/anti-recovery by executing various commands (T1059.003 and T1490):\r\nNote the typo in the first command: there is a missing ‘e’ in ‘delete’.\r\nDetection opportunity: these kinds of commands are HIGHLY suspicious, and there should be a rule on the SIEM or EDR that monitors their usage. Also, having a lot of these commands executed in the same interval can be captured in a rule.\r\nPrivilege Escalation\r\nRyuk will check for two privileges:\r\nSeBackupPrivilege: in order to access any file and bypass ACLs\r\nSeDebugPrivilege: in order to perform the process injection\r\nIn order to do so, Ryuk opens its current thread and retrieves the thread token. It then enables the wanted privilege with the function AdjustTokenPrivileges (T1134).\r\nThe privileges will be used in the next steps.\r\nProcess Injection\r\nRyuk injects itself into multiple processes, in order to be very fast.\r\nIt enumerates running processes (T1057), checks if the process is one of csrss.exe, explorer.exe, lsass.exe or is run under NT Admin, and then injects into it using WriteProcessMemory and CreateRemoteThread (T1055).\r\nDetection opportunity: it’s pretty uncommon for a process to inject itself into another, or even to write to its memory. This kind of behavior can be detected by an EDR, or by Windows Sysmon Event ID 8, for example.\r\nEncryption\r\nThe encryption (T1486) is done with the CryptEncrypt Windows API with AES_256.\r\nAll encrypted files have the string “HERMES” at their end. It is used as a marker to know whether the file has already been encrypted. The file itself is encrypted in place, so there is no deletion involved and recovery is unlikely. A file named RyukReadMe.html is dropped in every encrypted directory.\r\nThere is a bunch of directories that are whitelisted by the malware:\r\nAs well as:\r\nChrome\r\nMozilla\r\nRecycle.bin\r\nWindows\r\nMicrosoft\r\nAhnLab\r\nAll encrypted files get the .RYK file extension appended.\r\nAny mounted drives (T1547.001) will suffer the same fate, first by having the rights set:\r\nAnd then the encryption:\r\nRyuk will also scan the ARP table in order to find any files or folders on remote hosts (T1016).\r\nPersistence\r\nIt creates a registry key named ‘svchos’ under the famous HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key (T1547.001) with the full path of the executable, using cmd.exe (T1059.003).\r\nDetection opportunity: this registry location is well known for persistence. A rule can easily be set up to monitor any suspicious addition.\r\nWhat’s next?\r\nWizard Spider seems to have built an ecosystem of malware, and continues to develop it, with the addition of Conti, a new ransomware. Some reports seem to indicate that Conti is a new version of Ryuk. Maybe that’s a question I will tackle in another analysis. For now, Ryuk is still going, and should be kept in mind.\r\nAppendix\r\nBlacklisted Processes\r\n- virtual\r\n- vmcomp\r\n- vmwp\r\n- veeam\r\n- backup\r\n- Backup\r\n- xchange\r\n- sql\r\n- dbeng\r\n- sofos\r\n- calc\r\n- ekrn\r\n- zoolz\r\n- encsvc\r\n- excel\r\n- firefoxconfig\r\n- infopath\r\n- msaccess\r\n- mspub\r\n- mydesktop\r\n- ocautoupds\r\n- ocomm\r\n- ocssd\r\n- onenote\r\n- oracle\r\n- outlook\r\n- powerpnt\r\n- sqbcoreservice\r\n- steam\r\n- synctime\r\n- tbirdconfig\r\n- thebat\r\n- thunderbird\r\n- visio\r\n- word\r\n- xfssvccon\r\n- tmlisten\r\n- PccNTMon\r\n- CNTAoSMgr\r\n- Ntrtscan\r\n- mbamtray\r\nBlacklisted Services\r\n- vmcomp\r\n- vmwp\r\n- veeam\r\n- Back\r\n- xchange\r\n- ackup\r\n- acronis\r\n- sql\r\n- Enterprise\r\n- Sophos\r\n- Veeam\r\n- AcrSch\r\n- Antivirus\r\n- Antivirus\r\n- bedbg\r\n- DCAgent\r\n- EPSecurity\r\n- EPUpdate\r\n- Eraser\r\n- EsgShKernel\r\n- FA_Scheduler\r\n- IISAdmin\r\n- IMAP4\r\n- MBAM\r\n- Endpoint\r\n- McShield\r\n- task\r\n- mfemms\r\n- mfevtp\r\n- mms\r\n- MsDts\r\n- Exchange\r\n- ntrt\r\n- PDVF\r\n- POP3\r\n- Report\r\n- RESvc\r\n- sacsvr\r\n- SAVAdmin\r\n- SamS\r\n- SDRSVC\r\n- SepMaster\r\n- Monitor\r\n- Smcinst\r\n- SmcService\r\n- SMTP\r\n- SNAC\r\n- swi\r\n- CCSF\r\n- TrueKey\r\n- tmlisten\r\n- UI0Detect\r\n- W3S\r\n- WRSVC\r\n- NetMsmq\r\n- ekrn\r\n- EhttpSrv\r\n- ESHASRV\r\n- AVP\r\n- klnagent\r\n- wbengine\r\n- KAVF\r\n- mfefire\r\nSource: https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/"
	],
	"report_names": [
		"NiceToMeetYouRyuk"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afdd2e0c5d9ada220ebdebc1c0eb15d2b5db44ee.pdf",
		"text": "https://archive.orkl.eu/afdd2e0c5d9ada220ebdebc1c0eb15d2b5db44ee.txt",
		"img": "https://archive.orkl.eu/afdd2e0c5d9ada220ebdebc1c0eb15d2b5db44ee.jpg"
	}
}