{
	"id": "b1095eaa-1e8d-4504-9d30-55c115e38f1b",
	"created_at": "2026-04-06T00:09:54.786827Z",
	"updated_at": "2026-04-10T03:38:20.500118Z",
	"deleted_at": null,
	"sha1_hash": "bc11d81bbfcfdf0ef27a55567ebcaed7120bdffc",
	"title": "Deep Dive Into Ryuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3519206,
	"plain_text": "Deep Dive Into Ryuk Ransomware\r\nBy astro\r\nPublished: 2020-11-18 · Archived: 2026-04-05 18:57:05 UTC\r\nHello World, this will probably be my first malware report, where I reverse Ryuk ransomware. Before getting into the technical analysis and reverse engineering I will provide some introduction to Ryuk. So let’s first discuss the cyber kill chain of Ryuk; it typically goes like this:\r\n1- A maldoc contains a malicious macro that executes PowerShell.\r\n2- The PowerShell command then downloads the Emotet banking trojan.\r\n3- Emotet then downloads TrickBot.\r\n4- As a typical lateral movement activity, TrickBot downloads Ryuk.\r\n5- Ryuk then tries to encrypt all the network hosts.\r\nHowever, newer samples use BazarLoader and Cobalt Strike instead. The sample I analyzed here is not old, it is from 2020, but I analyzed it before the last Ryuk attack occurred.\r\nWho Created It?\r\nAttribution is hard. However, from what I have read, threat intel researchers suggest that it belongs to the authors of HERMES, a ransomware first detected in October 2017 that was then attributed to an APT group called Lazarus Group.\r\nhttps://medium.com/ax1al/reversing-ryuk-eef8ffd55f12\r\nPage 1 of 16\r\nIn Depth Reversing:\r\nI used a combination of Cutter, IDA and x64dbg to reverse this malware, so nvm xD\r\nWhen executing the sample, it drops a copy of itself and executes it using the “8 lan” command.\r\nBy static code analysis it concatenates “.exe” to the name of the dropped file and executes it using ShellExecute, passing the parameter “8 lan” to it. This command is a hardware feature called WoL (Wake-on-LAN), which allows a computer to be turned on by a network message. It works on a LAN network. The way it is executed is that the program, in our case Ryuk, sends a message to all the devices on the same LAN.\r\nThe name of the dropped exe is seven random characters.\r\nThe malware injects into 4 processes: taskeng.exe, host.exe, dwm.exe, ctfmon.exe.\r\nIt encrypts the files using the “RYK” extension.\r\nThe malware deletes shadow copies using:\r\n[+] cmd /c \"WMIC.exe shadowcopy delet\r\n[+] vssadmin.exe Delete Shadows /all /quiet\r\nAs you can see, there is a typo in the first command: the author missed the ‘e’ in delete.\r\nAPI Resolving:\r\nRyuk uses GetProcAddress and LoadLibraryA to resolve its APIs.\r\nAnd by using the debugger:\r\nBecause I don’t know emulation or scripting, and Scylla didn’t dump the process correctly, I renamed them manually :) here is the result:\r\nPrivilege Escalation:\r\nRyuk escalates privilege by modifying the access token.\r\nAccording to MSDN, the LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name. It takes 3 parameters: lpSystemName, lpName, lpLuid. What we care about is the second one: it is the name of the privilege being looked up, in this case “SeDebugPrivilege”, which is used to inspect and modify the memory of other processes. This will be used for process injection.\r\nPersistence:\r\nRyuk achieves persistence by adding the path of the malware under the Run key in the registry, which makes it run every time the user logs in. It uses this command:\r\n[+] \"C:\\Windows\\System32\\cmd.exe\" REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersio\r\nProcess Injection:\r\nFirst it opens a process.\r\nThen it allocates memory in the target process.\r\nNext it writes (injects) itself using WriteProcessMemory and creates a thread to run the injected code.\r\nFollowing with the debugger we can see the executable in the memory dump.\r\nEncryption:\r\nRyuk uses AES-256 encryption; it utilizes the CryptoAPI by Microsoft. It encrypts the files using the “.RYK” extension. The AES key is encrypted using a public RSA key.\r\nIt uses a marker, “HERMES”, to identify whether a file is already encrypted or not.\r\nIt uses:\r\n[+] CryptEncrypt\r\n[+] CryptGenKey\r\n[+] CryptDecrypt\r\n[+] CryptAcquireContextW\r\n[+] CryptDestroyKey\r\n[+] CryptDeriveKey\r\n[+] CryptImportKey\r\nRyuk uses a multithreaded approach to encrypt the files, which means it creates a thread per file, which makes it very fast. It loops through the files using FindFirstFileA and FindNextFileA. It avoids encrypting some files; here is a list of them:\r\n[+] RyukReadMe.html\r\n[+] UNIQUE_ID_DO_NOT_REMOVE\r\n[+] boot\r\n[+] PUBLIC\r\n[+] PRIVATE\r\n[+] \\Windows\\\r\n[+] sysvol\r\n[+] netlogon\r\n[+] bin\r\n[+] Boot\r\n[+] dev\r\n[+] etc\r\n[+] lib\r\n[+] initrd\r\n[+] sbin\r\n[+] sys\r\n[+] vmlinux\r\n[+] run\r\n[+] var\r\n[+] dll\r\n[+] lnk\r\n[+] hrmlog\r\n[+] ini\r\n[+] exe\r\nHere it builds strings on the stack for the folders whose files it avoids encrypting (it skips them):\r\n[+] Ahnlab\r\n[+] Chrome\r\n[+] Mozilla\r\n[+] Windows\r\n[+] $Recycle.bin\r\nRelation to HERMES:\r\nThere are two assumptions: one is that whoever wrote Ryuk also wrote HERMES, the other is simply that the Ryuk author had the HERMES source code. The encryption logic is the same as HERMES. As we saw, Ryuk uses AES-256 and encrypts the key using RSA, and that is the same in HERMES. Also, checking the code, the author didn’t change the marker of the encrypted files. This marker is used to check whether the file was encrypted or not. HERMES also uses the same batch script to delete the shadow copies. Even the files/folders that are skipped are the same.\r\nYara Rule:\r\nYou can find my YARA rule here: Ryuk\r\nIOCs:\r\nSHA256: 40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1\r\nSHA1: AD11ED52AB33AD05EB9B1E9ADE134CA1348ACC81\r\nMD5: 484a2bcb1335ac97ee91194f4c0964bc\r\nTTPs:\r\n[+] Command-Line Interface T1059\r\n[+] Execution through API T1106\r\n[+] Service Execution T1035\r\n[+] Registry Run Keys / Startup Folder T1060\r\n[+] Process Injection T1055\r\n[+] Disabling Security Tools T1089\r\n[+] File Permissions Modification T1222\r\n[+] Modify Registry T1112\r\n[+] Query Registry T1012\r\n[+] System Service Discovery T1007\r\n[+] Inhibit System Recovery T1490\r\n[+] Access Token Manipulation T1134\r\n[+] Process Discovery T1057\r\n[+] Service Stop T1489\r\n[+] Impair Defenses: Disable or Modify Tools T1562\r\n[+] Data Encrypted for Impact T1486\r\nList of the commands executed:\r\n[+] cmd /c \"WMIC.exe shadowcopy delet\r\n[+] icacls \"C:\\*\" /grant Everyone:F /T /C /Q\r\n[+] vssadmin.exe D\r\n[+] REG ADD \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"svchos\" /t REG_SZ /d \"C:\\Users\\admin\\AppData\\Local\\Temp\\USvoLou.exe\" /f\r\n[+] /C REG DELETE \"HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" /v \"svchos\" /f\r\nRansom Note:\r\nReferences:\r\nhttps://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/\r\nhttps://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack\r\nhttps://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/\r\nhttps://app.any.run/tasks/152b6f3a-d6c9-418a-9d0d-3654e26d3117\r\nGoodbye!\r\nSo that’s it, I hope you enjoyed it. I am a n00b so my mistakes are a lot xD, so if u have any suggestions for me feel free to DM me on Twitter @astrovax\r\nSource: https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12"
	],
	"report_names": [
		"reversing-ryuk-eef8ffd55f12"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bc11d81bbfcfdf0ef27a55567ebcaed7120bdffc.pdf",
		"text": "https://archive.orkl.eu/bc11d81bbfcfdf0ef27a55567ebcaed7120bdffc.txt",
		"img": "https://archive.orkl.eu/bc11d81bbfcfdf0ef27a55567ebcaed7120bdffc.jpg"
	}
}