Deep Dive Into Ryuk Ransomware
By astro
Published: 2020-11-18 · Archived: 2026-04-05 18:57:05 UTC
Hello World, This Will Probably be My First Malware Report Where I will Reverse Ryuk Ransomware. So Before
Getting into Technical Analysis and Reverse Engineering I will Provide Some Introduction to Ryuk. So let’s First
Discuss the CyberKillChain of Ryuk it goes typically like this:
1- An maldoc Contains a malicious macro that will execute PowerShell.
2- The PowerShell Command then Downloads Emotet Banking Trojan.
3- Emotet Then Downloads TrickBot
4- As A Typical Lateral Movement Activity TrickBot Downloads Ryuk
5- Ryuk Then Tries to Encrypt all the Network Hosts
However in new samples it uses BazarLoader and Cobalt Strike and it goes like this. Here I analyzed a sample not
old its from 2020 but that’s because I analyzed this sample before ryuk last attack occurred.
Press enter or click to view image in full size
Who Created It ?
So Attribution is Hard However From What I have Read Threat Intel Researches Suggest that it belongs to the
Authors of HERMES which is a Ransomware first was detected in October 2017 was then arrtributed to an APT
Group Called Lazarus Group.
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 1 of 16

In Depth Reversing:
I Used a Combination of Cutter, IDA and x64 dbg to reverse this malware so nvm xD
When Executing the Sample It Drops a Copy From its Self and Execute it using “8 lan” Command.
Press enter or click to view image in full size
By Static Code Analysis it Concats “.exe” to the name of the dropped file and executes it using ShellExecute
passing a param “8 lan” to it. this command is a hardware feauture called WoL (Wakeup On Lan) which allow a
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 2 of 16

computer to turned on by a network message. it works on a lan network. the way its executed is by the program
for our case its ryuk sends a message to all the devices on the same lan.
The Name of the Dropped Exe are Seven Random Characters.
The Malware Injects Into 4 Process taskeng.exe, host.exe, dwm.exe, ctfmon.exe
It Encrypts the Files using “RYK” Extension
The Malware Deletes Shadow Copies Using:
[+] cmd /c "WMIC.exe shadowcopy delet
[+] vssadmin.exe Delete Shadows /all /quiet
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 3 of 16

Press enter or click to view image in full size
As You Can See a Typo Found in the First Command The Author Missed ‘e’ in delete.
API Resolving:
Ryuk Uses GetProcAddress and LoadLibraryA to Resolve Its APIs
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 4 of 16

And By Using the Debugger:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 5 of 16

Due to That I don’t Know Emulation or Scripting + Scylla Didn’t Dump the process correctly I managed to
rename them manually :) here is the result:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 6 of 16

Privilege Escalation:
Ryuk Escalates Privilege by Modifying the Access Token
Press enter or click to view image in full size
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 7 of 16

Press enter or click to view image in full size
According to MSDN The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a
specified system to locally represent the specified privilege name. It Takes 3 Parameters lpSystemName, lpName,
lpLuid. What We Care About is the Second Here the Second Param is The Name of The Privilege Looked up In
this Case its “ “SeDebugPrivilege” this is used to inspect and Modify the memory of other process. This Will Be
Used For Process Injection.
Persistence:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 8 of 16

Ryuk Acheives Persistence by Adding the Path of the malware under /Run Key In the Registry Makes it Run
Every Time the User logs In It uses this Command
[+] "C:\Windows\System32\cmd.exe" REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersio
Process Injection:
First It Opens a Process
Press enter or click to view image in full size
Then It Allocates Memory in the Target Process
Next it Writes injects its Self using WriteProcessMemory and Creates a Thread to run the injected code
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 9 of 16

Press enter or click to view image in full size
Following with the debugger we can see the exectuable in the memory dump
Encryption:
Ryuk Uses AES-256 Encryption it utilizes the CryptoAPI by Microsoft. It Encrypts the Files using “.RYK”
Extension. The AES Key is Encrypted using a Public RSA Key.
Press enter or click to view image in full size
It uses a Marker “HERMES” to identify if the file is encrypted or not.
Its Uses:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 10 of 16

[+] CryptEncrypt
[+] CryptGenKey
[+] CryptDecrypt
[+] CryptAquireContextW
[+] CryptDestroyKey
[+] CryptDeriveKey
[+] CryptImportKey
Ryuk Uses MultiThreaded Approach to Encrypt the files which means it makes a thread per file which makes it
very fast. It loops Through the Files using FindFirstFileA and FindNextFileA. It Avoid Encrypting Some Files
Here is a List of Them:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 11 of 16

[+] RyukReadMe.html
[+] UNIQUE_ID_DO_NOT_REMOVE
[+] boot
[+] PUBLIC
[+] PRIVATE
[+] \Windows\
[+] sysvol
[+] netlogon
[+] bin
[+] Boot
[+] dev
[+] etc
[+] lib
[+] initrd
[+] sbin
[+] sys
[+] vmlinux
[+] run
[+] var
[+] dll
[+] lnk
[+] hrmlog
[+] ini
[+] exe
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 12 of 16

Here it builds Strings on stack for folders to avoid encrypting its files or skipping it
[+] Ahnlab
[+] Chrome
[+] Mozilla
[+] Windows
[+] $Recycle.bin
Relation to HERMES:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 13 of 16

There is two Assumptions One is that that Who Wrote Ryuk was the same who wrote HERMES or just that Ryuk
Author was having HERMES Source code. The Encryption Logic is Same as HERMES. As We Saw Ryuk Uses
AES-256 and Encrypts the KEY using RSA and that is the same in HERMES. Also Checking the Code the Author
Didn’t Change the marker of the encrypted files. This Marker is used to check if the file was encrypted or not.
Also HERMES Uses the Same Batch Script used to delete the shadows copies. Even the files/folders that are
skipped are the same.
Yara Rule:
You Can Find My YARA Rule Here Ryuk
IOCS:
SHA256:40b865d1c3ab1b8544bcf57c88edd30679870d40b27d62feb237a19f0c5f9cd1
SHA1: AD11ED52AB33AD05EB9B1E9ADE134CA1348ACC81
MD5: 484a2bcb1335ac97ee91194f4c0964bc
TTP’s:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 14 of 16

[+] Command-Line Interface T1059
Get astro’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
[+] Execution through API T1106
[+] Service Execution T1035
[+] Registry Run Keys / Startup Folder T1060
[+] Process Injection T1055
[+] Disabling Security Tools T1089
[+] File Permissions Modification T1222
[+] Modify Registry T1112
[+] Process Injection T1055
[+] Query Registry T1012
[+] System Service Discovery T1007
[+] Inhibit System Recovery T1490
[+] Access Token Manipulation T1134
[+] Process Discovery T1057
[+] Service Stop T1489
[+] Impair Defenses: Disable or Modify Tools T1562
[+] Data Encrypted for Impact T1486
List of The Commands Executed:
[+] cmd /c \"WMIC.exe shadowcopy delet\[+] icacls "C:\*" /grant Everyone:F /T /C /Q[+] vssadmin.exe D
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\
 "C:\Users\admin\AppData\Local\Temp\USvoLou.exe" /f[+] /C REG DELETE
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "svchos" /f
RansomNote:
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 15 of 16

Press enter or click to view image in full size
Refrences:
https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/
https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack
https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/
https://blog.malwarebytes.com/threat-analysis/2018/03/hermes-ransomware-distributed-to-south-koreans-via-recent-flash-zero-day/
https://app.any.run/tasks/152b6f3a-d6c9-418a-9d0d-3654e26d3117
GoodBye!
So That’s It Hope You Enjoy It I am a N00b so my mistakes are alot xD so if u have any suggestions for me feel
free to dm on twitter @astrovax
Source: https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
Page 16 of 16

   https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12 
Privilege Escalation:   
Ryuk Escalates Privilege by Modifying the Access Token
Press enter or click to view image in full size 
    Page 7 of 16