{
	"id": "ad38ca0f-a58a-4a60-b4cd-ee613600ca5b",
	"created_at": "2026-04-06T01:29:49.458642Z",
	"updated_at": "2026-04-10T03:36:10.991458Z",
	"deleted_at": null,
	"sha1_hash": "be4063ef9cbd578482a470d917240e545ca6ee1e",
	"title": "Ryuk Ransomware: The Deviance is in the Variance",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38988,
	"plain_text": "Ryuk Ransomware: The Deviance is in the Variance\r\nBy Matthew Fulmer, Manager, Cyber Intelligence Engineering\r\nPublished: 2020-11-24 · Archived: 2026-04-06 00:49:43 UTC\r\nWe have heard this story before, so I will skip the backstory about how ransomware is a giant nightmare that\r\nshows absolutely no sign of slowing down, at all. There is plenty of coverage out there pertaining to Ryuk, but\r\nless well known is that there are different variants of Ryuk and in fact different generations of Ryuk which could\r\npotentially be hitting your environment.\r\nGeneration 1 of Ryuk was, to be polite, less than intelligent. A derivative of Hermes, which at its time had its own\r\nlevel of success, Ryuk was a new variant with an added new mechanism to drop the ransom payload. For this to\r\nsucceed, the hacker groups were highly reliant on using tools they had access to, such as Trickbot, which is still\r\nconsidered a very notorious and highly successful trojan.\r\nA gen1 encryption of Ryuk was rarely found without also finding Trickbot in the environment, which meant that if\r\nyou could shut down Trickbot you would have a very good chance of not getting hit with Ryuk. Why is this\r\nthe case? Trickbot is how the group gained an initial foothold to launch their reconnaissance of the network. If the\r\ntrojan is blocked at the gates, then there is no ground to attack.\r\nA More Manual Version\r\nWhat makes gen1 of Ryuk different from other ransomware variants is the human element. Once Trickbot is on\r\nthe machine, someone needs to do the reconnaissance work to gain further access into the machine which would\r\ncause the most “impact” to the environment and thus force the hand to “guarantee” a payment.\r\nCommon targets would be critical machines such as fileservers, domain controllers, or hosting machines. 
Why\r\nwas gen1 so successful, even with the increased ability to share information pertaining to malware/ransomware\r\nand countless sites where you can see live submissions from ample sources? Plain and simple, the ripest targets\r\ntend to be the ones which administrators “exclude” from strict AV policies to minimize the impact on end-users\r\n(read: performance delays, application crashes, etc.) or in some instances have the product outright disabled.\r\nNext-Gen Ryuk\r\nNow we have the next generation of Ryuk, where its creators have gone back to school, gained advanced\r\nknowledge on how to penetrate an environment and iterated. A pattern that admins everywhere do not want to hear\r\nabout. While some things have changed (I will go over those shortly), other things have stayed the same. Basic\r\nentry to the environment still relies primarily on targeted spear-phishing and a “document” which most likely has\r\na VBA macro included, and will execute the dropper/loader the second you enable macros (or simply by opening the document,\r\nif you have content enabled by default). There is also still a possibility that Trickbot can be part of the\r\nequation (after all, if it’s not broken, don’t fix it).\r\nhttps://www.deepinstinct.com/2020/11/24/ryuk-ransomware-the-deviance-is-in-the-variance/\r\nPage 1 of 2\n\nCommon fare, many campaigns use this method. MAZE (now defunct), Ragnar, Emotet Malware, and more use\r\nthis methodology as their first phase of gaining a foothold. Part of their advanced education has taught them about\r\nsome new tools which can be leveraged, such as CobaltStrike Beacon, something commonly used during red-team\r\npenetration testing exercises because of the flexibility it gives to the one controlling the beacon (C2). 
Wizard\r\nSpider has started to rely substantially less on customized tools and instituted a new phase of living off the land,\r\nmaking their ability to laterally move once inside an environment exponentially easier.\r\nOnce they have a foothold and the C2 server in place, it’s the same fare as other ransomware attacks: leveraging\r\nthe command line and PowerShell for lateral movement and credential dumping. Unfortunately, there are not many\r\nproducts which are capable of monitoring PowerShell scripting, and substantially fewer can analyze PowerShell scripts\r\non a contextual level to allow legitimate scripts through and shut malicious scripts down.\r\nThis leaves two options: either outright block PowerShell or allow PowerShell. Neither is a great option if\r\nyou want the utmost of security and balance for your users (specifically admins) to properly manage the\r\nenvironment or complete tasks. This harkens back to admins doing anything they can to not impact their user base,\r\neven if that means lowering the security posture of the environment.\r\nAn example of what can happen when you take that lowered security stance anywhere in the enterprise is the\r\ndozens of hospitals that have been hit with generation 1 of Ryuk at the height of the Coronavirus pandemic. A\r\nterrible situation which no healthcare provider should ever be caught in the middle of.\r\nThis is where prevention becomes essential. It’s not an option anymore and no one can afford to deprioritize\r\nprevention as secondary to detecting and trying to remediate. In the case of ransomware, organizations can’t afford\r\nany risk at all: in September of 2020 a patient died due to a ransomware attack at a hospital which prevented them\r\nfrom accepting new in-patients.\r\nA colleague of mine made a video about Ryuk which shows prevention in action. In the video, the static engine\r\nbrain version 109 is used to prevent Ryuk. 
This is important to note as the 109 brain was trained and released in\r\nNovember 2018 – two years prior to infection!\r\nhttps://youtu.be/TOpIJa5Pf90\r\nThe above video helps to outline why a prevention-focused solution is absolutely necessary. The endpoint security\r\nsolution provides intelligent PowerShell script analysis that supports admins with the flexibility to do their work\r\nbut simultaneously applies a rigorous prevention method against malicious actions. Deep Instinct really is the\r\ncomplete package.\r\nSource: https://www.deepinstinct.com/2020/11/24/ryuk-ransomware-the-deviance-is-in-the-variance/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.deepinstinct.com/2020/11/24/ryuk-ransomware-the-deviance-is-in-the-variance/"
	],
	"report_names": [
		"ryuk-ransomware-the-deviance-is-in-the-variance"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438989,
	"ts_updated_at": 1775792170,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be4063ef9cbd578482a470d917240e545ca6ee1e.pdf",
		"text": "https://archive.orkl.eu/be4063ef9cbd578482a470d917240e545ca6ee1e.txt",
		"img": "https://archive.orkl.eu/be4063ef9cbd578482a470d917240e545ca6ee1e.jpg"
	}
}