{
	"id": "0077fcf0-5766-4855-8c9f-4441356cc9f0",
	"created_at": "2026-04-06T00:13:42.07191Z",
	"updated_at": "2026-04-10T03:38:20.657877Z",
	"deleted_at": null,
	"sha1_hash": "f28d7b3a2e0ceb29cf660a926366383da07cd1eb",
	"title": "Ryuk explained: Targeted, devastatingly effective ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64547,
	"plain_text": "Ryuk explained: Targeted, devastatingly effective ransomware\r\nBy Lucian Constantin CSO Senior Writer\r\nPublished: 2021-03-19 · Archived: 2026-04-05 18:48:56 UTC\r\nRyuk ransomware attacks are targeted to the most vulnerable, most likely to pay\r\ncompanies and are often paired with other malware such as TrickBot.\r\nWhat is Ryuk?\r\nRyuk is a sophisticated ransomware threat that has been targeting businesses, hospitals, government institutions\r\nand other organizations since 2018. The group behind the malware is known for using manual hacking techniques\r\nand open-source tools to move laterally through private networks and gain administrative access to as many\r\nsystems as possible before initiating the file encryption.\r\nRyuk’s history and success\r\nRyuk first appeared in August 2018 but is based on an older ransomware program called Hermes that was sold on\r\nunderground cybercrime forums in 2017. Hermes was used by the North Korean state-sponsored Lazarus Group in\r\nan attack against the Taiwanese Far Eastern International Bank (FEIB) in October 2017, which led to reports that\r\nHermes, and later Ryuk, were created by North Korean hackers.\r\nSeveral security companies later disproved those claims and Ryuk is now generally believed to be the creation of a\r\nRussian-speaking cybercriminal group that obtained access to Hermes, just like Lazarus likely did. The Ryuk gang\r\nis tracked by some security companies as Wizard Spider or Grim Spider and is the same group that operates\r\nTrickBot, a much older and active credential theft Trojan program that has a relationship with Ryuk. Other\r\nresearchers believe that Ryuk could be the creation of the original Hermes author or authors operating under the\r\nhandle CryptoTech, who simply stopped selling their ransomware publicly after developing an improved version.\r\nThe Ryuk attackers demand higher ransom payments from their victims compared to many other ransomware\r\ngangs. 
The ransom amounts associated with Ryuk typically range between 15 and 50 Bitcoins, or roughly between\r\n$100,000 and $500,000, although higher payments have reportedly been paid. Because the attackers go after\r\norganizations with critical assets that are more likely to pay, a technique the security industry calls “big game\r\nhunting,” the Ryuk gang is very successful at monetizing their campaigns.\r\nIn a presentation at the RSA Conference 2020, Joel DeCapua, a supervisory special agent with the FBI’s Global\r\nOperations and Targeting Unit, revealed that organizations paid $144.35 million in bitcoin to ransomware groups\r\nbetween 2013 and 2019. The data doesn’t include ransom payments in cryptocurrencies other than BTC. Of those\r\npayments, $61.26 million were sent to the Ryuk gang and the sum is almost three times larger than what\r\nCrysis/Dharma, the second most successful ransomware gang on DeCapua’s list, managed to extract from victims\r\nin three years of operation.\r\nhttps://www.csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html\r\nPage 1 of 4\n\nRyuk distribution and attack chain\r\nRyuk is almost exclusively distributed through TrickBot or follows an infection with the Trojan. However, not all\r\nTrickBot infections lead to Ryuk. When they do, the deployment of Ryuk happens weeks after TrickBot first\r\nshows up on a network. 
This is likely because attackers use the data collected by TrickBot to identify potentially\r\nvaluable networks for Ryuk.\r\nThe target selection is followed by manual hacking activities that involve network reconnaissance and lateral\r\nmovement with the goal of compromising domain controllers and gaining access to as many systems as possible.\r\nThis ensures that when Ryuk is deployed, the damage is swift and widespread across the network, which is more\r\nlikely to force an organization’s hand than holding just a few of its endpoints hostage.\r\nMicrosoft refers to Ryuk as a human-operated ransomware attack, and it’s part of a larger trend of ransomware\r\ngangs adopting highly targeted and stealthy techniques that were primarily associated with advanced persistent\r\nthreat (APT) groups in the past. This includes relying on open-source tools and existing system administration\r\nutilities to evade detection, a technique known as living off the land.\r\nFollowing a TrickBot infection and the identification of an interesting target, the Ryuk gang deploys post-exploitation frameworks such as Cobalt Strike or PowerShell Empire that allow them to perform malicious actions\r\non computers without triggering security alerts. PowerShell is a scripting language meant for system\r\nadministration that leverages the Windows Management Instrumentation (WMI) API and is enabled by default on\r\nWindows computers. Its powerful features and widespread availability on computers have made it a popular\r\nchoice for hackers to abuse.\r\nThe Ryuk attackers also use the open-source LaZagne tool to steal credentials stored on compromised computers\r\nand BloodHound, a tool that allows penetration testers to analyze and reveal potentially exploitable relationships\r\nthat exist in Active Directory environments. 
The end goal of the Ryuk attackers is to identify domain controllers\r\nand gain administrative access to them, which then gives them power over the entire network.\r\n“In our investigations, we found that [Ryuk] activation occurs on TrickBot implants of varying ages, indicating\r\nthat the human operators behind Ryuk likely have some sort of list of check-ins and targets for deployment of the\r\nransomware,” Microsoft researchers said in an analysis of human-operated ransomware attacks. “In many cases,\r\nhowever, this activation phase comes well after the initial TrickBot infection, and the eventual deployment of a\r\nransomware payload may happen weeks or even months after the initial infection.”\r\nTrickBot itself remains one of the most prevalent Trojans and is distributed through malicious spam emails but is\r\nalso delivered by another widespread Trojan program called Emotet. While the relationships between Ryuk,\r\nTrickBot and Emotet are not completely clear, over the years Emotet evolved into a malware distribution platform\r\nthat’s used by many cybercriminal groups. TrickBot is believed to follow a similar malware-as-a-service (MaaS)\r\nmodel, but is only available to a relatively small number of top-tier cybercriminals, according to a recent report by\r\ncybercrime intelligence firm Intel 471.\r\nThe US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about an increase in targeted\r\nEmotet malware attacks. 
The agency has maintained an advisory about Emotet since 2018, including a set of\r\nrecommendations for protecting against the threat.\r\nThe group behind Ryuk used to deploy the final ransomware payload manually, but according to a report from\r\nCERT-FR, a more recent Ryuk variant contains code that allows it to spread to other computers on the local\r\nnetwork automatically once the attackers obtain a privileged account on the domain.\r\nThe program first generates a list with every possible IP address on the local network and then sends an ICMP\r\nping to them to discover which are reachable. It then lists the file sharing resources available on the online\r\nmachines, mounts those resources and encrypts their contents. At the same time, it copies itself to those file shares\r\nand uses the privileged domain account credentials to set up a scheduled task on the remote computers to execute\r\nthe copied version of itself.\r\nThe code doesn’t check if a computer has already been infected, so the malware keeps reinfecting systems. This\r\ncannot be stopped if the password for the compromised domain account is changed or if the account is disabled, as\r\nlong as Kerberos tickets remain active. To stop the propagation, the password for the KRBTGT user account needs\r\nto be changed twice to force a password history clean. This action might create some disturbances on the domain\r\nthat require systems to be rebooted, but would also stop the ransomware propagation, CERT-FR said in its report.\r\nThe Ryuk encryption routine\r\nRyuk has diverged over time from the original Hermes code base. Some features such as the anti-forensics or\r\npersistence mechanisms have been reimplemented, simplified or removed. 
After all, a ransomware program that’s\r\nmanually deployed inside an environment where attackers already have administrative control over systems does\r\nnot need the same self-protection features as ransomware programs that rely on automated propagation. Ryuk is\r\nalso not as selective in the files it encrypts as other ransomware.\r\nOnce deployed, Ryuk encrypts all files except for those with the extensions dll, lnk, hrmlog, ini and exe. It also\r\nskips files stored in the Windows System32, Chrome, Mozilla, Internet Explorer and Recycle Bin directories.\r\nThese exclusion rules are likely meant to preserve system stability and allow the victim to use a browser to make\r\npayments.\r\nRyuk uses strong file encryption based on AES-256. The encryption keys are stored at the end of the encrypted\r\nfiles, which have their extension changed to .ryk. The AES keys are encrypted with an RSA-4096 public/private\r\nkey pair that is controlled by the attackers. The whole process is a bit more complex and involves several keys\r\nbeing encrypted with other keys, but the result is that each Ryuk executable is tailor-made for each specific victim\r\n— even if used on multiple systems — and uses a private key generated by the attackers for that specific victim.\r\nThis means that even if the private RSA key associated with one victim is published, it can’t be used to decrypt\r\nfiles belonging to other victims.\r\nNo publicly available tool can decrypt Ryuk files without paying the ransom, and researchers warn that even the\r\ndecryptor provided by the Ryuk attackers to paying victims can sometimes corrupt files. That usually happens on\r\nlarger files where Ryuk intentionally performs only a partial encryption to save time. Furthermore, despite the\r\nwhitelisting of certain system files and directories, Ryuk can still encrypt files that are critical for the system’s\r\nnormal operation, which sometimes results in unbootable systems after they are restarted. 
All these issues can\r\ncomplicate the recovery efforts and increase the cost incurred by victims as a result of Ryuk attacks.\r\nLike most ransomware programs, Ryuk attempts to delete volume shadow copies to prevent data recovery through\r\nalternative means. It also contains a kill.bat script that disables various services including network backups and\r\nWindows Defender antivirus.\r\nProtecting against Ryuk\r\nWhile organizations can put in place specific technical controls to reduce the likelihood of Ryuk infections,\r\ndefending against human-operated ransomware attacks in general requires correcting some bad practices among\r\nIT administrators.\r\n“Some of the most successful human-operated ransomware campaigns have been against servers that have\r\nantivirus software and other security intentionally disabled, which admins may do to improve performance,”\r\nMicrosoft said. “Many of the observed attacks leverage malware and tools that are already detected by antivirus.\r\nThe same servers also often lack firewall protection and MFA, have weak domain credentials, and use non-randomized local admin passwords. Oftentimes these protections are not deployed because there is a fear that\r\nsecurity controls will disrupt operations or impact performance. IT pros can help with determining the true impact\r\nof these settings and collaborate with security teams on mitigations. Attackers are preying on settings and\r\nconfigurations that many IT admins manage and control. Given the key role they play, IT pros should be part of\r\nsecurity teams.”\r\nSecurity teams should also take what are seemingly rare and isolated infections with commodity malware much\r\nmore seriously. As Ryuk demonstrates, common threats like Emotet and TrickBot rarely come alone and can be a\r\nsign of much deeper problems. 
Simply removing common malware from a system without performing further\r\ninvestigations can have disastrous consequences a few weeks later.\r\n“Commodity malware infections like Emotet, Dridex and Trickbot should be remediated and treated as a potential\r\nfull compromise of the system, including any credentials present on it,” Microsoft warned.\r\nAddressing the infrastructure weaknesses that allowed the malware to get in and propagate in the first place is also\r\ncritically important, as well as hardening the network against lateral movement by practicing good credential\r\nhygiene and enforcing least-privilege access. Restricting unnecessary SMB traffic between endpoints and limiting\r\nthe use of administrative credentials can also have a big impact on making the network more resilient against\r\nhuman-operated attack campaigns. The Microsoft advisory contains additional technical recommendations.\r\nEditor’s note: This article, originally published in May 2020, has been updated to include information on a new\r\nRyuk variant discovered by CERT-FR.\r\nSource: https://www.csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.csoonline.com/article/3541810/ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html"
	],
	"report_names": [
		"ryuk-ransomware-explained-a-targeted-devastatingly-effective-attack.html"
	],
	"threat_actors": [
		{
			"id": "12211366-1f14-4eed-9d91-46b6a2ede618",
			"created_at": "2025-08-07T02:03:25.014713Z",
			"updated_at": "2026-04-10T02:00:03.624097Z",
			"deleted_at": null,
			"main_name": "GOLD ULRICK",
			"aliases": [
				"Grim Spider ",
				"UNC1878 "
			],
			"source_name": "Secureworks:GOLD ULRICK",
			"tools": [
				"Bloodhound",
				"Buer Loader",
				"Cobalt Strike",
				"Conti",
				"Diavol",
				"PowerShell Empire",
				"Ryuk",
				"SystemBC",
				"Team9 (aka BazarLoader)",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8492b1a0-126f-4113-b8f7-101d28559629",
			"created_at": "2023-01-06T13:46:38.864213Z",
			"updated_at": "2026-04-10T02:00:03.126178Z",
			"deleted_at": null,
			"main_name": "GRIM SPIDER",
			"aliases": [
				"GOLD ULRICK"
			],
			"source_name": "MISPGALAXY:GRIM SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775792300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f28d7b3a2e0ceb29cf660a926366383da07cd1eb.pdf",
		"text": "https://archive.orkl.eu/f28d7b3a2e0ceb29cf660a926366383da07cd1eb.txt",
		"img": "https://archive.orkl.eu/f28d7b3a2e0ceb29cf660a926366383da07cd1eb.jpg"
	}
}