Ryuk
Ryuk is ransomware designed to target enterprise environments; it has been used in attacks since at least 2018 and shares code similarities with Hermes ransomware.[1][2][3]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134 | Access Token Manipulation | Ryuk has attempted to adjust its token privileges to have the
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ryuk has used the Windows command line to create a Registry entry under
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ryuk has used
Enterprise | T1486 | Data Encrypted for Impact | Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Each file has been encrypted with its own AES key and given the file extension .RYK. A ransom note named RyukReadMe.txt has been written into each encrypted directory.[1]
Enterprise | T1083 | File and Directory Discovery | Ryuk has called
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools |
Enterprise | T1490 | Inhibit System Recovery | Ryuk has used
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ryuk has constructed legitimate-appearing installation folder paths by calling
Enterprise | T1106 | Native API | Ryuk has used multiple native APIs including
Enterprise | T1057 | Process Discovery | Ryuk has called
Enterprise | T1055 | Process Injection | Ryuk has injected itself into remote processes to encrypt files using a combination of
Enterprise | T1489 | Service Stop | Ryuk has called
Enterprise | T1016 | System Network Configuration Discovery | Ryuk has called
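The T1486 row gives two filesystem indicators a responder can act on during triage: encrypted files carry the .RYK extension, and each encrypted directory receives a RyukReadMe.txt ransom note. The following script is an added example (not ATT&CK's or any vendor's tooling) that groups the files under a share by directory and reports which directories show either indicator, so the blast radius of an incident can be scoped quickly. The sample path list, the share layout and the function names are constructed for illustration; only the two indicators come from the entry.

```python
"""Scope a Ryuk (T1486) incident from filesystem indicators named in the
ATT&CK entry: .RYK file extension and a RyukReadMe.txt note per directory.

Added example for illustration; not part of the ATT&CK page or any vendor
tool. The share paths below are constructed sample data.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".ryk"           # from the entry: encrypted files renamed to .RYK
RANSOM_NOTE = "ryukreadme.txt"   # from the entry: note dropped in each directory

# Constructed sample paths standing in for a scanned file share (not real data).
SAMPLE_PATHS = [
    "/srv/share/finance/q3-report.xlsx.RYK",
    "/srv/share/finance/budget.docx.RYK",
    "/srv/share/finance/RyukReadMe.txt",
    "/srv/share/hr/RyukReadMe.txt",       # note present, nothing encrypted yet
    "/srv/share/public/readme.txt",
    "/srv/share/public/logo.png",
]


@dataclass
class DirFinding:
    """Indicators observed in one directory."""
    directory: str
    encrypted_files: list[str] = field(default_factory=list)
    ransom_note: bool = False


def classify_paths(paths: list[str]) -> dict[str, DirFinding]:
    """Group file paths by directory and record the T1486 indicators.

    Returns only directories that show at least one indicator, so a clean
    share yields an empty dict. Matching is case-insensitive because the
    extension and note name are observed with varying case on disk.
    """
    findings: dict[str, DirFinding] = {}
    for path in paths:
        directory, name = os.path.split(path)
        finding = findings.setdefault(directory, DirFinding(directory))
        lower = name.lower()
        if lower.endswith(ENCRYPTED_EXT):
            finding.encrypted_files.append(name)
        elif lower == RANSOM_NOTE:
            finding.ransom_note = True
    return {d: f for d, f in findings.items()
            if f.encrypted_files or f.ransom_note}


def summarize(findings: dict[str, DirFinding]) -> dict[str, int]:
    """Roll the per-directory findings up into incident-scoping counts."""
    return {
        "directories": len(findings),
        "encrypted_files": sum(len(f.encrypted_files) for f in findings.values()),
        "ransom_notes": sum(1 for f in findings.values() if f.ransom_note),
    }


def scan_tree(root: str) -> dict[str, DirFinding]:
    """Walk a real directory tree and classify everything found under it."""
    paths = [os.path.join(dirpath, name)
             for dirpath, _dirs, files in os.walk(root)
             for name in files]
    return classify_paths(paths)


if __name__ == "__main__":
    # With a path argument, scan that tree; otherwise use the constructed sample.
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else classify_paths(SAMPLE_PATHS)
    for d, f in sorted(result.items()):
        note = "note present" if f.ransom_note else "no note"
        print(f"{d}: {len(f.encrypted_files)} encrypted file(s), {note}")
    print(summarize(result))
```

A directory that holds the ransom note but no .RYK files (the hr directory in the sample) is still reported, since it marks a location the ransomware reached; conversely, the absence of both indicators is not proof a directory is untouched, so the output scopes the visible damage rather than clearing hosts.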
Groups That Use This Software
ID | Name | References
---|---|---
G0102 | Wizard Spider |
G0037 | FIN6 |
References
1. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
2. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
3. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
4. Donohue, B., Nickels, K., Michaud, P., Bodkins, A., Chapman, T., Lambert, T., Felling, J., Rainey, K., Haag, M., Graeber, M., Didier, A. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
5. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
6. Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
7. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.
8. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
9. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
10. Gallagher, S., Mackenzie, P., Leite, E., Shahram, S., Kearney, B., Aijan, A., Gn, S., Mundalik, S. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.