
Ryuk

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[1][2][3]

ID: S0446
Type: MALWARE
Platforms: Windows
Contributors: Matt Brenton, Zurich Insurance Group; The DFIR Report
Version: 1.4
Created: 13 May 2020
Last Modified: 22 April 2025

Techniques Used

Domain  ID  Name  Use

Enterprise  T1134  Access Token Manipulation

Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[1]

Enterprise  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[1]

Enterprise  T1059.003  Command and Scripting Interpreter: Windows Command Shell

Ryuk has used cmd.exe to create a Registry entry to establish persistence.[1]

Enterprise  T1486  Data Encrypted for Impact

Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[1][4]

Enterprise  T1083  File and Directory Discovery

Ryuk has enumerated files and folders on all mounted drives.[1]

Enterprise  T1222.001  File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Ryuk can launch icacls /grant Everyone:F /T /C /Q to remove every access-based restriction on files and directories.[5]

Enterprise  T1562.001  Impair Defenses: Disable or Modify Tools

Ryuk has stopped services related to anti-virus.[2]

Enterprise  T1490  Inhibit System Recovery

Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[1]

Enterprise  T1680  Local Storage Discovery

Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.[1]

Enterprise  T1036  Masquerading

Ryuk can create .dll files that actually contain a Rich Text Format (RTF) document.[5]

Enterprise  T1036.005  Masquerading: Match Legitimate Resource Name or Location

Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[1]

Enterprise  T1106  Native API

Ryuk has used multiple native APIs including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[1]

Enterprise  T1027  Obfuscated Files or Information

Ryuk can use anti-disassembly and code transformation obfuscation techniques.[4]

Enterprise  T1057  Process Discovery

Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[1]

Enterprise  T1055  Process Injection

Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[1]

Enterprise  T1021.002  Remote Services: SMB/Windows Admin Shares

Ryuk has used the C$ network share for lateral movement.[6]

Enterprise  T1053.005  Scheduled Task/Job: Scheduled Task

Ryuk can remotely create a scheduled task to execute itself on a system.[5]

Enterprise  T1489  Service Stop

Ryuk has called kill.bat to stop services, disable services, and kill processes.[1]

Enterprise  T1614.001  System Location Discovery: System Language Discovery

Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.[1]

Enterprise  T1016  System Network Configuration Discovery

Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[1][6]

Enterprise  T1205  Traffic Signaling

Ryuk has used Wake-on-LAN to power on turned-off systems for lateral movement.[6]

Enterprise  T1078.002  Valid Accounts: Domain Accounts

Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[5]

ICS  T0828  Loss of Productivity and Revenue

An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open.[7]
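As an added example (not MITRE's code and not code from any of the cited reports), the following Python sketch shows how a defender might turn the command lines listed in the table above (vssadmin Delete Shadows /all /quiet, vssadmin resize shadowstorage, icacls /grant Everyone:F /T /C /Q, and cmd.exe writing a Run key) into process-creation detections and then correlate hits by parent process, which is what separates a ransomware precursor cluster from a lone administrator command. The flattened log format, every file path and value name, and the use of reg add for the Run-key write are assumptions; the page states only that cmd.exe created the entry.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, flattened to one "Key=Value" line
# each (loosely modelled on Sysmon Event ID 1). Every path, value name and
# parent process below is an invented placeholder, not an indicator taken from
# the cited reports.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin Delete Shadows /all /quiet "
    "ParentImage=C:\\Users\\Public\\sample-dropper.exe",
    "Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB "
    "ParentImage=C:\\Users\\Public\\sample-dropper.exe",
    "Image=C:\\Windows\\System32\\icacls.exe "
    "CommandLine=icacls \"C:\\*\" /grant Everyone:F /T /C /Q "
    "ParentImage=C:\\Users\\Public\\sample-dropper.exe",
    "Image=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=cmd.exe /c reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "/v Updater /t REG_SZ /d C:\\Users\\Public\\sample-dropper.exe "
    "ParentImage=C:\\Users\\Public\\sample-dropper.exe",
    # Benign look-alikes: listing shadows and a narrow icacls grant must not fire.
    "Image=C:\\Windows\\System32\\vssadmin.exe "
    "CommandLine=vssadmin list shadows "
    "ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\icacls.exe "
    "CommandLine=icacls C:\\Share /grant Builtin\\Users:RX "
    "ParentImage=C:\\Windows\\explorer.exe",
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str      # ATT&CK ID the behaviour maps to
    pattern: re.Pattern


# Case-insensitive command-line patterns for the behaviours described above.
RULES = [
    Rule("shadow_copy_deletion", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b.*/(all|quiet)\b", re.I)),
    Rule("shadow_storage_resize", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    Rule("icacls_everyone_full_control", "T1222.001",
         re.compile(r"\bicacls(\.exe)?\b.*/grant\s+everyone:f\b.*/t\b", re.I)),
    Rule("run_key_persistence", "T1547.001",
         re.compile(r"\breg(\.exe)?\s+add\b.*currentversion\\run\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str
    image: str
    command_line: str


# A value runs until the next " Key=" token, so command lines may contain spaces.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    """Split one flattened Key=Value event line into a dict."""
    return {key: value for key, value in _KV.findall(line)}


def scan_events(lines) -> list:
    """Return one Alert per (event, rule) pair whose command line matches."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                alerts.append(Alert(rule.name, rule.technique, event.get("Image", ""), cmd))
    return alerts


def techniques_by_parent(lines) -> dict:
    """Map each parent process image to the set of ATT&CK IDs its children triggered."""
    seen = {}
    for line in lines:
        event = parse_event(line)
        cmd = event.get("CommandLine", "")
        for rule in RULES:
            if rule.pattern.search(cmd):
                seen.setdefault(event.get("ParentImage", ""), set()).add(rule.technique)
    return seen


def suspicious_parents(lines, min_techniques: int = 2) -> list:
    """Parents whose children span several distinct techniques in one batch."""
    return sorted(parent for parent, techs in techniques_by_parent(lines).items()
                  if len(techs) >= min_techniques)


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert.technique}] {alert.rule}: {alert.command_line}")
    print("correlated parents:", suspicious_parents(SAMPLE_EVENTS))
```

A single vssadmin or icacls invocation is common administrator activity, so the per-rule alerts are best treated as telemetry; the parent-process correlation (two or more distinct techniques from one parent within a batch) is the signal worth paging on. In a real pipeline the structured fields from the EDR or Sysmon should be used directly instead of the toy Key=Value parser.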

Groups That Use This Software

References

  1. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  2. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  3. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  4. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  5. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
  6. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  7. Kelly Jackson Higgins. How a Manufacturing Firm Recovered from a Devastating Ransomware Attack. Retrieved November 3, 2019.
  8. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  9. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  10. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  11. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  12. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  13. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  14. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  15. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  16. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.