- First seen: August 2018
- Aliases: Pay or Grief
- Samples:
- 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a | windows | ransom | pe
- 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2 | windows | ransom | pe
- f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0 | windows | ransom | pe
Property | Value |
---|---|
Size | 147968 bytes |
CRC32 | 0xf9137b0d |
MD5 | 89895cf4c88f13e5797aab63dddf1078 |
SHA1 | 1efc175983a17bd6c562fe7b054045d6dcb341e5 |
SHA256 | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a |
SHA512 | d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2 |
Ssdeep | 3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4 |
Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
Packer | PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-] PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32] |
TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:Ryuk-A [Trj]
+ Avira: clean
- Bitdefender: Gen:Variant.Midie.93846
- Clamav: Win.Ransomware.Ryuk-9852766-0
+ Comodo: clean
- Drweb: Trojan.Encoder.30550
- Eset: Win32/Filecoder.Ryuk.L
- Fsecure: Heuristic.HEUR/AGEN.1213034
- Kaspersky: HEUR:Trojan-Ransom.Win32.Cryptor.vho
+ Mcafee: clean
- Sophos: Troj/Ryuk-BK
- Symantec: Ransom.Ryuk
+ Trendmicro: clean
- Windefender: Ransom:Win32/Ruyk.A!ibt
Property | Value |
---|---|
Size | 393216 bytes |
CRC32 | 0x794678da |
MD5 | 5ac0f050f93f86e69026faea1fbb4450 |
SHA1 | 9709774fde9ec740ad6fed8ed79903296ca9d571 |
SHA256 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2 |
SHA512 | b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d |
Ssdeep | 6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD |
Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
Packer | PE: compiler: Microsoft Visual C/C++(2015 v.14.0)[-] PE: linker: Microsoft Linker(14.0, Visual Studio 2015 14.0*)[EXE32] |
TrID | 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1) |
- Avast: Win32:RansomX-gen [Ransom]
- Avira: TR/AD.Ryuk.mcfkb
- Bitdefender: Trojan.Ransom.Ryuk.A
- Clamav: Win.Ransomware.Ryuk-6688842-0
- Comodo: Malware
- Drweb: Trojan.Encoder.10700
- Eset: Win32/GenKryptik.CSZN
- Fsecure: Trojan.TR/AD.Ryuk.mcfkb
- Kaspersky: UDS:Trojan.Win32.Invader
- Mcafee: Ransom-Ryuk
- Sophos: Troj/Ransom-FAB
- Symantec: Trojan.Cridex
- Trendmicro: Ransom_RYUK.THHBAAH
- Windefender: Trojan:MSIL/Cryptor
Property | Value |
---|---|
Size | 385504 bytes |
CRC32 | 0xea7f4399 |
MD5 | 7d3f19b760cb1958a2c4d9ca7492c406 |
SHA1 | c3fa91438850c88c81c0712204a273e382d8fa7b |
SHA256 | f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0 |
SHA512 | 64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91 |
Ssdeep | 6144:jwHqh+1uu3RVmPY55eExdAev5wuSiRqAO1iNgLTBs4LhVJqRcelLQMo8:P+1uu3RVmPYaad5wuSiRqLNeRcZMo8 |
Magic | PE32 executable (GUI) Intel 80386, for MS Windows |
Packer | PE: compiler: Microsoft Visual C/C++(-)[-] PE: linker: Microsoft Linker(14.27**)[EXE32,signed] |
TrID | 40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
- Avast: Win32:RansomX-gen [Ransom]
- Avira: TR/Ransom.Ryuk.nmqfx
- Bitdefender: Trojan.GenericKD.34621774
- Clamav: Win.Ransomware.Ryuk-9774780-0
- Comodo: Malware
- Drweb: Trojan.Encoder.32849
- Eset: Win32/Filecoder.Ryuk.J
- Fsecure: Trojan.TR/Ransom.Ryuk.nmqfx
- Kaspersky: Trojan.Win32.Zenpak.bgcx
- Mcafee: Generic dropper.avg
- Sophos: Troj/Ryuk-BD
- Symantec: Ransom.Ryuk
- Trendmicro: Ransom.Win32.RYUK.WLDE
- Windefender: Ransom:Win32/Ryuk.G!MSR
- https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis.html
- https://community.riskiq.com/article/0bcefe76
- https://fourcore.io/blogs/ryuk-ransomware-simulation-mitre-ttp
- https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/Ryuk%20Ransomware%20-%20API%20Resolving%20and%20Imports%20reconstruction/Ryuk%20Ransomware%20-%20API%20Resolving%20and%20Imports%20reconstruction.md
- https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/
- https://heimdalsecurity.com/blog/ryuk-ransomware/
- https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/
- https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit___John_Hammond_Huntress___Analyzing_Ryuk.pdf
- https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/
- https://unit42.paloaltonetworks.com/ryuk-ransomware/
- https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://www.fortinet.com/blog/threat-research/ryuk-revisited-analysis-of-recent-ryuk-attack
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf
- https://www.researchgate.net/profile/Joshua-Smith-48/publication/351038229_Ryuk_Ransomware_Analysis/links/608096398ea909241e16c2ab/Ryuk-Ransomware-Analysis.pdf
- https://www.sentinelone.com/cybersecurity-101/ryuk-ransomware/
- https://www.sentinelone.com/labs/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/
- https://www.trendmicro.com/en_au/what-is/ransomware/ryuk-ransomware.html
- https://www.zscaler.fr/blogs/security-research/examining-ryuk-ransomware