Ryuk
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Ryuk has used the Windows command line to create a Registry entry under
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Ryuk has used
Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | Ryuk can launch
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Ryuk has stopped services related to anti-virus. (Citation: FireEye Ryuk and Trickbot January 2019)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Ryuk has constructed legitimate-appearing installation folder paths by calling
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Ryuk has used the C$ network share for lateral movement. (Citation: Bleeping Computer - Ryuk WoL)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Ryuk can remotely create a scheduled task to execute itself on a system. (Citation: ANSSI RYUK RANSOMWARE)
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Ryuk has been observed to query the registry key
Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Ryuk can use stolen domain admin accounts to move laterally within a victim domain. (Citation: ANSSI RYUK RANSOMWARE)
Groups That Use This Software

ID | Name | References
---|---|---
G0102 | Wizard Spider | (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: CrowdStrike Ryuk January 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Sophos New Ryuk Attack October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020)
G0037 | FIN6 | (Citation: FireEye FIN6 Apr 2019)
References
- Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
- Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
- Donohue, B., Nickels, K., Michaud, P., Bodkins, A., Chapman, T., Lambert, T., Felling, J., Rainey, K., Haag, M., Graeber, M., Didier, A. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- Podlosky, A., Hanel, A., et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- Gallagher, S., Mackenzie, P., Leite, E., Shahram, S., Kearney, B., Aijan, A., Gn, S., Mundalik, S. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
- The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.