Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент Ryuk
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
Ryuk
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Ryuk

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)
ID: S0446
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 13 May 2020
Last Modified: 24 May 2022

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.(Citation: CrowdStrike Ryuk January 2019)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Ryuk has used cmd.exe to create a Registry entry to establish persistence.(Citation: CrowdStrike Ryuk January 2019)
Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Ryuk can launch icacls /grant Everyone:F /T /C /Q to delete every access-based restrictions on files and directories.(Citation: ANSSI RYUK RANSOMWARE)
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ryuk has stopped services related to anti-virus.(Citation: FireEye Ryuk and Trickbot January 2019)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.(Citation: CrowdStrike Ryuk January 2019)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Ryuk has used the C$ network share for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Ryuk can remotely create a scheduled task to execute itself on a system.(Citation: ANSSI RYUK RANSOMWARE)
Enterprise T1614 .001 System Location Discovery: System Language Discovery

Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.(Citation: CrowdStrike Ryuk January 2019)
Enterprise T1078 .002 Valid Accounts: Domain Accounts

Ryuk can use stolen domain admin accounts to move laterally within a victim domain.(Citation: ANSSI RYUK RANSOMWARE)

Groups That Use This Software
ID Name References
G0102 Wizard Spider

(Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: CrowdStrike Ryuk January 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Sophos New Ryuk Attack October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020)

G0037 FIN6

(Citation: FireEye FIN6 Apr 2019)

References

  1. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  2. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  4. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  5. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
  6. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  7. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  8. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  9. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  10. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  11. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  12. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  13. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.