{"id":7551,"date":"2021-04-16T20:38:37","date_gmt":"2021-04-17T03:38:37","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7551"},"modified":"2023-04-05T12:40:31","modified_gmt":"2023-04-05T19:40:31","slug":"all-about-ryuk-ransomware","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/all-about-ryuk-ransomware\/","title":{"rendered":"All About Ryuk Ransomware"},"content":{"rendered":"<blockquote>\n<p dir=\"ltr\"><span style=\"font-size: 20px;\">Did you know that in 2020 Ryuk ransomware targeted 67.3 million targets?<\/span><\/p>\n<\/blockquote>\n<h2 dir=\"ltr\">What is Ryuk?<\/h2>\n<p dir=\"ltr\">Ryuk is a crypto-ransomware strain that encrypts access to a system, device or a file and demands ransom to release it. Ryuk is unleashed on target assets through malware, notably TrickBot and is used to gain access to a system through remote desktop services.<\/p>\n<p dir=\"ltr\">Ryuk typically targets vulnerable organizations or critical entities like hospitals where the probability of ransom payout is high. And since the ransom is their primary motive they demand more than any other ransomware threat group. The ransom amount oscillates between $100,00 to $500,00 in bitcoins and they are very successful in their campaigns because they select high-profile targets for whom data and information is sacrosanct and hence the chance of the payout is high.<\/p>\n<p dir=\"ltr\">Ryuk debuted in mid-August 2018 and was being operated by Wizard Spider, a sophisticated group that targeted large organizations with critical and sensitive data for high ransom payouts.<\/p>\n<p dir=\"ltr\">The creation of Ryuk is generally attributed to a cybercriminal group known as CryptoTech who were selling Hermes 2.1 in underground forums but there are researchers who believe that it was created by the Russian cyber criminal cartel.<\/p>\n<h2 dir=\"ltr\">New Variant<\/h2>\n<p dir=\"ltr\">Researchers noted that since July 2020, a new variant called Conti has been making the rounds. The consensus among security experts is that Ryuk threat actors have rebranded themselves as Conti ransomware.<\/p>\n<p dir=\"ltr\">Conti is a private Ransomware as a Service (RaaS) that encrypts files and delivers the ransom note.<\/p>\n<p dir=\"ltr\">The converging similarities in Ryuk and Conti can be seen through features &#8211;<\/p>\n<ul>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Encrypts files stored on network<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Disables backup and OS services<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Can be manually deployed<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Infects local disks<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Linked to same developer group based on the malware code<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">AES-256 encryption key being used<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Same ransom text template is observed<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Both use TrickBot framework<\/p>\n<\/li>\n<\/ul>\n<h2 dir=\"ltr\">How does Ryuk attack?<\/h2>\n<p dir=\"ltr\">Ryuk is primarily spread through malware that drops the ransomware on the existing infected system. Here is how it attacks &#8211;<\/p>\n<p dir=\"ltr\"><img decoding=\"async\" style=\"width: 900px; height: 416px;\" src=\"https:\/\/cybersecurityworks.com\/howdymanage\/uploads\/image\/blogs\/ryuk-attack-methodology1.png\" alt=\"\" \/><\/p>\n<p dir=\"ltr\">Once the files in the system are encrypted it will create the ransom note, &#8220;RyukReadMe.txt&#8221; and place it in every folder.<\/p>\n<p dir=\"ltr\"><b id=\"docs-internal-guid-55569862-7fff-e6fe-c93e-8e7744564484\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/RW0QbBBkb9DT4P5o2LUNnfxUcZvJD4pUgNtKst8H1cRwMBaYlCWRKxLTTX_GpkNyZKKVyqZnihYhe5IMZYNEP8imFnCOxDHCKKDcWnekxoe2LpoMX3S6_zdfUIdmc9LHNN_E7DmeegOsPhKPN2I8sw\" width=\"602\" height=\"420\" \/><\/b><\/p>\n<h2 dir=\"ltr\">Ryuk MITRE ATT&amp;CK Mapping<\/h2>\n<table style=\"width: 100%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<th style=\"text-align: center; vertical-align: middle;\" scope=\"col\"><span style=\"font-size: 12px;\">ATT&amp;CK Tactic Category<\/span><\/th>\n<th style=\"white-space: nowrap; text-align: center; vertical-align: middle;\" scope=\"col\"><span style=\"font-size: 12px;\">Techniques<\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Privilege Escalation<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1134 &#8211; Access Token Manipulation<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Persistence<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1547 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\" rel=\"unfollow\">Boot or Logon Autostart\u00a0\u00a0\u00a0<\/a><\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\">Execution<\/a>: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\" rel=\"unfollow\">Registry Run Keys<\/a><\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\/<a href=\"https:\/\/attack.mitre.org\/techniques\/T1547\/001\" rel=\"unfollow\">Startup Folder<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1059 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\" rel=\"unfollow\">Command and Scripting\u00a0<\/a><\/span><\/p>\n<p dir=\"ltr\"><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\" rel=\"unfollow\">Interpreter<\/a>: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/003\" rel=\"unfollow\">Windows Command\u00a0<\/a><\/span><\/p>\n<p><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1059\/003\">Shell<\/a><\/span><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Impact<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1486 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1486\" rel=\"unfollow\">Data Encrypted for Impact<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1490 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1490\" rel=\"unfollow\">Inhibit System Recovery<\/a><\/span><\/p>\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1489 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1489\" rel=\"unfollow\">Service Stop<\/a><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Discovery<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1083 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1083\" rel=\"unfollow\">File and Directory Discovery<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1057 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1057\" rel=\"unfollow\">Process Discovery<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1016 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1016\" rel=\"unfollow\">System Network Configuration\u00a0Discovery<\/a><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Defense Evasion<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1562 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\" rel=\"unfollow\">Impair Defenses<\/a>: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/001\" rel=\"unfollow\">Disable or\u00a0<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1562\/001\">Modify Tools<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1036 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\" rel=\"unfollow\">Masquerading<\/a>: <a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/005\" rel=\"unfollow\">Match\u00a0<\/a><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<a href=\"https:\/\/attack.mitre.org\/techniques\/T1036\/005\" rel=\"unfollow\">Legitimate Name or Location<\/a><\/span><\/p>\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1055 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\" rel=\"unfollow\">Process Injection<\/a><\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Execution<\/span><\/p>\n<\/td>\n<td style=\"text-align: justify; vertical-align: middle;\">\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">T1106 &#8211; <a href=\"https:\/\/attack.mitre.org\/techniques\/T1106\" rel=\"unfollow\">Native API<\/a><\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div id=\"code_area\">\n<h2 dir=\"ltr\">Ryuk &#8211; A Cheat Sheet<\/h2>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Ryuk has within its arsenal 17 CVEs that it exploits to mount attacks on its victims.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">The year of discovery of these CVEs range from 2013 to 2020.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Six CVEs are Remote Code Execution Exploits (RCE) and one CVE is a Privilege Execution.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">57% of CVEs that are in Ryuk\u2019s arsenal are rated critical, 5 are medium and 1 of low severity.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Five CVEs in numerical order (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147) are tied to five APT groups.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Seven CVEs exist in Microsoft products such as Windows Vista, Windows Server (2007, 2008, 20012, 2010, 2016, 2019 ) Internet explorer, Microsoft Edge etc.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">Five CVEs are weaknesses that exist in multiple products such as Novell, Fedoraproject, Debian, Canonical, Huawei, Gentoo, Oracle, Amazon, IBM, Openbsd, Winscp, Netapp, redhat, VMware, synology, samba etc.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">External Blue kit is used to exploit vulnerabilities &#8211; CVE-2017-0143 and CVE-2017-0144.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">All 17 CVEs have patches and it is recommended that they be prioritized for remediation immediately.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CWE &#8211; 20 is the most exploited weakness among the Ryuk associated CVEs which topped third in the Top 25 Common Weakness Enumeration.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">CVE-2020-1472 is a recent CVE added in Ryuk\u2019s arsenal while the rest are old. This brings the focus back to cyber hygiene that needs to be practiced diligently.<\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\">\u00a0CVE-2018-1156 and CVE-2018-14847 are RCE bugs where Ryuk comprises an unpatched Mikrotik router and turns it into a command and control server that infects with rootkits.<\/p>\n<\/li>\n<\/ol>\n<\/div>\n<p dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" rel=\"unfollow\">Check out our Spotlight Ransomware report for more!<\/a><\/p>\n<h2 dir=\"ltr\">Threat Groups &amp; APT Groups<\/h2>\n<p dir=\"ltr\">Ryuk is associated with the following threat and APT groups, which use Ryuk to launch complex cybersecurity attacks on vulnerable organizations with critical information and data.<\/p>\n<table style=\"width: 100%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<thead>\n<tr>\n<th style=\"text-align: center; vertical-align: middle;\" colspan=\"2\" rowspan=\"1\" scope=\"col\"><span style=\"font-size: 12px;\"><b id=\"docs-internal-guid-25c319e4-7fff-52b9-09af-722d375de8a6\">Threat Groups<\/b><\/span><\/th>\n<th style=\"text-align: center; vertical-align: middle;\" scope=\"col\"><span style=\"font-size: 12px;\"><b id=\"docs-internal-guid-8b3257cf-7fff-69a6-3810-0f4351f733f2\">APT Groups<\/b><\/span><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Gothic Panda<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Pirpi<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">UPS Team<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Buckeye<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Threat Group-0110<\/span><\/p>\n<\/li>\n<\/ol>\n<\/td>\n<td>\n<ol start=\"6\">\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">TG-0110<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">HIDDEN COBRA<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Guardians of Peace<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">ZINC<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">NICKEL ACADEMY<\/span><\/p>\n<\/li>\n<\/ol>\n<\/td>\n<td>\n<ol>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">APT3\u00a0<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">APT10<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Stone Panda\u00a0<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Shadow Brokers<\/span><\/p>\n<\/li>\n<li dir=\"ltr\" aria-level=\"1\">\n<p dir=\"ltr\" role=\"presentation\"><span style=\"font-size: 12px;\">Lazarus Group (APT37 &amp; APT38)<\/span><\/p>\n<\/li>\n<\/ol>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 dir=\"ltr\"><\/h2>\n<h2 dir=\"ltr\">How to detect Ryuk in your environment<\/h2>\n<p dir=\"ltr\">Here are some types of IoCs that will alert you about malicious objects on endpoints:<\/p>\n<table style=\"width: 100%;\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"white-space: nowrap;\">\n<p style=\"margin-left: 40px;\"><strong><span style=\"font-size: 12px;\">Ryuk payload<\/span><\/strong><\/p>\n<\/td>\n<td style=\"text-align: left; vertical-align: middle;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\"><strong>SHA256:<\/strong> BDDAF6020F8DF169E1901C709701240F1A810D0E0FCEC7D4479D5354360E1795<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\"><strong>Registry:<\/strong> HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\"><strong>MD5:\u00a0<\/strong><\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">Fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">c0202cf6aeab8437c638533d14563d35<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">d348f536e214a47655af387408b4fca5<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">958c594909933d4c82e93c22850194aa<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">86c314bc2dc37ba84f7364acd5108c2b<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">29340643ca2e6677c19e1d3bf351d654<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">cb0c1248d3899358a375888bb4e8f3fe<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">1354ac0d5be0c8d03f4e3aba78d2223e<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">cb0c1248d3899358a375888bb4e8f3fe<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">d4a7c85f23438de8ebb5f8d6e04e55fc<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">3895a370b0c69c7e23ebb5ca1598525d<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">567407d941d99abeff20a1b836570d30<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">c0d6a263181a04e9039df3372afb8016<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"white-space: nowrap;\">\n<p style=\"margin-left: 40px; text-align: left;\"><strong><span style=\"font-size: 12px;\">Ryuk-related IPs<\/span><\/strong><\/p>\n<\/td>\n<td style=\"white-space: nowrap;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">200[.]107[.]59[.]130:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">5[.]196[.]154[.]93\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">94[.]103[.]94[.]154<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">186[.]42[.]186[.]202:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">177[.]52[.]79[.]29:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">187[.]8[.]169[.]10:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">187[.]65[.]49[.]88:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">200[.]83[.]49[.]141:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">200[.]35[.]56[.]81:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">177[.]183[.]194[.]194:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">200[.]110[.]72[.]134:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">186[.]248[.]163[.]198:449<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">191[.]241[.]233[.]195:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">187[.]95[.]32[.]18:449\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">187[.]95[.]123[.]179:449\u00a0\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">177[.]52[.]28[.]238:449<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"white-space: nowrap;\">\n<p style=\"margin-left: 40px; text-align: left;\"><span style=\"font-size: 12px;\"><strong>Ryuk-related file paths\u00a0<\/strong> \u00a0\u00a0<\/span><\/p>\n<\/td>\n<td>\n<p style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">c:\\Windows\\System32\\setup.exe c:\\Users\\Default\\AppData\\Roaming\\msnet\\uetur.exe c:\\Users\\*\\AppData\\Roaming\\msnet\\uetur.exe c:\\Users\\*\\AppData\\Roaming\\msnet c:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\msnet\\uetut.exe c:\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\msnet c:\\Windows\\System32\\Tasks\\Ms net<\/span><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td style=\"white-space: nowrap;\">\n<p style=\"margin-left: 40px; text-align: left;\"><strong><span style=\"font-size: 12px;\">Ryuk-related web files<\/span><\/strong><\/p>\n<\/td>\n<td style=\"white-space: nowrap;\">\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">\/login\/process.php\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">\/admin\/get.php\u00a0<\/span><\/p>\n<p dir=\"ltr\" style=\"margin-left: 40px;\"><span style=\"font-size: 12px;\">\/news.php<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p dir=\"ltr\" style=\"text-align: justify;\">Today, Ryuk is being sold on the dark web in a ransomware as a service affiliate model business and it is empowering threat actors to go after vulnerable and critical entities like hospitals. Organizations need to recognize the threat, understand the risks, and prioritize preventions and measures that will protect them against Ryuk. Our researchers have spotlighted the threats that are influencing the growth of ransomware.<\/p>\n<h2 dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/ransomware\/\" rel=\"unfollow\">Check out our path-breaking Ransomware Spotlight report.<\/a><\/h2>\n<h2 dir=\"ltr\" style=\"text-align: center;\"><a href=\"https:\/\/cybersecurityworks.com\/resources\/datasheets\/ransomware-defense-review.html\">Are you susceptible to Ryuk?\u00a0Find out now!<\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Ryuk is a crypto-ransomware strain that encrypts access to a system, device, or file through malware and demands ransom to release it.<\/p>\n","protected":false},"author":1,"featured_media":14366,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":""},"categories":[80,117],"tags":[623,107,408,116,357,91,405,350,353,132],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7551"}],"collection":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/comments?post=7551"}],"version-history":[{"count":7,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7551\/revisions"}],"predecessor-version":[{"id":14496,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/posts\/7551\/revisions\/14496"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media\/14366"}],"wp:attachment":[{"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/media?parent=7551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/categories?post=7551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/10.42.32.162\/wp-json\/wp\/v2\/tags?post=7551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}