Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[1][2][3]

ID: S0446
Platforms: Windows
Version: 1.0
Created: 13 May 2020
Last Modified: 18 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Ryuk has used cmd.exe to create a Registry entry to establish persistence.[1]

Enterprise T1486 Data Encrypted for Impact

Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[1]

Enterprise T1083 File and Directory Discovery

Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ryuk has stopped services related to anti-virus.[2]

Enterprise T1490 Inhibit System Recovery

Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[1]

Enterprise T1106 Native API

Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[1]

Enterprise T1057 Process Discovery

Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[1]

Enterprise T1055 Process Injection

Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[1]

Enterprise T1489 Service Stop

Ryuk has called kill.bat for stopping services, disabling services and killing processes.[1]

Enterprise T1016 System Network Configuration Discovery

Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[1]

Groups That Use This Software

ID Name References
G0102 Wizard Spider


G0037 FIN6