|Enterprise||T1134||Access Token Manipulation|
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell|
|Enterprise||T1486||Data Encrypted for Impact||
Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.
|Enterprise||T1083||File and Directory Discovery|
|Enterprise||T1222||.001||File and Directory Permissions Modification: Windows File and Directory Permissions Modification|
|Enterprise||T1562||.001||Impair Defenses: Disable or Modify Tools|
|Enterprise||T1490||Inhibit System Recovery|
|.005||Match Legitimate Name or Location||
Ryuk has constructed legitimate appearing installation folder paths by calling
Ryuk has used multiple native APIs including
|Enterprise||T1021||.002||Remote Services: SMB/Windows Admin Shares|
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task|
|Enterprise||T1016||System Network Configuration Discovery|
|Enterprise||T1078||.002||Valid Accounts: Domain Accounts|
Groups That Use This Software
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
- Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
- Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
- The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
- Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.