Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Ryuk

Ryuk

Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[1][2][3]

ID: S0446
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 13 May 2020
Last Modified: 18 May 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[1]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Ryuk has used cmd.exe to create a Registry entry to establish persistence.[1]
Enterprise T1486 Data Encrypted for Impact

Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.[1]
Enterprise T1083 File and Directory Discovery

Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.[1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Ryuk has stopped services related to anti-virus.[2]
Enterprise T1490 Inhibit System Recovery

Ryuk has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[1]
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\Users\Public.[1]
Enterprise T1106 Native API

Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[1]
Enterprise T1057 Process Discovery

Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[1]
Enterprise T1055 Process Injection

Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[1]
Enterprise T1489 Service Stop

Ryuk has called kill.bat for stopping services, disabling services and killing processes.[1]
Enterprise T1016 System Network Configuration Discovery

Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[1]

Groups That Use This Software

ID Name References
G0102 Wizard Spider

[1]
G0037 FIN6

[3]

References

  1. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  2. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  1. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.