Ryuk | Threat Level: critical | Type: Ransomware

Cryptographic Identifiers

SHA256a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e
MD5987336d00fdbec3bcdb95b078f7de46f
File Typeexe
Size548.3 KB
First Seen2023-03-09
File NameRyuk.bin
TagsRyuk, signed

Malware Family: Ryuk

Ryuk, hastane hedefler.

TypeRansomware
Programming LanguageC
Target PlatformWindows
C2 Protocol
PurposeHastane ransomware
First Seen Year2018

Threat Indicators (IOC)

  • SHA256: a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e
  • MD5: 987336d00fdbec3bcdb95b078f7de46f

You can verify all hash values of this sample on VirusTotal.

System Cleanup Guide

  1. Sistemi ağdan DERHAL ayırın — diğer cihazlara yayılmayı durdurun
  2. Do not pay the ransom — there is no guarantee your files will be restored
  3. Quarantine the affected drives
  4. Kullanılan fidye yazılımı ailesini belirleyin (nomoreransom.org)
  5. Try available decryptor tools (the NoMoreRansom project)
  6. Report the incident to the authorities (cybercrime unit)
  7. Temiz bir yedekten kurtarın; yedeğiniz yoksa sürücüyü saklayın

YARA Rule Hints

rule Ryuk_SHA256 {
    meta:
        description = "Ryuk sample: a9643eb83d509ad4"
        threat_level = "critical"
        first_seen = "2023-03-09"
    condition:
        hash.sha256(0, filesize) == "a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e"
}

Ryuk — Malware Profile

Wizard Spider threat group ransomware (2018+). Targets large enterprises, hospitals, municipalities. RyukReadMe.html ransom note. VirtualAllocEx+WriteProcessMemory+CreateRemoteThread injection. GetIpNetTable ARP scan for lateral movement. AdjustTokenPrivileges for SeBackupPrivilege/SeDebugPrivilege.

Malware Type
Ransomware
Programming Language
C
C2 Protocol
Target Systems
Windows

Technical Details

Ryuk ransomware emerged August 2018, operated by WIZARD SPIDER (TrickBot operators). Targeted large organizations for high ransoms ($100K-$12.5M+ per victim). Distribution: delivered via TrickBot/BazarLoader infections (human-operated). Encryption: RSA-2048 + AES-256 (CBC mode), unique key per file. Stops 40+ Windows services (backup, antivirus, database) and kills >180 processes. Deletes volume shadow copies (vssadmin delete shadows /all /Quiet). Disables Windows recovery: bcdedit /set {default} recoveryenabled No. Network propagation: uses Wake-on-LAN to activate sleeping network hosts for encryption. Believed based on Hermes ransomware sold by a North Korean-linked actor on underground forums. Predecessor to Conti ransomware which emerged from WIZARD SPIDER's operations in 2020.

Attribution / Threat Actor

WIZARD SPIDER (linked to Hermes/Lazarus initial code)

Capabilities & Behavior

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

IOC List (2 indicators)

IOC — Ryuk
# SHA256 a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e # MD5 987336d00fdbec3bcdb95b078f7de46f
TypeValueNote
sha256 a9643eb83d509ad4eac20a2a89d8571f8d781979ad078e89f5b75b4bcb16f65e Sample:Ryuk
md5 987336d00fdbec3bcdb95b078f7de46f Sample:Ryuk

C2 Servers (2 recorded servers for this family)

Address Type Port Protocol Status Country
51.161.204.106 ip 443 HTTPS sinkholed CA
162.119.249.198 ip 443 HTTPS sinkholed US

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
ryukransomwaremalwarecriticalsha256hash-analizi