S0446 Ryuk
Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[3][2][4]
Item | Value
---|---
ID | S0446
Associated Names | (none)
Type | MALWARE
Version | 1.3
Created | 13 May 2020
Last Modified | 24 May 2022
Techniques Used
Domain | ID | Name | Use
---|---|---|---
enterprise | T1134 | Access Token Manipulation | Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[3]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[3]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Ryuk has used cmd.exe to create a Registry entry to establish persistence.[3]
enterprise | T1486 | Data Encrypted for Impact | Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Each file has been encrypted with its own AES key and given the file extension .RYK. A ransom note named RyukReadMe.txt has been written to each encrypted directory.[3][6]
enterprise | T1083 | File and Directory Discovery | Ryuk has enumerated files and folders on all mounted drives.[3]
enterprise | T1222 | File and Directory Permissions Modification | -
enterprise | T1222.001 | Windows File and Directory Permissions Modification | Ryuk can launch icacls to remove every access-based restriction on files and directories.[5]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | Ryuk has stopped services related to anti-virus.[2]
enterprise | T1490 | Inhibit System Recovery | Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[3]
enterprise | T1036 | Masquerading | Ryuk can create .dll files that actually contain a Rich Text File format document.[5]
enterprise | T1036.005 | Match Legitimate Name or Location | Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. On Windows Vista or later, the path would appear as C:\Users\Public.[3]
enterprise | T1106 | Native API | Ryuk has used multiple native APIs, including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[3]
enterprise | T1027 | Obfuscated Files or Information | Ryuk can use anti-disassembly and code transformation obfuscation techniques.[6]
enterprise | T1057 | Process Discovery | Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[3]
enterprise | T1055 | Process Injection | Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[3]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Ryuk has used the C$ network share for lateral movement.[1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Ryuk can remotely create a scheduled task to execute itself on a system.[5]
enterprise | T1489 | Service Stop | Ryuk has called kill.bat to stop services, disable services, and kill processes.[3]
enterprise | T1082 | System Information Discovery | Ryuk has called GetLogicalDrives to enumerate all mounted drives and GetDriveTypeW to determine the drive type.[3]
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.[3]
enterprise | T1016 | System Network Configuration Discovery | Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[3][1]
enterprise | T1205 | Traffic Signaling | Ryuk has used Wake-on-LAN to power on turned-off systems for lateral movement.[1]
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.002 | Domain Accounts | Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[5]
ics | T0828 | Loss of Productivity and Revenue | An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open.[7]
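The command-line behaviours the table attributes to Ryuk (shadow-copy deletion under T1490, the Run-key entry under T1547.001, kill.bat under T1489, icacls under T1222.001) expressed as detection logic over process-creation telemetry. This is an added example, not MITRE content or Ryuk's own code; the event field names and the sample events are assumed and constructed.

```python
"""Match process-creation events against the Ryuk command lines listed on
this page and triage hosts by how many of those behaviours co-occur."""
import re

# (ATT&CK technique ID from the page, pattern over the process command line)
RULES = [
    ("T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*?/all\b", re.I)),
    ("T1490", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("T1547.001", re.compile(
        r"reg(\.exe)?\s+add\s+\"?HK(EY_CURRENT_USER|CU)\\software\\microsoft"
        r"\\windows\\currentversion\\run\b", re.I)),
    ("T1489", re.compile(r"\bkill\.bat\b", re.I)),
    # icacls alone is common admin activity; it only matters in combination.
    ("T1222.001", re.compile(r"(^|\\|\s)icacls(\.exe)?\s", re.I)),
]

# Constructed sample telemetry (field names assumed), not from a real incident.
EVENTS = [
    {"id": 1, "host": "ws01", "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"id": 2, "host": "ws01", "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"id": 3, "host": "ws01", "cmdline": r'cmd.exe /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft'
                                         r'\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d C:\Users\Public\payload.exe'},
    {"id": 4, "host": "ws02", "cmdline": "cmd.exe /c kill.bat"},
    {"id": 5, "host": "ws02", "cmdline": "icacls C:\\data /grant Everyone:F /T"},
    {"id": 6, "host": "ws03", "cmdline": "vssadmin list shadows"},  # benign enumeration
]


def match_events(events):
    """Return {host: {technique: [event ids]}} for every rule hit."""
    hits = {}
    for ev in events:
        for tech, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.setdefault(ev["host"], {}).setdefault(tech, []).append(ev["id"])
    return hits


def triage(hits):
    """Shadow-copy destruction plus any other listed behaviour on one host is
    rated high; two or more other behaviours medium; a single hit low."""
    out = {}
    for host, techs in hits.items():
        if "T1490" in techs and len(techs) > 1:
            out[host] = "high"
        elif len(techs) > 1:
            out[host] = "medium"
        else:
            out[host] = "low"
    return out


if __name__ == "__main__":
    found = match_events(EVENTS)
    for host, level in triage(found).items():
        print(host, level, sorted(found[host]))
```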
Groups That Use This Software
ID | Name | References
---|---|---
G0037 | FIN6 | [4]
G0102 | Wizard Spider | [3][8][9][10][14][12][13][11][6]
References
1. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
2. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
4. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
5. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
6. Podlosky, A., Hanel, A., et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
7. Kelly Jackson Higgins. How a Manufacturing Firm Recovered from a Devastating Ransomware Attack. Retrieved 2019/11/03.
8. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
9. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
10. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
11. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They're back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
12. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
13. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
14. The DFIR Report. (2020, October 8). Ryuk's Return. Retrieved October 9, 2020.