
S0446 Ryuk

Ryuk is ransomware designed to target enterprise environments that has been used in attacks since at least 2018. Ryuk shares code similarities with Hermes ransomware.[3][2][4]

Item | Value
ID | S0446
Associated Names | 
Type | MALWARE
Version | 1.3
Created | 13 May 2020
Last Modified | 24 May 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1134 | Access Token Manipulation | Ryuk has attempted to adjust its token privileges to have the SeDebugPrivilege.[3]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[3]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | Ryuk has used cmd.exe to create a Registry entry to establish persistence.[3]
enterprise | T1486 | Data Encrypted for Impact | Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Each file has been encrypted with its own AES key and given the file extension .RYK. A ransom note named RyukReadMe.txt has been written to each encrypted directory.[3][6]
enterprise | T1083 | File and Directory Discovery | Ryuk has enumerated files and folders on all mounted drives.[3]
enterprise | T1222 | File and Directory Permissions Modification | -
enterprise | T1222.001 | Windows File and Directory Permissions Modification | Ryuk can launch icacls /grant Everyone:F /T /C /Q to remove all access-based restrictions on files and directories.[5]
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | Ryuk has stopped services related to anti-virus.[2]
enterprise | T1490 | Inhibit System Recovery | Ryuk has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.[3]
enterprise | T1036 | Masquerading | Ryuk can create .dll files that actually contain a Rich Text Format (RTF) document.[5]
enterprise | T1036.005 | Match Legitimate Name or Location | Ryuk has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. On Windows Vista or later, the path would appear as C:\Users\Public.[3]
enterprise | T1106 | Native API | Ryuk has used multiple native APIs, including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[3]
enterprise | T1027 | Obfuscated Files or Information | Ryuk can use anti-disassembly and code transformation obfuscation techniques.[6]
enterprise | T1057 | Process Discovery | Ryuk has called CreateToolhelp32Snapshot to enumerate all running processes.[3]
enterprise | T1055 | Process Injection | Ryuk has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.[3]
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | Ryuk has used the C$ network share for lateral movement.[1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Ryuk can remotely create a scheduled task to execute itself on a system.[5]
enterprise | T1489 | Service Stop | Ryuk has called kill.bat to stop services, disable services, and kill processes.[3]
enterprise | T1082 | System Information Discovery | Ryuk has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.[3]
enterprise | T1614 | System Location Discovery | -
enterprise | T1614.001 | System Language Discovery | Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.[3]
enterprise | T1016 | System Network Configuration Discovery | Ryuk has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[3][1]
enterprise | T1205 | Traffic Signaling | Ryuk has used Wake-on-LAN to power on turned-off systems for lateral movement.[1]
enterprise | T1078 | Valid Accounts | -
enterprise | T1078.002 | Domain Accounts | Ryuk can use stolen domain admin accounts to move laterally within a victim domain.[5]
ics | T0828 | Loss of Productivity and Revenue | An enterprise resource planning (ERP) manufacturing server was lost to the Ryuk attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open.[7]
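As an added example (not part of the ATT&CK entry or of any of its references), the Python below turns the command lines this page attributes to Ryuk (T1490, T1222.001, T1547.001, T1489) into detection rules, runs them over constructed process-creation events, and groups hits per host so that a lone vssadmin call by an administrator is distinguished from several of these techniques landing on one machine. Host names, the Run-key value name and the sample file path are assumptions.

```python
import re
from collections import defaultdict

# Added example, not MITRE's code: each rule pairs an ATT&CK technique ID
# cited on this page with a regex over the command lines the page describes.
RULES = [
    ("T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("T1222.001", re.compile(r"\bicacls(?:\.exe)?\b.*\s/grant\s+everyone:f\b", re.I)),
    ("T1547.001", re.compile(r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
    ("T1489", re.compile(r"\bkill\.bat\b", re.I)),
]

# Constructed process-creation events (host, parent image, command line).
# Sample data for the demo, not real telemetry; admin01 is a benign control.
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "winword.exe /n Q3-report.docx"),
    ("admin01", "powershell.exe", r"icacls C:\Builds /grant CORP\svc_ci:(OI)(CI)M /T"),
    ("fs02", "cmd.exe", "vssadmin Delete Shadows /all /quiet"),
    ("fs02", "cmd.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("fs02", "cmd.exe", r'icacls "C:\Shares" /grant Everyone:F /T /C /Q'),
    ("ws07", "cmd.exe", r"reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\Public\sample.exe"),
    ("ws07", "cmd.exe", "kill.bat"),
]

def match_techniques(cmdline):
    """Return the set of technique IDs whose rules match one command line."""
    return {tid for tid, rx in RULES if rx.search(cmdline)}

def scan(events):
    """Aggregate matched technique IDs per host; hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for host, _parent, cmdline in events:
        per_host[host] |= match_techniques(cmdline)
    return {h: s for h, s in per_host.items() if s}

def suspicious_hosts(events, min_techniques=2):
    """Hosts on which at least min_techniques distinct techniques were seen:
    recovery inhibition combined with ACL reset or Run-key persistence is the
    pattern the table above describes, whereas one vssadmin call may be routine."""
    return sorted(h for h, s in scan(events).items() if len(s) >= min_techniques)

if __name__ == "__main__":
    for host, techs in scan(SAMPLE_EVENTS).items():
        print(host, sorted(techs))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```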

Groups That Use This Software

ID | Name | References
G0037 | FIN6 | [4]
G0102 | Wizard Spider | [3][8][9][10][14][12][13][11][6]

References

  1. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
  2. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  3. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  4. McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  5. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.
  6. Podlosky, A., Hanel, A., et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  7. Kelly Jackson Higgins. How a Manufacturing Firm Recovered from a Devastating Ransomware Attack. Retrieved 2019/11/03.
  8. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  9. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  10. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  11. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  12. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  13. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  14. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.