Videos

Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.

Ryuk Ransomware (<Original Filename>.<Original Extension> / RyukReadMe.txt)

  • Distribution Method : Unknown
 
  • MD5 : 5ac0f050f93f86e69026faea1fbb4450
 
  • Major Detection Name : Trojan.Ransom.Ryuk.A (BitDefender), Ransom_RYUK.THHBAAH (Trend Micro)
 
  • Encrypted File Pattern : <Original Filename>.<Original Extension>
 
  • Malicious File Creation Location :
     - C:\Users\Public\window.bat
     - C:\Users\Public\<Random>.exe
     - C:\Users\Public\sys
 
  • Payment Instruction File : RyukReadMe.txt
 
  • Major Characteristics :
     - Offline Encryption
     - Hermes Ransomware series
     - Encrypting files through code injection into various running processes (C:\Windows\System32\ctfmon.exe etc.)
     - Block processes execution (agntsvc.exe, dbeng50.exe, encsvc.exe, infopath.exe, mspub.exe, zoolz.exe etc.)
     - Stop multi services (Acronis VSS Provider, Antivirus, BackupExecAgentAccelerator, Enterprise Client Service, MBAMService, Sophos AutoUpdate Service etc.)
     - Disable system restore (vssadmin Delete Shadows /all /quiet, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded)
     - Dlete backup files (*.VHD, *.bac, *.bak, *.wbcat, *.bkf, Backup*.*, backup*.*, *.set, *.win, *.dsk)

List

위로