Ryuk

Malware profile, last updated 2024-08-14T09:34:33.652Z
Ryuk is ransomware that has been deployed for several years by the cybercrime group tracked as ITG23 (IBM X-Force's designation; the same cluster is also tracked as Wizard Spider, see the threat actor associations below). The group is notorious for crypting its malware: the same crypters have been observed wrapping TrickBot, Emotet, Cobalt Strike payloads and Ryuk itself.

In 2019, most ransomware investigations traced back to an initial TrickBot infection that ended in Ryuk deployment. ITG23 also relied heavily on Emotet to deliver TrickBot, producing the well-known Emotet -> TrickBot -> Ryuk chain. Once ITG23 had a foothold, the time from initial access to Ryuk deployment averaged a little over 26 days (roughly 624 hours).

Deployment itself was scripted. A batch script read target hostnames from text files and, for each host, used PsExec together with previously stolen credentials hard-coded into the script to copy the Ryuk binary onto the machine; it then created and started a new Windows service on that host to launch the binary. Unlicensed copies of Cobalt Strike, the post-exploitation framework mentioned above, have been connected to multiple malware and ransomware investigations, including Ryuk, TrickBot and Conti.

From 2018 until February 2022, Ryuk and its successor Conti dominated the ransomware scene. UNC1878, a cluster tracked by Mandiant and referenced by MITRE, is a financially motivated group that monetizes network access by deploying Ryuk.

Analysis of the post-Conti leadership indicates that Zeon, formerly Conti Team One, now operates as a team of elite pentesters for both Akira and LockBit, primarily the latter. Akira appears to have close ties to the Ryuk side of the post-Conti ecosystem, which explains its relationship with Zeon: Akira's original pentesters deployed Ryuk in the syndicate's early days, and Akira has since recruited research and development staff formerly associated with the Ryuk operation.
Description last updated: 2024-08-14T09:15:56.989Z
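The scripted PsExec deployment described above leaves a distinctive trace on every target: a Windows System log Event ID 7045 ("A service was installed in the system") for PsExec's own PSEXESVC service, followed seconds later by a second 7045 for the ransomware service, repeated host after host under one set of credentials. The hunt below, an added example written for this page rather than code from any of the cited reports, runs over constructed 7045 records and flags that fan-out pattern. The field names (time, host, service, image, account), the host names, the account and the file name payload.exe are this example's own placeholders, not Ryuk indicators.

```python
"""Hunt for PsExec-style mass service deployment in Windows System log data.

Constructed sample only: the records below mimic Windows System log
Event ID 7045 ("A service was installed in the system") after a log
pipeline has flattened it. The field names (time, host, service, image,
account) are this example's own convention, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Three hosts receive PSEXESVC followed by the same
# new service binary under one account within minutes; one more host gets it
# hours later; the remaining records are benign noise. Host names, the account
# and "payload.exe" are placeholders, not Ryuk indicators.
SAMPLE_7045 = [
    {"time": "2020-10-26T02:11:03", "host": "WS-014", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T02:11:09", "host": "WS-014", "service": "svchelper",
     "image": "C:\\Windows\\Temp\\payload.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T02:14:41", "host": "WS-027", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T02:14:47", "host": "WS-027", "service": "svchelper",
     "image": "C:\\Windows\\Temp\\payload.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T02:19:05", "host": "FS-02", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T02:19:12", "host": "FS-02", "service": "svchelper",
     "image": "C:\\Windows\\Temp\\payload.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-26T05:40:00", "host": "WS-090", "service": "svchelper",
     "image": "C:\\Windows\\Temp\\payload.exe", "account": "CORP\\svc_backup"},
    {"time": "2020-10-25T14:02:00", "host": "SRV-01", "service": "Sysmon64",
     "image": "C:\\Windows\\Sysmon64.exe", "account": "CORP\\Administrator"},
    {"time": "2020-10-26T03:00:00", "host": "WS-033", "service": "gupdate",
     "image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
     "account": "NT AUTHORITY\\SYSTEM"},
]

PSEXEC_MARKERS = ("psexesvc",)  # default PsExec service / binary name


def image_basename(image):
    """Return the lower-cased file name from a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def psexec_hosts(events):
    """Hosts on which the default PsExec service binary was installed."""
    hosts = set()
    for ev in events:
        text = (ev["service"] + " " + ev["image"]).lower()
        if any(marker in text for marker in PSEXEC_MARKERS):
            hosts.add(ev["host"])
    return sorted(hosts)


def detect_fanout(events, min_hosts=3, window=timedelta(minutes=30)):
    """Alert when one account installs the same service binary on at least
    `min_hosts` distinct hosts within `window`.

    This is the shape of a scripted PsExec deployment: one set of
    credentials touching host after host in quick succession. Each
    (account, binary) pair gets a sliding window over its sorted
    timestamps; the first window that crosses the threshold is reported.
    """
    groups = defaultdict(list)
    for ev in events:
        key = (ev["account"].lower(), image_basename(ev["image"]))
        groups[key].append((datetime.fromisoformat(ev["time"]), ev["host"]))

    alerts = []
    for (account, image), hits in groups.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "image": image,
                    "hosts": sorted(hosts),
                    "first": hits[start][0].isoformat(),
                    "last": hits[end][0].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    print("PsExec service installs on:", psexec_hosts(SAMPLE_7045))
    for alert in detect_fanout(SAMPLE_7045):
        print(alert)
```

Two caveats when turning this into a production rule. PsExec's service name and binary can be renamed with its `-r` option, so the PSEXESVC marker catches only default usage; the fan-out check on the second 7045 (same account, same binary, many hosts, short window) is the more robust signal and fires on the sample even though the WS-090 install three hours later is correctly left out of the window. Second, 7045 is written on the target host, so the rule needs centralised collection of System logs; the copy to ADMIN$ that precedes it also produces Security log share-access events on the target, which make a useful corroborating source.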
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following overlapping names and profiles may also be worth a look.
- Conti. Listed as a possible alias for Ryuk; note that the description above calls Conti Ryuk's successor under the same ITG23 / Wizard Spider crew, so this is a lineage overlap rather than one family under two names. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra
Miscellaneous Associations
Other elements of context that could aid in judging relevance:
Ransomware, Malware, Botnet, Ransom, Cybercrime, Extortion, Dropper, Windows, Phishing, Encryption, Bitcoin, Payload, Russia, Encrypt, Russian, Trojan, Proxy, T1486 (ATT&CK: Data Encrypted for Impact), UK, Treasury, ICS, Vulnerability, Tool, Credentials
Associated Malware
All malware associations below are of unspecified type.
- TrickBot: TrickBot is a notorious malware developed by cybercriminals to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. This malicious software can steal personal information, disrupt operations, or even hold data hostage for ransom. Vladimir Dunaev,
- Emotet: Emotet is a notorious malware, short for malicious software, that is designed to exploit and damage computers or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user, with the potential to steal personal information, disrupt operations,
- WannaCry: WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2
- LockBit: LockBit is a malicious software, or malware, known for its damaging and exploitative functions. It infiltrates systems via dubious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or hold data hostage for ransom. The LockBit
- Maze: Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release
- Black Basta: BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation
- REvil: REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th
- Emotet and TrickBot (listed together as one combined entry).
- Hive: Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag
- Diavol: Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope
- LockerGoga: LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditio
- Akira: Akira is a potent ransomware that has been active since 2023, known for its aggressive encryption tactics and swift deployment. This malware, which brings a unique '80s aesthetic to the dark web, has quickly risen in prominence within the cybercrime landscape. It has targeted hundreds of victims glo
- Babuk: Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio
- Maze Ransomware (a second cluster entry for the Maze family above): Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for
- BazarLoader: BazarLoader is a type of malware developed by the TrickBot group, primarily used to gain initial access to a victim's infrastructure in ransomware attacks. This malware has been associated with various threat groups, including ITG23, which has used BazarLoader alongside other malware like Trickbot a
- Clop: Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
- Dyre: Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
- Dyreza (a second cluster entry for the Dyre family above): Dyreza, also known as Dyre, is a sophisticated banking trojan malware that has garnered significant attention over the past several years. This malicious software is designed to exploit and damage computer systems, often infecting them through suspicious downloads, emails, or websites without user k
Associated Threat Actors
All threat actor associations below are of unspecified type.
- Sodinokibi: Sodinokibi, also known as REvil, is a highly active and impactful threat actor first identified in April 2019. Operating as a ransomware-as-a-service (RaaS), this group has been responsible for a significant proportion of global ransomware incidents. In 2020, Sodinokibi ransomware attacks accounted
- ALPHV: Alphv, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. Originating from Russia, this cybercriminal group has been involved in multiple high-profile ransomware attacks, specifically targeting healthcare providers. They gained significant attention after stealing 5TB
- DarkSide: DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across
- FIN7: FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global
- Wizard Spider: Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu
- Conti Team: The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack
- UNC1878: UNC1878, tracked by Mandiant and referenced by MITRE, is a notable threat actor involved in various cybercrime enterprises. This group is financially motivated and primarily monetizes network access via the deployment of Ryuk ransomware. A significant proportion of post-compromise activity linked to
- BlackMatter: BlackMatter, a threat actor in the cybersecurity realm, is known for its malicious activities and has been linked to several ransomware strains. The group emerged as a successor to the DarkSide ransomware, which was responsible for the high-profile attack on the Colonial Pipeline in May 2021. Howeve
- Zeon: Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Source Document References
The information about Ryuk on this page was drawn from 20 documents in the corpus, published by Securityaffairs, InfoSecurity-magazine, CERT-EU, BankInfoSecurity and MITRE.