Ryuk

Malware Profile Updated 20 days ago
Ryuk is a sophisticated ransomware variant that has been used extensively by the cybercriminal group ITG23. The group has employed crypting techniques for several years to obfuscate its malware, and Ryuk is often seen in tandem with other malicious software such as Trickbot, Emotet, and Cobalt Strike. In 2019, the majority of ransomware investigations were linked to an initial TrickBot infection that subsequently led to a Ryuk ransomware attack. This sequence of events often involved Emotet being used to deliver Trickbot malware, which then paved the way for Ryuk to be deployed. The deployment of Ryuk ransomware typically completed the attack within an average of 26.22 days (624 hours) after access was transferred to ransomware operators. Unlicensed versions of the tool connected to Ryuk have also been implicated in multiple malware and ransomware investigations, including those into Trickbot and Conti.

Over the past few years, Ryuk's popularity among threat actors has surged, with groups like APT29, FIN7, and UNC1878 (the MITRE tracking identifier for a group that monetizes network access via Ryuk deployment) all utilizing it. From 2018 until February 2022, Ryuk, along with its successor Conti, dominated the ransomware scene.

Post-Ryuk leadership saw the emergence of Zeon, operating as elite pentesters for both Akira and LockBit, with the latter being their main focus. The Akira group, having close ties with the Ryuk side of post-Conti, formed a relationship with Zeon, leading to the original pentesters deploying Ryuk in the syndicate's early days. Furthermore, the Akira group expanded its expertise by recruiting research and development professionals formerly associated with the Ryuk ransomware group.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Conti
10
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Locker Ransomware
1
Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolve
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Botnet
Ransom
Cybercrime
Dropper
Extortion
Phishing
Encryption
Payload
Encrypt
Russia
Windows
Bitcoin
Ics
Proxy
Treasury
T1486
russian
Vulnerability
Uk
Trojan
Health
Government
Police
Lateral Move...
exploitation
Evasive
Beacon
Reconnaissance
Tool
Crypting
Exploits
Linux
British
Ivanti
Nca
Crowdstrike
Fireeye
Microsoft
Laundering
Cobalt Strike
AdFind
State Sponso...
Backdoor
flaw
Locker
Bot
RaaS
Downloader
Exploit
Ddos
Associated Malware
ID | Type | Votes | Profile Description
TrickBot | Unspecified
11
TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Emotet | Unspecified
6
Emotet is a highly dangerous and insidious malware that has resurfaced with increased activity this summer. Originally distributed via email attachments, it infiltrates systems often without the user's knowledge, forming botnets under the control of criminals for large-scale attacks. Once infected,
WannaCry | Unspecified
4
WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Maze | Unspecified
4
Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w
Lockbit | Unspecified
4
LockBit is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. It can enter your system through various channels such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
REvil | Unspecified
3
REvil is a notorious form of malware, specifically ransomware, that infiltrates systems to disrupt operations and steal data. The ransomware operates on a Ransomware as a Service (RaaS) model, which gained traction in 2020. In this model, REvil, like other first-stage malware such as Dridex and Goot
Blackbasta | Unspecified
3
BlackBasta is a malicious software (malware) known for its disruptive and damaging effects on computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even ho
Dyre | Unspecified
2
Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i
Dyreza | Unspecified
2
Dyreza, also known as Dyre, is a sophisticated banking trojan malware that has garnered significant attention over the past several years. This malicious software is designed to exploit and damage computer systems, often infecting them through suspicious downloads, emails, or websites without user k
LockerGoga | Unspecified
2
LockerGoga is a type of malware, specifically ransomware, known for its disruptive capabilities. It was notably deployed at Norsk Hydro in March 2019, causing significant operational disruption. LockerGoga differentiates itself from other types of ransomware such as EKANS due to its destructive natu
Bazarloader | Unspecified
2
BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B
Maze Ransomware | Unspecified
2
Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for
Emotet, Trickbot | Unspecified
2
None
Babuk | Unspecified
2
Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso
Hive | Unspecified
2
Hive is a malicious software, or malware, that infiltrates systems to exploit and damage them. This malware has been associated with Volt Typhoon, who exfiltrated NTDS.dit and SYSTEM registry hive to crack passwords offline. The Hive operation was primarily involved in port scanning, credential thef
Akira | Unspecified
2
Akira is a malicious software, or malware, specifically a type of ransomware known for its disruptive and damaging effects. First surfacing in late 2023, it has continued to wreak havoc on various entities, including corporations and industries. This ransomware infects systems through suspicious dow
Diavol | Unspecified
2
Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope
Clop | Unspecified
2
Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Stuxnet | Unspecified
1
Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a
Bazar | Unspecified
1
"Bazar" is a form of malware, a malicious software designed to exploit and damage computer systems. This harmful program can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once it gains access, it can steal personal information, disrupt operations, o
BitPaymer | Unspecified
1
BitPaymer is a type of malware that operates as ransomware, encrypting files and demanding payment for their release. It was operated by the GOLD DRAKE threat group and was later reworked and renamed DoppelPaymer by the GOLD HERON threat group. As part of the Ransomware as a Service (RaaS) model tha
Pysa | Unspecified
1
Pysa is a type of ransomware, a malicious software designed to exploit and damage computer systems by encrypting data and demanding ransom for its decryption. The Pysa ransomware group, known for its organizational hierarchy that includes senior executives, system admins, developers, recruiters, HR,
Pay2Key | Unspecified
1
Pay2Key is a form of malware, specifically ransomware, designed to infiltrate computer systems, often without the user's knowledge. This malicious software encrypts data and holds it hostage for ransom, often causing significant disruption to operations and potentially leading to the theft of sensit
EKANS | Unspecified
1
EKANS, also known as SNAKE (the word EKANS spelled backwards), is a significant strain of malware that emerged in mid-December 2019. It was one of the more concerning ransomware strains observed in 2020, accounting for 6% of all ransomware attacks monitored by IBM Security X-Force in that year. The
MegaCortex | Unspecified
1
MegaCortex is a type of malware known for its harmful effects on computer systems and devices. It was identified by Dragos, a cybersecurity firm, as having a relationship with another ransomware called EKANS. Both MegaCortex and EKANS have specific characteristics that pose unique risks to industria
BlackEnergy | Unspecified
1
BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Egregor | Unspecified
1
Egregor is a variant of the Sekhmet ransomware and operates as Ransomware-as-a-Service (RaaS). It emerged in 2020, suspected to be from former Maze affiliates. Known for its double extortion tactics, Egregor publicly shames its victims by leaking sensitive data if the ransom isn't paid. In one notab
Cobaltstrike | Unspecified
1
CobaltStrike is a notorious form of malware that has been used in conjunction with other malicious software including IcedID, Qakbot, BazarLoader, Conti, Gozi, Trickbot, Quantum, Emotet, and Royal Ransomware. This malware is typically delivered through suspicious downloads, emails, or websites, ofte
NotPetya | Unspecified
1
NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
TRITON | Unspecified
1
Triton is a sophisticated malware that has been historically used to target the energy sector. It was notably used in 2017 by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM) to attack a Middle East petrochemical facility. The malware, also known as Trisis and
Wannaren | Unspecified
1
None
Bazarbackdoor | Unspecified
1
BazarBackdoor is a type of malware developed by ITG23, first identified in April 2020. It is commonly distributed via contact forms on corporate websites, bypassing regular phishing emails, which makes it harder to detect. The malware is often associated with BazarLoader, both of which were used ext
Team9 | Unspecified
1
Team9 is a malware, short for malicious software, that poses significant threats to computer systems and data. The malware's operations start with the Team9 loader, which upon examination shows a XOR key of the infection date in the YYYYMMDD format (ISO 8601). This loader downloads a XOR-encoded pay
Bazar Backdoor | Unspecified
1
The Bazar Backdoor is a malicious software (malware) that infiltrates systems through suspicious downloads, emails, or websites. Named after its use of EmerDNS blockchain domains, the Bazar loader and Bazar backdoor are associated with the threat actors behind Trickbot, Anchor malware, and other cyb
Royal Ransomware | Unspecified
1
Royal Ransomware is a type of malware that has been causing significant disruptions in various sectors, particularly in the United States. Originating from the now-defunct Conti ransomware operation, Royal Ransomware was notorious for its multi-threaded encryption and ability to kill processes withi
Lockfile | Unspecified
1
LockFile is a type of malicious software, or malware, that has been linked to ransomware activity. This harmful program can infiltrate your system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold your data for ransom. Analysis of the PlugX
Revil/sodinokibi | Unspecified
1
REvil/Sodinokibi is a type of malware, specifically ransomware, first identified on September 24, 2019. This malicious software is designed to infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information,
Ragnar Locker | Unspecified
1
Ragnar Locker is a type of malware, specifically a ransomware, that has been designed to infiltrate computer systems, often without the user's knowledge. It can enter systems through suspicious downloads, emails, or websites and once inside, it has the capability to steal personal information, disru
Associated Threat Actors
ID | Type | Votes | Profile Description
Wizard Spider | Unspecified
3
Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev
Alphv | Unspecified
3
AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car
DarkSide | Unspecified
3
DarkSide is a notable threat actor that emerged in the cybersecurity landscape with its advanced ransomware operations. In 2021, the group gained significant attention for its attack on the United States' largest oil pipeline, Colonial Pipeline, causing a temporary halt to all operations for three d
Sodinokibi | Unspecified
3
Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st
FIN7 | Unspecified
3
FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Blackmatter | Unspecified
2
BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention
UNC1878 | Unspecified
2
UNC1878, tracked by Mandiant and identified by MITRE, is a notable threat actor involved in various cybercrime enterprises. This group is financially motivated and primarily monetizes network access via the deployment of Ryuk ransomware. A significant proportion of post-compromise activity linked to
Zeon | Unspecified
2
Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Conti Team | Unspecified
2
The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack
Gold Ulrick | Unspecified
1
GOLD ULRICK, also known as ITG23, is a threat actor identified for its aggressive and unrestricted operations in the cybersecurity landscape. The group has shown no hesitation in targeting healthcare organizations with Conti ransomware, a malicious software designed to block access to a computer sys
Conti Ransomware Gang | Unspecified
1
The Conti ransomware gang, a notorious threat actor in the cybersecurity landscape, has been responsible for extorting at least $180 million globally. The gang is infamous for the HSE cyberattack in 2021 and has been sanctioned by the National Crime Agency (NCA). In late 2021, experts suggested that
Shadowsyndicate | Unspecified
1
ShadowSyndicate, a threat actor that emerged in 2019, has been implicated in multiple ransomware operations according to cybersecurity firm Group-IB. The group is known for its affiliations with various ransomware groups and programs, and has been involved in several ransomware projects such as JSWO
APT29 | Unspecified
1
APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
ITG23 | Unspecified
1
ITG23, also known as the Trickbot/Conti syndicate, is a significant threat actor that has been active since 2016 in the East European cybercrime arena. This group is renowned for its use of Reflective DLL Injection code in many of its crypters, with the presence of these crypters on a file sample be
Trickbot Group | Unspecified
1
The Trickbot Group, also known as ITG23, Wizard Spider, and DEV-0193, is a threat actor group notorious for its malicious activities. The group has been consistently analyzed by IBM Security X-Force researchers due to their development and use of several crypters. In the fall of 2020, efforts were m
FIN12 | Unspecified
1
FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware
Trickbot/conti Syndicate | Unspecified
1
The Trickbot/Conti syndicate, also known as ITG23, is a threat actor group associated with various malicious activities. Since late February 2023, this group has been linked to Domino Backdoor campaigns utilizing the Dave Loader, a tool used to load malware onto targeted systems. The IBM Security X-
ITG14 | Unspecified
1
ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14’s Carbanak Backdoor. The Domino Backdoor not only shares signifi
Lazarus Group | Unspecified
1
The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-
Evil Corp | Unspecified
1
Evil Corp, a threat actor group based in Russia, has been identified as a significant cybercrime entity responsible for the execution of malicious actions. The alleged leader of this group is Maksim Yakubets, who is notably associated with Dridex malware operations. The U.S. Treasury imposed sanctio
TEMP.MixMaster | Unspecified
1
TEMP.MixMaster, a notable threat actor in the cybersecurity landscape, is associated with the deployment of Ryuk ransomware following TrickBot malware infections. This activity has been tracked by FireEye and has been linked to financially-motivated cyber attacks. The modus operandi of TEMP.MixMaste
APT38 | Unspecified
1
APT38, also known as TA444, BlueNoroff, BlackAlicanto, Coperenicum, Sapphire Sleet, Stardust Chollima, and TraderTraitor, is a threat actor group suspected to be backed by the North Korean regime. The group has been active in operations across over 16 organizations in at least 11 countries, primaril
FIN6 | Unspecified
1
FIN6, also known as ITG08, Skelaton Spider, and MageCart, is a notorious threat actor that has been implicated in various cybercrime activities. The group gained notoriety for stealing credit cards through point-of-sale (POS) systems in retail and hospitality establishments, most notably in the Home
Grim Spider | Unspecified
1
GRIM SPIDER is a malicious threat actor, along with INDRIK SPIDER and BOSS SPIDER, that has been continuously operating in the cybersecurity landscape. These entities are responsible for executing actions with harmful intent, which could range from data breaches to deploying ransomware. The cybersec
8base | Unspecified
1
8base, a significant threat actor in the cybersecurity landscape, has been active between April 2022 and May 2023. This group, while not new, has recently increased its visibility with the activation of a public leak site used to pressure victims into paying ransoms. In the last month alone, 8base o
Havex | Unspecified
1
Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Syst
Gandcrab | Unspecified
1
GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Bazarloader/bazarbackdoor | Unspecified
1
None
Source Document References
Information about the Ryuk Malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs
20 days ago
Operation Morpheus took down 593 Cobalt Strike servers used by threat actors
InfoSecurity-magazine
2 months ago
#Infosec2024: Decoding SentinelOne’s AI Threat Hunting Assistant
CERT-EU
4 months ago
Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU
4 months ago
LockBit takedown surges Akira Ransomware Attacks - Cybersecurity Insiders
BankInfoSecurity
4 months ago
Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU
4 months ago
British authorities have never detected a breach of ransomware sanctions — but is that good or bad news? | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
5 months ago
American Fortune 500 Company Hit by Ransomware Cyberattack
CERT-EU
5 months ago
Operation Cronos: Who Are the LockBit Admins
Securityaffairs
6 months ago
A TrickBot malware developer sentenced to 64 months in prison
InfoSecurity-magazine
6 months ago
Ukraine Arrests Hacker for Assisting Russian Missile Strikes
CERT-EU
6 months ago
Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
MITRE
7 months ago
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
MITRE
7 months ago
Trickbot Rising — Gang Doubles Down on Infection Efforts to Amass Network Footholds
MITRE
7 months ago
The many lives of BlackCat ransomware | Microsoft Security Blog
CERT-EU
7 months ago
The end of ransomware payments: how businesses fit into the fight | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU
7 months ago
Akira Ransomware Attack: Two Alleged Victim In Cyber Breach
CERT-EU
8 months ago
Industry-leading protection against remote ransomware attacks – Sophos News | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
InfoSecurity-magazine
8 months ago
Russian Programmer Pleads Guilty to Trickbot Conspiracy
CERT-EU
8 months ago
TrickBot malware dev pleads guilty, faces 35 years in prison
CERT-EU
8 months ago
TrickBot Developer Pleads Guilty in US Court