Ryuk

Malware updated 2 months ago (2024-08-14T09:34:33.652Z)
Ryuk is ransomware that the threat group ITG23 has used for several years. The group is known for crypting its malware: the same crypters have been observed on Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations traced back to an initial TrickBot infection that ended in a Ryuk attack. ITG23 has made extensive use of Emotet to deliver Trickbot, so intrusions frequently followed the sequence Emotet -> Trickbot -> Ryuk.

Once ITG23 had access to a system, it deployed Ryuk and completed the attack within an average of 26.22 days (624 hours). In the deployment stage, the executed script used PsExec and previously stolen hard-coded credentials to copy the Ryuk binary to each host listed in the noted .txt files; a new service was then created and started on each host to launch the Ryuk binary. Unlicensed versions of this tool have been connected to multiple malware and ransomware investigations, including RYUK, Trickbot, and Conti.

From 2018 until February 2022, Ryuk and its successor Conti dominated the ransomware scene. UNC1878, tracked by MITRE, is a threat group that monetizes network access by deploying Ryuk ransomware. Post-Ryuk leadership indicates that Zeon, formerly Conti Team One, operates as a group of elite pentesters for both Akira and LockBit, with a primary focus on the latter. Akira appears to have close ties with the Ryuk side of post-Conti, which led to its relationship with Zeon; Akira's original pentesters deployed Ryuk in the syndicate's early days. Akira has also expanded its expertise by recruiting research and development professionals formerly associated with the Ryuk ransomware group.
Description last updated: 2024-08-14T09:15:56.989Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes

Conti (10 votes): Conti is a possible alias for Ryuk. Conti is a notorious type of malware, specifically ransomware, that infiltrates computer systems to steal data and disrupt operations. The malicious software often spreads through suspicious downloads, emails, or websites, and once inside, it can hold data hostage for ransom. The Conti ransomware op
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Botnet
Ransom
Cybercrime
Extortion
Dropper
Windows
Phishing
Encryption
Bitcoin
Payload
Russia
Encrypt
russian
Trojan
Proxy
T1486
UK
Treasury
ICS
Vulnerability
Clop
Tool
Credentials
Associated Malware
Alias / Description / Association Type / Votes

TrickBot (association type: Unspecified; 11 votes): The TrickBot Malware is associated with Ryuk. TrickBot is a notorious malware that has been used extensively by cybercriminals to exploit and damage computer systems. It operates as a crimeware-as-a-service platform, infecting systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can stea

Emotet (association type: Unspecified; 6 votes): The Emotet Malware is associated with Ryuk. Emotet is a particularly dangerous and insidious type of malware that has reemerged as a significant threat. This malicious software, which infects systems through suspicious downloads, emails, or websites, can steal personal information, disrupt operations, or even hold data for ransom. Emotet-infe

WannaCry (association type: Unspecified; 4 votes): The WannaCry Malware is associated with Ryuk. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting

Lockbit (association type: Unspecified; 4 votes): The Lockbit Malware is associated with Ryuk. LockBit is a notorious malware that operates on a ransomware-as-a-service model, which has been responsible for significant cyber attacks across the globe. One of its most high-profile targets was Boeing, from whom the LockBit gang claimed to have stolen data. This incident not only disrupted operat

Maze (association type: Unspecified; 4 votes): The Maze Malware is associated with Ryuk. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release

Blackbasta (association type: Unspecified; 3 votes): The Blackbasta Malware is associated with Ryuk. BlackBasta is a notorious malware, particularly known for its ransomware attacks. The group behind it has been linked with other harmful software such as IcedID, NetSupport, Gozi, PikaBot, Pushdo, Quantum, Royal, and Nokoyawa. Artifacts and indicators of compromise (IoCs) suggest a possible relation

REvil (association type: Unspecified; 3 votes): The REvil Malware is associated with Ryuk. REvil is a notorious malware, specifically a type of ransomware, that gained prominence in the cybercrime world as part of the Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, establishing relationships between first-stage malwares and subsequent ransomware attac

Emotet, Trickbot (association type: Unspecified; 2 votes): The malware Emotet, Trickbot is associated with Ryuk.

Hive (association type: Unspecified; 2 votes): The Hive Malware is associated with Ryuk. Hive is a form of malware, specifically ransomware, that infiltrates computer systems to exploit and damage them. It gained notoriety when it was used by the cybercriminal group Volt Typhoon to exfiltrate NTDS.dit and SYSTEM registry hive data, allowing them to crack passwords offline. This malware

Diavol (association type: Unspecified; 2 votes): The Diavol Malware is associated with Ryuk. Diavol is a type of malware, specifically ransomware, that infiltrates systems to exploit and cause damage. It can infect systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Diavol can steal personal information, disrupt ope

LockerGoga (association type: Unspecified; 2 votes): The LockerGoga Malware is associated with Ryuk. LockerGoga is a type of malware, specifically ransomware, that infiltrates computer systems and holds data hostage until a ransom is paid. This malicious software was notably deployed in an attack against Norsk Hydro in March 2019. The malware was distributed by the threat group FIN6, which traditio

Akira (association type: Unspecified; 2 votes): The Akira Malware is associated with Ryuk. Akira is a prominent form of malware, specifically a ransomware that has been causing significant disruptions since its emergence. It has been reported that Akira ransomware affiliates have compromised SSLVPN accounts on SonicWall devices as an initial access vector for their attacks. This comes aft

Babuk (association type: Unspecified; 2 votes): The Babuk Malware is associated with Ryuk. Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operatio

Maze Ransomware (association type: Unspecified; 2 votes): The Maze Ransomware Malware is associated with Ryuk. Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for

Bazarloader (association type: Unspecified; 2 votes): The Bazarloader Malware is associated with Ryuk. BazarLoader is a form of malware that has been utilized extensively by ITG23, a cybercriminal group. This harmful software infiltrates systems via suspicious downloads, emails, or websites, potentially stealing personal information, disrupting operations, or holding data for ransom. ITG23 has used B

Dyre (association type: Unspecified; 2 votes): The Dyre Malware is associated with Ryuk. Dyre, also known as Dyreza or Dyzap, is a banking Trojan that was initially designed to monitor online banking transactions with the aim of stealing passwords, money, or both. It first emerged in 2009 and 2010, targeting victim bank accounts held at various U.S.-based financial institutions. These i

Dyreza (association type: Unspecified; 2 votes): The Dyreza Malware is associated with Ryuk. Dyreza, also known as Dyre, is a sophisticated banking trojan malware that has garnered significant attention over the past several years. This malicious software is designed to exploit and damage computer systems, often infecting them through suspicious downloads, emails, or websites without user k
Associated Threat Actors
Alias / Description / Association Type / Votes

Sodinokibi (association type: Unspecified; 3 votes): The Sodinokibi Threat Actor is associated with Ryuk. Sodinokibi, also known as REvil, is a significant threat actor first identified in April 2019. This ransomware family operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st

Alphv (association type: Unspecified; 3 votes): The Alphv Threat Actor is associated with Ryuk. AlphV, also known as BlackCat, is a notorious threat actor that has been active since November 2021. This group pioneered the public leaks business model and has been associated with various ransomware families, including Akira, LockBit, Play, and Basta. AlphV gained significant attention for its la

DarkSide (association type: Unspecified; 3 votes): The DarkSide Threat Actor is associated with Ryuk. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across

FIN7 (association type: Unspecified; 3 votes): The FIN7 Threat Actor is associated with Ryuk. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global

Wizard Spider (association type: Unspecified; 3 votes): The Wizard Spider Threat Actor is associated with Ryuk. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a significant threat actor in the cybercrime landscape. This group has been continually analyzed by IBM Security X-Force researchers for its use of several crypters and is credited with creating the notorious, ev

Conti Team (association type: Unspecified; 2 votes): The Conti Team Threat Actor is associated with Ryuk. The Conti team, a threat actor group known for its malicious activities in the cyber realm, has seen significant developments and transformations over recent years. In September 2022, a splinter group from Conti Team One resurfaced under the name Royal Ransomware, conducting callback phishing attack

UNC1878 (association type: Unspecified; 2 votes): The UNC1878 Threat Actor is associated with Ryuk. UNC1878, tracked by Mandiant and identified by MITRE, is a notable threat actor involved in various cybercrime enterprises. This group is financially motivated and primarily monetizes network access via the deployment of Ryuk ransomware. A significant proportion of post-compromise activity linked to

Blackmatter (association type: Unspecified; 2 votes): The Blackmatter Threat Actor is associated with Ryuk. BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention

Zeon (association type: Unspecified; 2 votes): The Zeon Threat Actor is associated with Ryuk. Zeon, a known threat actor in the cybersecurity landscape, has been linked to several high-profile ransomware attacks. It was instrumental in crypting SVCReady and CargoBay loaders, observed in Quantum and Royal ransomware attacks respectively. Zeon has also employed third-party ransomware such as B
Source Document References
Information about the Ryuk Malware was read from the documents corpus below. This display is limited to 20 results.
Source / Created At

Securityaffairs (4 months ago)
InfoSecurity-magazine (5 months ago)
CERT-EU (7 months ago)
CERT-EU (7 months ago)
BankInfoSecurity (7 months ago)
CERT-EU (7 months ago)
CERT-EU (8 months ago)
CERT-EU (8 months ago)
Securityaffairs (9 months ago)
InfoSecurity-magazine (9 months ago)
CERT-EU (9 months ago)
MITRE (10 months ago)
MITRE (10 months ago)
MITRE (10 months ago)
CERT-EU (10 months ago)
CERT-EU (10 months ago)
CERT-EU (a year ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)