Ransomware Family
Ryuk
Overview

The initial foothold is gained through spam e-mail or exploit kits; the Ryuk payload itself is then deployed by hand by the operators once they have mapped the network and collected credentials (see the analysis below).

Once a host is infected, the ransomware searches for and encrypts selected file types, typically documents and media files. When encryption completes it announces itself with a ransom message on screen and/or a text note dropped into the affected folders.

Ransomware Note
Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
More than a year ago, world experts recognized the impossibility of deciphering by any means except the oridinal decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT DELETE readme files.

To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free.

To get info (decrypt your files) contact us at
ibfosontsing[at]protonmail.com
or
ibfosontsing[at]tutanota.com

BTC wallet:
12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

Ryuk
No system is safe
Known emails:

eliasmarco[at]tutanota.com
CamdenScott[at]protonmail.com
AndyMitton[at]protonmail.com
AndyMitton[at]tutanota.com
MelisaPeterman[at]protonmail.com
MelisaPeterman[at]tutanota.com
LindaMccann[at]tutanota.com
LindaMccann[at]protonmail.com
WayneEvanson[at]tutanota.com
WayneEvanson[at]protonmail.com
ibfosontsing[at]tutanota.com
ibfosontsing[at]protonmail.com
Huntingdonu[at]tutanota.com
CharlstonParkwji[at]protonmail.com
Ransomware Extension
.RYK or .rcrypted
Requested Ransom
Reported demands range from 15 to 35 BTC.
Ransomware Decryption Tool
There is no decryption tool available for the latest version of this ransomware at this time. However, you can check these sites:

https://id-ransomware.malwarehunterteam.com

https://www.nomoreransom.org/crypto-sheriff.php

Ryuk is used exclusively for tailored attacks. Its encryption scheme is intentionally built for small-scale operations: only crucial assets and resources are encrypted in each targeted network, and infection and distribution are carried out manually by the attackers. This means that extensive network mapping, hacking and credential collection are required and take place before each operation.

The Ryuk dropper is simple and fairly straightforward. It contains 32- and 64-bit builds of the ransomware, embedded one after the other in the dropper's binary. At the start of execution the dropper generates a random five-letter file name, using srand seeded with GetTickCount, and writes the payload to a directory chosen by the Windows version on the victim's machine: on Windows XP or Windows 2000 the file is created under "\Documents and Settings\Default User\", otherwise under "\users\Public\". If that file creation fails, the dropper falls back to writing the payload into its own directory, using its own file name with the letter 'V' appended as the last character. Both locations and the five-letter naming are useful hunting pivots.

After creating the file, the dropper checks whether it is running under WOW64 (a 32-bit process on 64-bit Windows) and writes the matching payload (32- or 64-bit) depending on the result. Finally, before terminating, the dropper calls ShellExecuteW to execute the Ryuk ransomware payload it has just written.

Upon execution, the Ryuk payload sleeps for several seconds and then checks whether it was started with an argument. If one was passed, it is treated as the path of a file to delete with DeleteFileW; judging by the dropper code, this argument is the path of the dropper itself, so the dropper is removed via the payload. The ransomware then kills more than 40 processes and stops more than 180 services by running taskkill and net stop over a predefined list of process and service names. These mostly belong to antivirus, database, backup and document-editing software, i.e. anything that would hold files open or keep a recoverable copy.

To make sure it runs again after a reboot, Ryuk uses a straightforward persistence technique: it registers itself under the current user's Run key with the following command (reproduced as in the source; the leading "reg add" looks like an extraction artifact, since /C is a cmd.exe switch, and the /d data, the ransomware's own path, is not shown):
'reg add /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d'
Note the value name "svchos", a one-letter-short lookalike of svchost that is easy to overlook in a Run key listing.

It then tries to enable SeDebugPrivilege, which it needs for the subsequent actions, and prepares for injection by building an array of structures. Each entry represents a running process and holds the process name, its PID and a number encoding the account type of its owner (illustrated in a figure in the original Check Point post). Ryuk then iterates over this list and attempts to inject code into each process's address space, skipping processes named "explorer.exe", "csrss.exe" or "lsaas.exe" (sic) and processes running under NT AUTHORITY.

Ryuk uses a rather basic injection technique: it obtains a handle to the target process with OpenProcess and allocates a buffer in its address space with VirtualAllocEx. The buffer has the size of the malware's own image and is requested at the same base address the image occupies in the Ryuk process.

It then writes its current in-memory image into that buffer and creates a thread in the target process to run it (the thread's actions are described in the source post). Because the image is copied into a buffer at a predefined base address, with no proper relocation step, Ryuk accepts the risk that the requested address is already in use in the target, in which case the allocation fails and the injected code never runs in that process. From a detection standpoint this shows up as the dropped five-letter executable opening handles to, and creating threads in, many unrelated processes.

In addition to local drives, Ryuk also tries to encrypt network resources. It starts their enumeration by calling WNetOpenEnum, then allocates a zero-initialized buffer that is filled by a call to WNetEnumResource. If an enumerated resource is a container for other resources, the ransomware calls its enumeration function recursively. Each resource name found is appended, semicolon-separated, to a list that is later used to encrypt those network resources.

Finally, Ryuk will destroy its encryption key and execute a .BAT file that will delete shadow copies and various backup files from the disk.
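As a defensive counterpart to the behaviour described above (the process/service kill storm, the "svchos" Run-key lookalike, thread creation in other processes from the dropper's drop directory, and shadow-copy deletion), the following detector is an added example written for this page; it is not code from Check Point or from the page's author. It runs offline over a handful of constructed Sysmon-style event lines embedded in the block (EventID 1 process creation, 8 CreateRemoteThread, 13 registry value set); the flat key="value" line format is a simplification for the example, not Sysmon's real output. Assumptions beyond what the page states: the exact taskkill /IM ... /F and net stop ... /y switches, the vssadmin/wmic shadow-copy commands (the page does not reproduce the .BAT), and the generalisation of the "svchos" observation to any Run value within one edit of a core Windows binary name. The five-letter name under \users\Public comes from the dropper description above.

```python
# Added example (not from the page or Check Point): flags Ryuk-style artifacts
# in Sysmon-like process, registry and remote-thread events. Offline, stdlib only.
import re
from collections import defaultdict

KILL_BURST_THRESHOLD = 5  # taskkill/net stop commands from one parent before alerting
RUN_VALUE_TARGETS = ("svchost", "lsass", "csrss", "explorer")  # names a lookalike mimics
DROPPER_DIRS = ("\\users\\public\\", "\\documents and settings\\default user\\")
FIVE_LETTERS = re.compile(r"[a-z]{5}")
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="v with spaces"

# Constructed sample telemetry (assumed flat format, not real Sysmon output).
# Parent {P1} is the ransomware; {P2} is an admin stopping one service by hand.
SAMPLE_EVENTS = r"""
EventID=1 Time=10:00:01 ParentGuid={P1} CommandLine="taskkill /IM sqlwriter.exe /F"
EventID=1 Time=10:00:01 ParentGuid={P1} CommandLine="taskkill /IM sqlservr.exe /F"
EventID=1 Time=10:00:02 ParentGuid={P1} CommandLine="net stop SQLWriter /y"
EventID=1 Time=10:00:02 ParentGuid={P1} CommandLine="net stop VeeamBackupSvc /y"
EventID=1 Time=10:00:02 ParentGuid={P1} CommandLine="net stop MSExchangeIS /y"
EventID=1 Time=10:00:03 ParentGuid={P1} CommandLine="taskkill /IM outlook.exe /F"
EventID=1 Time=10:00:05 ParentGuid={P1} CommandLine="cmd /C REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svchos /t REG_SZ /d C:\users\Public\kTsqR.exe"
EventID=13 Time=10:00:05 TargetObject="HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos" Details="C:\users\Public\kTsqR.exe"
EventID=8 Time=10:00:07 SourceImage="C:\users\Public\kTsqR.exe" TargetImage="C:\Program Files\Acme\agent.exe"
EventID=1 Time=10:00:09 ParentGuid={P1} CommandLine="vssadmin delete shadows /all /quiet"
EventID=1 Time=09:30:00 ParentGuid={P2} CommandLine="net stop Spooler"
EventID=13 Time=09:31:00 TargetObject="HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive" Details="C:\Users\alice\OneDrive.exe"
EventID=8 Time=09:32:00 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\explorer.exe"
"""


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in _FIELD.findall(line)}


def _tokens(cmd):
    """Lower-case tokens, with the image path reduced to its basename sans .exe."""
    parts = cmd.split()
    if not parts:
        return []
    exe = parts[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return [exe] + [p.lower() for p in parts[1:]]


def _edit_distance(a, b):
    """Levenshtein distance, used for the Run-value lookalike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_run_value_lookalike(name):
    """True if a Run value name is within one edit of a core Windows binary name."""
    return any(_edit_distance(name.lower(), t) <= 1 for t in RUN_VALUE_TARGETS)


def _run_value_from_reg_add(tokens):
    """Return the /v name from 'reg add ...\\Run ... /v NAME ...', else None."""
    if "reg" not in tokens or "/v" not in tokens:
        return None
    i, j = tokens.index("reg"), tokens.index("/v")
    if tokens[i + 1:i + 2] != ["add"] or j + 1 >= len(tokens):
        return None
    if not any(t.strip('"').endswith("\\run") for t in tokens):
        return None
    return tokens[j + 1].strip('"')


def detect(text):
    """Return a list of (rule, detail) findings for the event lines in text."""
    findings, kills = [], defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "1":
            cmd = ev.get("CommandLine", "")
            toks = _tokens(cmd)
            if toks[:1] == ["taskkill"] or toks[:2] == ["net", "stop"]:
                kills[ev.get("ParentGuid", "?")].append(cmd)
            elif toks[:3] in (["vssadmin", "delete", "shadows"], ["wmic", "shadowcopy", "delete"]):
                findings.append(("shadow_copy_deletion", cmd))
            name = _run_value_from_reg_add(toks)
            if name and is_run_value_lookalike(name):
                findings.append(("run_key_lookalike", name))
        elif eid == "13":
            head, _, name = ev.get("TargetObject", "").rpartition("\\")
            if head.lower().endswith("\\currentversion\\run") and is_run_value_lookalike(name):
                findings.append(("run_key_lookalike", name))
        elif eid == "8":
            src = ev.get("SourceImage", "")
            stem = src.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if any(d in src.lower() for d in DROPPER_DIRS) and FIVE_LETTERS.fullmatch(stem):
                findings.append(("remote_thread_from_drop_dir", src))
    # A single 'net stop' by an admin is normal; dozens from one parent are not.
    for parent, cmds in kills.items():
        if len(cmds) >= KILL_BURST_THRESHOLD:
            findings.append(("kill_burst", f"{parent}: {len(cmds)} taskkill/net stop commands"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}")
```

The burst rule keys on the parent process rather than on any individual command, because each taskkill or net stop is legitimate on its own; what is abnormal is the volume from one parent. The Run-key rule fires twice for the sample, once from the command line and once from the registry event, which is deliberate: either source alone is enough, and both together survive if one log is tampered with or not collected.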
IOCs
Ryuk Ransomware hashes (MD5):
c0202cf6aeab8437c638533d14563d35
d348f536e214a47655af387408b4fca5
958c594909933d4c82e93c22850194aa
86c314bc2dc37ba84f7364acd5108c2b
29340643ca2e6677c19e1d3bf351d654
cb0c1248d3899358a375888bb4e8f3fe
1354ac0d5be0c8d03f4e3aba78d2223e
Source: Ryuk Ransomware: A Targeted Campaign Break-Down (Check Point Research)
User
upnorth