RYUK, a highly targeted ransomware campaign has been rearing its head over the past weeks. The campaign has targeted multiple enterprises and encrypted hundreds of PC’s. The RYUK campaign shows considerable similarities to the HERMES ransomware, and is supposedly linked to the notorious Lazarus Group.
While investigating the campaign, Check Point researchers found that: „Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, RYUK is used exclusively for tailored attacks.” In other words, the malware only targets selected organizations and uses spear-phishing email’s or capitalizes on ill-protected RDC’s connected to the Internet.
Another significant difference from other ransomware is that RYUK skips on renaming or altering the encrypted files but creates a RyukReadMe.txt file which copies itself to each and every folder on the device.
The LogPoint RYUK malware application provides you with a comprehensive package to detect any malware infection in just a few simple steps. The list of updated IoC’s required to run the application are as follows.
Ryuk Ransomware hashes (MD5):
Malware Dropper hashes (MD5):
Log Source Requirements
Windows Server/Integrity Scanner
- Detects malicious file installation and malware infected hosts