RYUK, a highly targeted ransomware campaign has been rearing its head over the past weeks. The campaign has targeted multiple enterprises and encrypted hundreds of PC’s. The RYUK campaign shows considerable similarities to the HERMES ransomware, and is supposedly linked to the notorious Lazarus Group.  

While investigating the campaign, Check Point researchers found that: “Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, RYUK is used exclusively for tailored attacks.” In other words, the malware only targets selected organizations and uses spear-phishing email’s or capitalizes on ill-protected RDC’s connected to the Internet.

Another significant difference from other ransomware is that RYUK skips on renaming or altering the encrypted files but creates a RyukReadMe.txt file which copies itself to each and every folder on the device.

The LogPoint RYUK malware application provides you with a comprehensive package to detect any malware infection in just a few simple steps. The list of updated IoC’s required to run the application are as follows.

Ryuk Ransomware hashes (MD5):

  • c0202cf6aeab8437c638533d14563d35
  • d348f536e214a47655af387408b4fca5
  • 958c594909933d4c82e93c22850194aa
  • 86c314bc2dc37ba84f7364acd5108c2b
  • 29340643ca2e6677c19e1d3bf351d654
  • cb0c1248d3899358a375888bb4e8f3fe
  • 1354ac0d5be0c8d03f4e3aba78d2223e

Malware Dropper hashes (MD5):

  • 5ac0f050f93f86e69026faea1fbb4450

Log Source Requirements

Windows Server/Integrity Scanner

  • Detects malicious file installation and malware infected hosts