Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : 0d194b223e038d4c652484549f613763
- Major Detection Name : Generic.Ransom.Ryuk3.84BB3536 (BitDefender), Ransom.Ryuk (Malwarebytes)
- Encrypted File Pattern : .RYK
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.html
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html
- C:\Users\Public\sys
- Payment Instruction File : RyukReadMe.html
- Major Characteristics :
- Offline Encryption
- Hermes Ransomware series
- Block processes execution (backup, excel, firefoxconfig, msaccess, outlook, steam etc.)
- Stop multi services (acronis, antivirus, audioendpointbuilder, ekrn, mcshield, samss, sophos, unistoresvc_38877, veeam etc.)
- Disable system restore (vssadmin Delete Shadows /all /quiet, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded)
- Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\*.dsk, <Drive Letter>:\*.set, <Drive Letter>:\*.VHD, <Drive Letter>:\*.wbcat, <Drive Letter>:\*.win, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)