Videos
Check out our video library AppCheck defending against newest ransomware, automatic recovery and real-time backup.
- Distribution Method : Unknown
- MD5 : b0817e2a931d4cb950403b87d1f9cd8c
- Major Detection Name : Ransom:Win32/Ryuk.C!MTB (Microsoft), Ransom.Win32.RYUK.HUZ (Trend Micro)
- Encrypted File Pattern : .RYK
- Malicious File Creation Location :
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.html
- C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html
- Payment Instruction File : RyukReadMe.html
- Major Characteristics :
- Offline Encryption
- Hermes Ransomware series
- Block processes execution (excel, firefoxconfig, oracle, steam, thebat, word etc.)
- Stop multi services (audioendpointbuilder, backup, ekrn, msaccess, samss, veeam etc.)
- Disable system restore (vssadmin Delete Shadows /all /quiet, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=401MB, vssadmin resize shadowstorage /for=<Drive Letter>: /on=<Drive Letter>: /maxsize=unbounded)
- Delete backup files (<Drive Letter>:\*.bac, <Drive Letter>:\*.bak, <Drive Letter>:\*.bkf, <Drive Letter>:\*.dsk, <Drive Letter>:\*.set, <Drive Letter>:\*.VHD, <Drive Letter>:\*.wbcat, <Drive Letter>:\*.win, <Drive Letter>:\Backup*.*, <Drive Letter>:\backup*.*)