New Ryuk Ransomware Sample Targets Webservers | McAfee Blog

McAfee Labs describes a new Ryuk sample that specifically targets webservers, encrypts files with AES-256 while protecting the symmetric key with RSA-2048/4096, and forces victims to use Tor to contact operators while printing multiple copies of the ransom note. Initial access is tailored (spear-phishing, public-facing exploits, stolen/valid credentials, or follow-on from Emotet/TrickBot) and defenders should watch for post-exploitation tooling and abnormal WMIC activity. #Ryuk #Webservers

Keypoints

  • Ryuk encrypts file contents with AES-256 and encrypts the AES key with an RSA public key (2048- or 4096-bit); private key released only after ransom payment.
  • The latest sample specifically targets web servers; the malware prints 50 copies of the ransom note and instructs victims to install Tor to contact operators.
  • Common initial access vectors include spear-phishing (T1566.001), exploitation of public-facing applications (T1190), use of valid accounts (T1078), and follow-on from commodity loaders like Emotet and TrickBot.
  • Post-exploitation leverages open-source pentest and dual-use tools (winPEAS, Lazagne, Bloodhound, SharpHound) and commercial/hacking frameworks (Cobalt Strike, Metasploit, Empire, Covenant) for discovery and lateral movement.
  • Defenders should monitor for abnormal usage of WMIC (T1047) and legitimate admin tools (ADfind, PSExec, PowerShell) being used for malicious purposes.
  • Mitigations include patching public-facing systems, enforcing MFA and robust credential management, hardening RDP, and updating endpoint protection with tamper protection and rollback features (see ENS 10.7 guidance).

MITRE Techniques

  • [T1566.001] Spearphishing – used as a tailored initial access vector: ‘E-mail Spear phishing (T1566.001) often used to directly engage and/or gain an initial foothold.’
  • [T1190] Exploit Public-Facing Application – actors exploit internet-facing software to gain entry: ‘Exploit Public-Facing Application (T1190) is another common entry vector…’
  • [T1078] Valid Accounts – attackers use compromised/valid credentials to move laterally or access remote systems: ‘Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold.’
  • [T1047] Windows Management Instrumentation – abnormal use of WMIC observed during post-exploitation: ‘…be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047).’

Indicators of Compromise

  • [Detection/Signature] McAfee detection name – Ransom-Ryuk![partial-hash] (article notes this detection label for Ryuk samples).
  • [Report/Artifact] Technical analysis PDF – rp-ryuk-ransomware-targeting-webservers.pdf (McAfee technical analysis referenced for IOCs and Yara rules).
  • [YARA/Rules] Yara rule referenced – article states a Yara rule is available in the detailed technical analysis (no specific rule text or hashes published in the article itself).

Ryuk uses a hybrid encryption procedure: it generates an AES-256 symmetric key to encrypt file contents, then encrypts that symmetric key with an RSA public key (2048- or 4096-bit). Decryption requires the corresponding RSA private key, which the operators promise to deliver only after ransom payment; the sample also prints 50 copies of the ransom note to the default printer and instructs victims to use the Tor browser to contact the actors.

Initial compromise is highly targeted and tailored to victims: observed entry vectors include spear-phishing (T1566.001), exploitation of public-facing applications (T1190), and use of valid/stolen credentials (T1078). Ryuk campaigns frequently follow infections by commodity loaders like Emotet and TrickBot, which act as initial footholds and credential harvesters; defenders should assume multi-stage intrusion chains where a loader delivers access for follow-on ransomware deployment.

During post-exploitation Ryuk operators employ reconnaissance and lateral movement tools—open-source pentest utilities (winPEAS, Lazagne, Bloodhound, SharpHound) and offensive frameworks (Cobalt Strike, Metasploit, Empire, Covenant)—and abuse dual-use admin tooling (ADfind, PSExec, PowerShell). Monitor for abnormal WMIC activity (T1047) and misuse of legitimate admin utilities. Mitigations: apply timely patches on public-facing services, enforce MFA and strong credential hygiene, harden RDP, and keep endpoint protection updated with tamper protection and rollback enabled (see ENS 10.7 configuration guidance); consult the McAfee technical analysis for full IOCs and Yara rules.
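The detection advice above (abnormal WMIC use, T1047, and misuse of PsExec, AdFind and PowerShell, plus shells spawned by a web-server worker process on a targeted webserver) can be turned into a first-pass triage rule set. The following is an added example written for this summary, not code from the McAfee article or its technical analysis; the log lines are constructed, the `host=… cmdline=…` field layout, the `WEB_WORKERS` process list and the severity labels are assumptions for illustration, and only T1047 is a technique ID the article itself cites.

```python
"""Triage constructed process-creation events for the Ryuk post-exploitation
patterns described above: abnormal WMIC use (T1047), PsExec/AdFind/encoded
PowerShell misuse, and a web-server worker process spawning a shell."""
import re
from dataclasses import dataclass

# Constructed sample log (Sysmon/EDR-style process-creation events flattened
# to key=value; cmdline is always the last field so it may contain spaces).
# These lines are invented for the example and are not from the article.
SAMPLE_LOG = r"""
host=WEB01 user=CORP\svc_web parent=w3wp.exe image=cmd.exe cmdline=cmd.exe /c whoami
host=WEB01 user=CORP\svc_web parent=cmd.exe image=wmic.exe cmdline=wmic /node:FS01 process call create "cmd.exe /c powershell -enc SQBFAFgAIAAoAE4A"
host=ADM02 user=CORP\jsmith parent=explorer.exe image=wmic.exe cmdline=wmic os get caption,version
host=FS01 user=CORP\svc_web parent=services.exe image=PSEXESVC.exe cmdline=C:\Windows\PSEXESVC.exe
host=WEB01 user=CORP\svc_web parent=cmd.exe image=AdFind.exe cmdline=adfind.exe -f objectcategory=computer -csv
host=ADM02 user=CORP\jsmith parent=explorer.exe image=powershell.exe cmdline=powershell.exe -File C:\scripts\backup.ps1
""".strip().splitlines()

# Assumed names of web-server worker processes; extend for your own stack.
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat9.exe", "php-cgi.exe"}
# Interpreters a worker process has no business launching on a webserver.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}

# (pattern over the lower-cased command line, tag, reason, severity).
# Plain local "wmic os get ..." inventory queries deliberately do not match:
# the abnormal part is remote targeting (/node:) and process creation.
RULES = [
    (re.compile(r"^wmic(\.exe)?\b.*\s/node:"), "T1047",
     "WMIC targeting a remote host (/node:)", "high"),
    (re.compile(r"^wmic(\.exe)?\b.*\bprocess\s+call\s+create\b"), "T1047",
     "WMIC remote/local process creation", "high"),
    (re.compile(r"\bpsexe(c|c64|svc)\.exe\b"), "dual-use-tool",
     "PsExec client or PSEXESVC service (lateral movement)", "high"),
    (re.compile(r"\badfind(\.exe)?\b"), "dual-use-tool",
     "AdFind Active Directory enumeration", "medium"),
    (re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b"), "dual-use-tool",
     "PowerShell launched with an encoded command", "medium"),
]


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    reason: str
    severity: str


def parse_event(line):
    """Split one key=value line into a dict; everything after ' cmdline=' is the command line."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(tok.split("=", 1) for tok in head.split())
    fields["cmdline"] = cmdline
    return fields


def triage(lines):
    """Return a Finding for every rule hit; one event may yield several findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev["cmdline"].lower()
        parent, image = ev["parent"].lower(), ev["image"].lower()
        # Parent/child relationship: a worker process spawning a shell is the
        # classic follow-on to exploitation of a public-facing application.
        if parent in WEB_WORKERS and image in SHELLS:
            findings.append(Finding(ev["host"], ev["user"], "web-worker-spawned-shell",
                                    f"{ev['parent']} spawned {ev['image']}", "high"))
        for pattern, technique, reason, severity in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], technique, reason, severity))
    return findings


def hosts_by_severity(findings):
    """Group affected hosts by severity so the highest-priority boxes surface first."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.severity, set()).add(f.host)
    return {sev: sorted(hosts) for sev, hosts in grouped.items()}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.host:6} {f.user:15} {f.technique:25} {f.reason}")
    print(hosts_by_severity(results))
```

The value of the rule set is in what it does not flag as much as what it does: the local `wmic os get` inventory query and the scheduled `powershell -File` backup script pass, while the `/node:` plus `process call create` invocation, the `PSEXESVC.exe` service on the file server and the AdFind sweep from the same service account surface together, which is the multi-host pattern the paragraph above tells defenders to look for.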

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-ryuk-ransomware-sample%e2%80%aftargets-webservers/