👇🏻🚨👇🏻 https://twitter.com/briankrebs/status/1321550140474331136
Listen to me - this is CRITICAL

👇🏻 Ryuk Ransomware 👇🏻

“..deployed as a payload from banking Trojans such as Trickbot. Ryuk first appeared in Aug 2018 as a derivative of Hermes 2.1 ransomware... Ryuk still retains some aspects of the Hermes code“

https://us-cert.cisa.gov/ncas/alerts/aa20-302a
“all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, files have .ryuk added to the filename.. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, such as the restriction against targeting specific Eurasia-based systems”
Today’s joint alert is probably one of the most critical and slightly terrifying I’ve read - if you recall, in 2019 I created this thread & walked you through how gnarly Ryuk is
so consider this 2019 thread a placemarker https://twitter.com/File411/status/1198674431700283393?s=20
In March 2020 I then created this massively long & sourced thread. At the time I thought that Ryuk had gone fallow but seeing today’s alert is like a zero day the fucking cyber sky is falling -
👇🏻 this is BAD VERY VERY BAD 👇🏻
https://us-cert.cisa.gov/ncas/alerts/aa20-302a https://twitter.com/File411/status/1236769571769593857?s=20
“Ryuk actors will commonly use commercial off-the-shelf products, such as Cobalt Strike and PowerShell Empire, in order to steal credentials.. quickly map the network in order to enumerate the environment to understand the scope of the infection“
VERY BAD
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
The main reason I think Ryuk is very bad is the ability of actors to accurately map out a target’s network. Once they are in - you have no idea how far they are in and/or their ability to hide
Yes I know that’s over simplification of this complex malware
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
Oct 18 2020 DFIR published this report
it’s easily one of the most detailed I’ve read
the speed is nothing short of breathtaking, NOT in a good way
2017/2018 Ryuk was originally thought to be N Korea but the cyber-sec community —> RUSSIA
Ryuk in 5 Hours https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
“New Jersey, Georgia, Florida, Massachusetts, Texas and Arkansas, according to data provided by @prevailion.”
“It’s abundantly clear that the group is really zeroing in on US hospitals,” said Karim Hijazi, Prevailion’s chief executive.

https://www.seattletimes.com/nation-world/nation/hackers-bearing-down-on-u-s-hospitals-have-more-attacks-planned/ https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
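As an added example (not part of the thread, and not CISA's or DFIR's own tooling): a small Python triage scan for the two file-level Ryuk indicators the quoted alert names, the `.ryuk` extension and the HERMES tag. Where in an encrypted file the tag sits is not stated on the page, so the scan assumes it is near the end of the file and only inspects a trailer window (`TRAILER_BYTES`, an assumed size); the sample files it scans are constructed here, not from a real incident. A hit is a lead for incident response, not a verdict.

```python
"""Triage scan for the Ryuk file-level indicators quoted in the thread (added example)."""
import tempfile
from pathlib import Path

# Both indicators come from the CISA excerpt quoted above (AA20-302A).
RYUK_EXTENSION = ".ryuk"
HERMES_MARKER = b"HERMES"
# Assumption (not stated on the page): the marker is looked for only in the
# last TRAILER_BYTES of a file, so that documents which merely mention the
# word HERMES in their body are not flagged.
TRAILER_BYTES = 4096
# Deterministic filler for the constructed sample files; it never contains
# the byte sequence b"HERMES" (the bytes are strictly ascending).
FILLER = bytes(range(256)) * 8


def file_indicators(path, trailer_bytes=TRAILER_BYTES):
    """Return the indicator names matching a single file, in a fixed order."""
    path = Path(path)
    hits = []
    if path.suffix.lower() == RYUK_EXTENSION:
        hits.append("ryuk_extension")
    size = path.stat().st_size
    with path.open("rb") as fh:
        fh.seek(max(0, size - trailer_bytes))  # read only the trailer window
        if HERMES_MARKER in fh.read():
            hits.append("hermes_marker")
    return hits


def scan_tree(root):
    """Walk a directory tree and map POSIX-style relative paths to their hits."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = file_indicators(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(base):
    """Write a constructed file set (sample data, not from a real incident)."""
    base = Path(base)
    (base / "share").mkdir()
    # Renamed file with the trailer marker: both indicators should fire.
    (base / "report.docx.ryuk").write_bytes(FILLER + HERMES_MARKER + FILLER[:256])
    # Marker present but the filename untouched (the alert says this happens).
    (base / "share" / "backup.bak").write_bytes(FILLER[:500] + HERMES_MARKER + FILLER[:256])
    # Benign small text file: no indicator.
    (base / "notes.txt").write_bytes(b"meeting notes, nothing unusual\n")
    # Benign large file that mentions HERMES at the start, outside the
    # trailer window: must not be flagged.
    (base / "big_doc.txt").write_bytes(b"HERMES was a Greek god. " + b"x" * 10000)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(rel_path, hits)
```

Point `scan_tree` at a mounted share or a forensic image mount to get a first list of candidate files; the extension check alone would miss the infections the alert describes where the filename is left unchanged, which is why the trailer check is there.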