👇🏻🚨👇🏻 https://twitter.com/briankrebs/status/1321550140474331136
Listen to me - this is CRITICAL

👇🏻Ryuk Ransomware👇🏻

“..deployed as a payload from banking Trojans such as Trickbot. Ryuk first appeared in Aug 2018 as a derivative of Hermes 2.1 ransomware... Ryuk still retains some aspects of the Hermes code“

“all of the files encrypted by Ryuk contain the HERMES tag but, in some infections, files have .ryuk added to the filename.. In other parts of the ransomware code, Ryuk has removed or replaced features of Hermes, suchrestriction against targeting specific Eurasia-based systems”
Today’s joint alert is probably one of the most critical and slightly terrifying I’ve read- if you recall in 2019 I created this thread & walked you through how gnarly Ryuk is
so consider this 2019 thread a placemarker https://twitter.com/File411/status/1198674431700283393?s=20
In March 2020 I then created this massively long & sourced thread. At the time I thought that Ryuk had gone fallow but seeing today’s alert is like a zero day the fucking cyber sky is falling -
👇🏻 this is BAD VERY VERY BAD👇🏻
https://us-cert.cisa.gov/ncas/alerts/aa20-302a https://twitter.com/File411/status/1236769571769593857?s=20
“Ryuk actors will commonly use commercial off-the-shelf products, such as Cobalt Strike and PowerShell Empire, in order to steal credentials.. quickly map the network in order to enumerate the environment to understand the scope of the infection“
The main reasons I think Ryuk is very bad is the ability of actors to accurately map out a target’s network. Once they are in- you have no idea how far they are in and/or their ability to hide
Yes I know that’s over simplification of this complex malware
Oct 18 2020 DFIR published this report
it’s easily one of the most detailed I’ve read
the speed is nothing short of breathtaking, NOT in a good way
2017/2018 Ryuk was originally thought to be N Korea but the cyber-sec community —> RUSSIA
Ryuk in 5 Hours https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
You can follow @File411.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled: