How the Ryuk ransomware that targets businesses works


Ryuk is one of the best-known ransomware families of the last few years. Since it first appeared in the summer of 2018 it has accumulated an impressive list of victims, above all in the business sector, which is its main target.

1. General information

This document contains an analysis of a Ryuk ransomware variant and of the loader responsible for placing the malware on the system.

Ryuk first appeared in the summer of 2018. One of the differences between Ryuk and other ransomware is that it is aimed at corporate environments.

In November 2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware [1][2].

Figure 1: Screenshot from El Confidencial about the Ryuk ransomware attack [1]

Figure 2: Screenshot from El País about the attack carried out with Ryuk ransomware [2]
In the same year Ryuk attacked a large number of companies in different countries. As the figures below show, Germany, China, Algeria and India were the hardest hit.

Comparing the number of cyberattacks, we can see that Ryuk affected millions of users and compromised a huge amount of data, causing serious economic losses.

Figure 3: Example of Ryuk's global activity

Figure 4: The 16 countries most affected by Ryuk

Figure 5: Number of users attacked by Ryuk ransomware (in millions)

Following the usual operating principle of this kind of threat, once encryption is complete the ransomware shows the victim a ransom note: a payment in bitcoin must be made to a specified address to regain access to the encrypted files.

This malware has changed since it was first introduced. The variant analysed in this document was discovered during an attempted attack in January 2020.

Because of its sophistication, this malware is usually attributed to organised cybercriminal groups, also known as APT groups.

Part of the Ryuk code is clearly similar in code and structure to another well-known ransomware, Hermes, with which it shares a number of functions. This is why Ryuk was initially linked to the North Korean Lazarus group, which at the time was suspected of being behind the Hermes ransomware.

CrowdStrike's Falcon X service later observed that Ryuk was in fact created by the group WIZARD SPIDER [4].

There is some evidence supporting this attribution. First, this ransomware was advertised on exploit.in, a well-known Russian malware marketplace that had already been linked to some Russian APT groups. This rules out the theory that Ryuk could have been developed by the Lazarus APT group, since it does not fit the way that group operates.

Furthermore, Ryuk was advertised as ransomware that would not run on Russian, Ukrainian or Belarusian systems. This behaviour is determined by a feature found in some Ryuk versions: it checks the language of the system it is running on and aborts if the system language is Russian, Ukrainian or Belarusian. Finally, expert analysis of a machine compromised by WIZARD SPIDER revealed several artefacts allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, researchers Gabriela Nicolao and Luciano Martins suggested that the ransomware may have been created by the APT group CryptoTech [5]. This follows from the fact that, several months before Ryuk appeared, this group posted on the forum of the same site that they had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech had actually created Ryuk. The group then defended itself, stating that it had proof that it had written 100% of the ransomware.

2. Characteristics

We start with the loader, whose job is to identify the system it is running on so that the "correct" version of the Ryuk ransomware can be launched. The loader's hashes are:

MD5: A73130B0E379A989CBA3D695A157A495
SHA256: EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One notable feature of this downloader is that it contains no metadata at all: the authors of this malware did not include any information in it.

Malware authors sometimes include fake metadata to trick the user into believing they are running a legitimate application. However, as we will see later, when the infection does not involve user interaction (as is the case with this ransomware), the attackers do not consider metadata necessary.

Figure 6: Sample metadata

The sample is compiled as a 32-bit binary so that it can run on both 32-bit and 64-bit systems.

3. Intrusion vector

The sample that downloads and runs Ryuk entered our systems through a remote connection; the access credentials had been obtained through a prior RDP attack.

Figure 7: Attack log

The attacker managed to log in to the system remotely. He then created an executable file containing our sample. The antivirus solution blocked this executable before it could run.

Figure 8: Process blocked

Figure 9: Process blocked

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was blocked as well.

Figure 10: Set of samples the attacker tried to run

Finally, he tried to download another malicious file through an encoded PowerShell command line in order to bypass antivirus protection. That was blocked too.

Figure 11: PowerShell with malicious content blocked

Figure 12: PowerShell with malicious content blocked
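The intrusion above began with a password-guessing attack on RDP followed by a successful logon with the guessed credentials. The following detection, an added example that is not part of the PandaLabs report, looks for exactly that sequence in Windows Security events: a burst of failed RDP logons (event 4625, LogonType 10) from one source address followed by a successful one (event 4624). The event lines are constructed for this example; the threshold and window are assumptions to tune for your environment.

```python
"""Added example (not part of the PandaLabs report): flag an RDP password-
guessing run that ends in a successful logon. The input is constructed here;
field names follow Windows Security events 4625 (failed logon) and 4624
(successful logon), with LogonType 10 = RemoteInteractive, i.e. RDP."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures then a success from one address, plus noise
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2020-01-14T02:10:03", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "administrador", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:10:31", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "administrador", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:11:02", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:11:40", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "admin", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:12:15", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "soporte", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:12:58", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "soporte", "IpAddress": "203.0.113.45"},
    {"time": "2020-01-14T02:13:40", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "soporte", "IpAddress": "203.0.113.45"},
    # A normal RDP logon and an isolated typo must not trip the rule
    {"time": "2020-01-14T02:20:00", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jsmith", "IpAddress": "10.0.0.8"},
    {"time": "2020-01-14T03:00:00", "EventID": 4625, "LogonType": 10,
     "TargetUserName": "jsmith", "IpAddress": "10.0.0.8"},
])


def parse_events(text):
    """Parse JSON lines into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Report a source that logs on over RDP (4624, type 10) after at least
    `threshold` failed RDP logons from the same address within `window`.
    A success right after a burst of failures is the strong signal; the
    account names tried are kept so the responder knows what was guessed."""
    failures = defaultdict(deque)   # source ip -> (time, account) in window
    alerts = []
    for e in events:
        if e.get("LogonType") != 10:
            continue
        ip = e["IpAddress"]
        q = failures[ip]
        while q and e["time"] - q[0][0] > window:
            q.popleft()                 # drop failures older than the window
        if e["EventID"] == 4625:
            q.append((e["time"], e["TargetUserName"]))
        elif e["EventID"] == 4624 and len(q) >= threshold:
            alerts.append({
                "source_ip": ip,
                "account": e["TargetUserName"],
                "failures_before_success": len(q),
                "accounts_tried": sorted({a for _, a in q}),
                "success_at": e["time"].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The rule deliberately keys on the success, not on the failures alone: failed-logon floods are noisy, while a success from an address that has just failed repeatedly is what turns "someone is knocking" into "someone is in", and is the point at which the RDP session should be cut and the account's credentials rotated.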

4. Loader

When executed, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an email address in the protonmail domain, which is very common in this malware family: [email protected]

Figure 13: Ransom demand

While the loader runs, it can be seen launching several executables with random names. They are stored in the PUBLIC folder as hidden files, so unless the "Show hidden files and folders" option is enabled in the operating system they remain invisible. In addition, these files are 64-bit, unlike the parent file, which is 32-bit.

Figure 14: Files launched by the sample

As the image above shows, Ryuk launches icacls.exe, which is used to modify all ACLs (access control lists) and thus guarantee access to the files and the ability to change their attributes.

It grants all users full access to every file on the machine, recursively (/T), ignoring errors (/C) and without displaying any messages (/Q).

Figure 15: Execution parameters of icacls.exe launched by the sample

It is important to note that Ryuk checks which version of Windows it is running on. To do this it calls GetVersionExW and inspects the OSVERSIONINFO structure returned through lpVersionInformation to determine whether the current Windows version is newer than Windows XP.


Depending on whether a version later than Windows XP is running, the loader writes to the local user folder, in this case the %Public% folder.

Figure 17: Checking the operating system version

The file written is Ryuk itself. The loader then runs it, passing its own path as a parameter.

Figure 18: Running Ryuk via ShellExecute

The first thing Ryuk does is read its input parameters. In this case there are two (the executable itself and the dropper's path), and they are used to remove its own traces.

Figure 19: Process creation

It can also be seen that, once it has finished running its executables, it deletes itself, leaving no trace of its presence in the folder from which it was executed.

Figure 20: Deleting the file

5. RYUK

5.1 Persistence
Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way of achieving this is to create and run executables covertly. The most common technique for this is to modify the CurrentVersion\Run registry key. In this case, the first file launched for that purpose, VWjRF.exe (the file name is generated randomly), launches cmd.exe.

Figure 21: Running VWjRF.exe

It then adds a value to the RUN key under the name "svchos". Anyone reviewing the registry keys later can easily miss this change, given how closely the name resembles svchost. Through this key, Ryuk ensures its persistence on the system: if the ransomware has not yet run to completion, the executable will try again on the next reboot.

Figure 22: The sample establishes persistence in the registry key

We can also see that this executable stops two services:
"audioendpointbuilder" (Windows Audio Endpoint Builder), which, as its name suggests, belongs to the system audio subsystem,

Figure 23: The sample stops the system audio service

and "samss" (Security Accounts Manager), the account management service. Stopping these two services is characteristic of Ryuk. According to the authors, if the system is connected to a SIEM, the ransomware thereby attempts to stop alerts being sent to it, protecting its next steps, since some SAM-dependent services cannot start correctly after Ryuk has run.

Figure 24: The sample stops the samss service
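The loader and persistence behaviour described in section 4 and in 5.1 (the icacls call that opens every file to Everyone, the Run value whose name mimics svchost, and the stops of the audio and SAM services) is all visible in process-creation telemetry. The following detections are an added example and not part of the PandaLabs report; they run over constructed Sysmon-style events whose command lines are assumed shapes that would produce the effects the report describes, not strings copied from the sample.

```python
"""Added example, not part of the PandaLabs report: detections for the loader
and persistence behaviour described in sections 4 and 5.1, run over
constructed process-creation events. The command lines are assumed shapes
that would produce the effects the report describes (icacls with /T /C /Q,
a Run value named "svchos", stops of AudioEndpointBuilder and samss); they
are not copied from the sample."""
import difflib
import ntpath
import re

# Constructed Sysmon-style events (Image, CommandLine); all are assumptions
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls.exe "C:\*" /grant Everyone:F /T /C /Q'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                    r' /v svchos /t REG_SZ /d "C:\Users\Public\VWjRF.exe" /f'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop audioendpointbuilder"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop samss"},
    # Benign look-alikes that must not fire
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls.exe "D:\Share" /grant Users:R'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
                    r' /v OneDrive /d "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f'},
]

LEGIT_NAMES = {"svchost", "csrss", "lsass", "explorer", "services", "winlogon", "wininit"}
RYUK_STOPPED_SERVICES = {"audioendpointbuilder", "samss"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def base(token):
    return ntpath.basename(token).lower()


def check_icacls(tokens):
    """icacls granting Everyone full control over a tree is the ACL reset
    the report describes (/T recursive, /C ignore errors, /Q quiet)."""
    if base(tokens[0]) != "icacls.exe":
        return None
    low = [t.lower() for t in tokens]
    grants_everyone = any(low[i] == "/grant" and low[i + 1] in ("everyone:f", "*s-1-1-0:f")
                          for i in range(len(low) - 1))
    if grants_everyone and "/t" in low:
        quiet = " silently (/C /Q)" if "/c" in low and "/q" in low else ""
        return "icacls grants Everyone full control recursively" + quiet
    return None


def check_run_key(tokens):
    """A Run value named like a system binary (svchos ~ svchost)."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low):
        if base(t) in ("reg", "reg.exe") and i + 2 < len(low) and low[i + 1] == "add":
            if not low[i + 2].endswith(r"\currentversion\run") or "/v" not in low:
                return None
            vi = low.index("/v")
            if vi + 1 >= len(low):
                return None
            name = low[vi + 1]
            if name in LEGIT_NAMES:
                return f"Run value '{name}' uses a system binary's name"
            close = difflib.get_close_matches(name, LEGIT_NAMES, n=1, cutoff=0.8)
            if close:
                return f"Run value '{name}' mimics system binary '{close[0]}'"
    return None


def check_service_stop(tokens):
    """net/sc stopping the two services Ryuk stops."""
    if base(tokens[0]) not in ("net", "net.exe", "net1", "net1.exe", "sc", "sc.exe"):
        return None
    low = [t.lower() for t in tokens]
    if "stop" in low:
        i = low.index("stop")
        if i + 1 < len(low) and low[i + 1] in RYUK_STOPPED_SERVICES:
            return f"stops service '{low[i + 1]}' (Ryuk stops AudioEndpointBuilder and samss)"
    return None


def analyze(events):
    """Run every check over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        tokens = tokenize(ev["CommandLine"])
        if not tokens:
            continue
        for check in (check_icacls, check_run_key, check_service_stop):
            hit = check(tokens)
            if hit:
                alerts.append({"rule": check.__name__, "detail": hit,
                               "command": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["rule"], "-", a["detail"])
```

The Run-key check uses a similarity match rather than a fixed string because the one-character difference between "svchos" and "svchost" is the whole trick; the same check catches other near-misses of system binary names. Reading the command line from cmd.exe's arguments matters too, since the report shows the registry change being made through cmd.exe rather than by reg.exe as a direct child.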

5.2 Privileges

Generally speaking, Ryuk arrives either by lateral movement within the network or by being launched by other malware such as Emotet or TrickBot, which, having escalated privileges, hand those elevated rights over to the ransomware.

Beforehand, as a prelude to the injection process, we see it call ImpersonateSelf, which means the security context of the access token is passed to a thread, from which it is immediately retrieved using GetCurrentThread.

Figure 25: Call to ImpersonateSelf

We then see it associate the access token with the thread. One of the parameters is DesiredAccess, which controls the access the thread will have; in this case the value that edx receives should be TOKEN_ALL_ACCESS or, failing that, TOKEN_WRITE.

Figure 26: Creating the thread token

It then uses SeDebugPrivilege and makes a call to obtain debug rights on the thread, which results in PROCESS_ALL_ACCESS and lets it access any process it needs. Now that the encryptor already has a prepared thread, all that remains is to proceed to the final stage.

Figure 27: Call to SeDebugPrivilege and the privilege escalation functions

On the one hand we have LookupPrivilegeValueW, which provides the necessary information (the LUID) about the privilege we want to enable.

Figure 28: Requesting information about the privilege to be escalated

On the other hand we have AdjustTokenPrivileges, which allows us to obtain the required rights for the thread. The most important argument here is NewState, whose attribute flag grants the privilege.

Figure 29: Setting permissions on the token

5.3 Injection

In this section we show how the sample carries out the injection process mentioned earlier in this report.

The main purpose of the injection, and of the escalation, is to gain access to the shadow copies. To do so it needs to work from a thread whose rights are higher than those of the local user. Once it has obtained such elevated rights, it deletes the copies and makes changes to other processes so that it becomes impossible to return to an earlier restore point of the operating system.

As is usual for this type of malware, it uses CreateToolhelp32Snapshot to take a snapshot of the currently running processes and then tries to access those processes with OpenProcess. Once it has access to a process, it also opens the process token to obtain its parameters.

Figure 30: Retrieving the processes on the computer

We can see how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. Having obtained it, it walks the list, trying to open the processes one by one with OpenProcess until it succeeds. In this case, the first process it was able to open was "taskhost.exe".

Figure 31: Procedure for obtaining a process

We can see that it then reads the process token information, calling OpenProcessToken with the parameter 0x20008 (TOKEN_READ, i.e. READ_CONTROL | TOKEN_QUERY).

Figure 32: Reading the process token information

It also checks that the process to be injected into is not csrss.exe, explorer.exe or lsass.exe, and that it does not run with NT AUTHORITY rights.

Figure 33: Excluded processes

We can see how it first performs the check using the process token information inside routine 140002D9C, to find out whether the account under whose rights the process runs is an NT AUTHORITY account.

Figure 34: NT AUTHORITY check

Later, outside the routine, it checks that the process is not csrss.exe, explorer.exe or lsass.exe.

Figure 35: NT AUTHORITY check

Once it has taken the snapshot of the processes, opened them and verified that none of them is excluded, it is ready to write into the memory of the processes to be injected.

To do this it first reserves space in memory (VirtualAllocEx), writes to it (WriteProcessMemory) and creates a thread (CreateRemoteThread). To work with these functions it uses the PIDs of the selected processes, obtained earlier with CreateToolhelp32Snapshot.

Figure 36: Injecting the code

Here we can see how it uses the process PID to call the VirtualAllocEx function.

Figure 37: Call to VirtualAllocEx
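Sections 5.2 and 5.3 describe a chain of API calls: ImpersonateSelf, OpenThreadToken, LookupPrivilegeValueW for SeDebugPrivilege and AdjustTokenPrivileges, then CreateToolhelp32Snapshot, OpenProcess and OpenProcessToken to pick a target that is not csrss.exe, explorer.exe, lsass.exe or an NT AUTHORITY process, and finally VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. The following added example, which is not part of the PandaLabs report, replays that chain from an API-call trace of the kind a sandbox or API monitor records, decodes the token access masks mentioned in the text, and reports which target received a complete injection. The trace format, the PIDs and the process table are constructed assumptions.

```python
"""Added example, not from the PandaLabs report: replay a constructed API-call
trace and reconstruct the escalation + injection chain described in 5.2/5.3.
The trace format, PIDs and process table are assumptions for this example."""
from collections import defaultdict

# Constructed process table: pid -> (image, account). lsass runs as SYSTEM,
# so Ryuk's own filter rejects it; taskhost is the first acceptable target.
PROCESS_TABLE = {
    620:  ("lsass.exe",    r"NT AUTHORITY\SYSTEM"),
    2816: ("taskhost.exe", r"LAB\analyst"),
    4132: ("VWjRF.exe",    r"LAB\analyst"),
    5100: ("Taskmgr.exe",  r"LAB\analyst"),
}

# Constructed trace lines: "<caller pid>\t<API>\t<key=value, key=value>"
SAMPLE_TRACE = """\
4132\tImpersonateSelf\tImpersonationLevel=SecurityImpersonation
4132\tOpenThreadToken\tThreadHandle=GetCurrentThread, DesiredAccess=0xF01FF
4132\tLookupPrivilegeValueW\tName=SeDebugPrivilege
4132\tAdjustTokenPrivileges\tNewState=SE_PRIVILEGE_ENABLED
4132\tCreateToolhelp32Snapshot\tFlags=TH32CS_SNAPPROCESS
4132\tOpenProcess\tDesiredAccess=PROCESS_ALL_ACCESS, ProcessId=620
4132\tOpenProcessToken\tDesiredAccess=0x20008
4132\tOpenProcess\tDesiredAccess=PROCESS_ALL_ACCESS, ProcessId=2816
4132\tOpenProcessToken\tDesiredAccess=0x20008
4132\tVirtualAllocEx\tProcessId=2816, Protect=PAGE_EXECUTE_READWRITE
4132\tWriteProcessMemory\tProcessId=2816
4132\tCreateRemoteThread\tProcessId=2816
5100\tCreateToolhelp32Snapshot\tFlags=TH32CS_SNAPPROCESS
5100\tOpenProcess\tDesiredAccess=PROCESS_QUERY_INFORMATION, ProcessId=2816
"""

# Token access rights from winnt.h; 0x20008 seen in the sample is TOKEN_READ
TOKEN_BITS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
TOKEN_AGGREGATES = {0xF01FF: "TOKEN_ALL_ACCESS", 0x200E0: "TOKEN_WRITE",
                    0x20008: "TOKEN_READ"}
RYUK_SKIPS = {"csrss.exe", "explorer.exe", "lsass.exe"}   # per the report


def decode_token_access(mask):
    """Name a token DesiredAccess mask: a winnt.h aggregate if it is exactly
    one, otherwise the individual rights it is composed of."""
    if mask in TOKEN_AGGREGATES:
        return TOKEN_AGGREGATES[mask]
    return "|".join(n for b, n in sorted(TOKEN_BITS.items()) if mask & b)


def parse_trace(text):
    calls = []
    for line in text.splitlines():
        if line.strip():
            pid, api, args = line.split("\t")
            kv = dict(p.split("=", 1) for p in args.split(", "))
            calls.append((int(pid), api, kv))
    return calls


def ryuk_would_skip(pid):
    """Ryuk's own target filter: csrss/explorer/lsass and NT AUTHORITY."""
    image, account = PROCESS_TABLE[pid]
    return image.lower() in RYUK_SKIPS or account.upper().startswith("NT AUTHORITY")


def analyze_trace(calls):
    """Per caller: SeDebugPrivilege enabled on an impersonation token, the
    processes opened, and the targets that received alloc+write+thread."""
    st = defaultdict(lambda: {"imp": False, "tok": None, "dbg": False,
                              "adj": False, "opened": [], "inj": defaultdict(set)})
    for pid, api, kv in calls:
        s = st[pid]
        if api == "ImpersonateSelf":
            s["imp"] = True
        elif api == "OpenThreadToken":
            s["tok"] = decode_token_access(int(kv["DesiredAccess"], 16))
        elif api == "LookupPrivilegeValueW" and kv.get("Name") == "SeDebugPrivilege":
            s["dbg"] = True
        elif api == "AdjustTokenPrivileges":
            s["adj"] = s["dbg"]            # adjust following the SeDebug lookup
        elif api == "OpenProcess":
            s["opened"].append(int(kv["ProcessId"]))
        elif api in ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"):
            s["inj"][int(kv["ProcessId"])].add(api)
    findings = []
    for pid, s in st.items():
        targets = [t for t, apis in s["inj"].items() if len(apis) == 3]
        escalated = s["imp"] and s["dbg"] and s["adj"]
        if targets or escalated:
            findings.append({
                "pid": pid, "image": PROCESS_TABLE[pid][0],
                "sedebug_enabled": escalated, "thread_token_access": s["tok"],
                "processes_opened": [PROCESS_TABLE[t][0] for t in s["opened"]],
                "injected_into": [PROCESS_TABLE[t][0] for t in targets],
                "targets_pass_ryuk_filter": all(not ryuk_would_skip(t) for t in targets),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_trace(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Two design points: an injection is only reported when all three of VirtualAllocEx, WriteProcessMemory and CreateRemoteThread land on the same target PID, which keeps Task Manager's snapshot-and-open activity out of the findings; and the caller's own filter (ryuk_would_skip) is evaluated alongside the detection, so the analyst can confirm that lsass.exe was opened but rejected and taskhost.exe was the first process that passed, as the report describes.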

5.4 Encryption
In this section we look at the encryption part of this sample. In the following image you can see two routines named "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.

Figure 38: Encryption routines

At the beginning we can see it load a string that will later be used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Figure 39: Deobfuscation routine

The following image shows the first import it deobfuscates, LoadLibrary, in register R4. It will later be used to load the required DLLs. We can also see another string in register R12, which is used together with the previous string to perform the deobfuscation.

Figure 40: Dynamic deobfuscation

It continues by decoding the commands it will later run to disable backups, restore points and safe boot modes.

Figure 41: Loading the commands

It then loads the location where it will drop 3 files: windows.bat, run.sct and start.bat.

Figure 42: File locations

These 3 files are used to check the privileges available at each location. If the required privileges are not available, Ryuk stops execution.

It continues by loading the strings corresponding to three files. The first, DECRYPT_INFORMATION.html, contains the information needed to recover the files. The second, PUBLIC, contains the RSA public key.

Figure 43: DECRYPT_INFORMATION.html string

The third, UNIQUE_ID_DO_NOT_REMOVE, contains the encrypted key that will be used in the next routine to carry out the encryption.

Figure 44: UNIQUE_ID_DO_NOT_REMOVE string

Finally, it loads the required libraries together with the required imports and CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).

Figure 45: Loading the libraries

Once all the deobfuscation is complete, it proceeds to carry out the actions required for encryption: enumerate all logical drives, run what was loaded in the previous routine, reinforce its persistence on the system, drop the RyukReadMe.html file, encrypt, enumerate all network drives, move to the discovered devices and encrypt them too.
It starts by loading "cmd.exe" and the RSA public key data.

Figure 46: Preparing for encryption

It then obtains all logical drives with GetLogicalDrives and disables all backups, restore points and safe boot modes.

Figure 47: Disabling the recovery tools

After that it reinforces its persistence on the system, as we saw above, and writes the first RyukReadMe.html file to TEMP.

Figure 48: Publishing the ransom note

In the following image you can see how it creates the file, loads its contents and writes them:

Figure 49: Loading and writing the file contents

To be able to perform the same actions on all devices, it uses "icacls.exe", as shown above.

Figure 50: Using icacls.exe

Finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and the other locations specified in a whitelist. For this it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to the network devices discovered with WNetEnumResourceW and then encrypt them.

Figure 51: Encrypting system files

6. Relevant imports and flags

The original report includes a table of the most relevant imports and flags used by the sample; the table is an image and is not reproduced in this copy.

7. IOC

File paths from the IOC table:

  • Users\Public\run.sct
  • Start Menu\Programs\Startup\start.bat
  • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat
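The IOCs above, together with the loader hashes in section 2 and the files named in section 5.4 (PUBLIC, UNIQUE_ID_DO_NOT_REMOVE, DECRYPT_INFORMATION.html, RyukReadMe.html, windows.bat), are the artefacts a responder would sweep a host for. The following added example, which is not part of the PandaLabs report, does that sweep with a name list and a hash list; it runs here against a constructed temporary tree whose layout mirrors the IOC paths, with dummy file contents, so the self-test expects name hits and no hash hits.

```python
"""Added example, not from the PandaLabs report: sweep a file tree for the
artefacts the report names (dropped files, ransom notes, startup scripts) and
for the loader's MD5/SHA256. The temporary tree built below is constructed
for the example; its files are dummies."""
import hashlib
import os
import tempfile

# Loader hashes from section 2 (lower-cased for comparison)
LOADER_HASHES = {
    "a73130b0e379a989cba3d695a157a495",
    "ef231ee1a2481b7e627921468e79bb4369ccfaeb19a575748dd2b664abc4f469",
}
# File names the report associates with this Ryuk variant
ARTEFACT_NAMES = {"public", "unique_id_do_not_remove", "ryukreadme.html",
                  "decrypt_information.html", "windows.bat", "run.sct", "start.bat"}
# Directories where those names are expected; hits elsewhere are still reported
HINT_DIRS = ("users/public", "start menu/programs/startup", "temp")


def file_hashes(path):
    """Stream the file once, returning (md5, sha256) hex digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def sweep(root):
    """Walk `root`; report every file matching a known name or a known hash."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            md5, sha = file_hashes(path)
            name_hit = name.lower() in ARTEFACT_NAMES
            hash_hit = md5 in LOADER_HASHES or sha in LOADER_HASHES
            if name_hit or hash_hit:
                rel = os.path.relpath(path, root).replace(os.sep, "/").lower()
                hits.append({"name": name, "path": rel, "md5": md5, "sha256": sha,
                             "hash_match": hash_hit,
                             "expected_location": any(h in rel for h in HINT_DIRS)})
    return hits


def build_sample_tree():
    """Create a temp tree with constructed dummy artefacts and benign files."""
    root = tempfile.mkdtemp(prefix="ryuk_ioc_")
    planted = {
        "Users/Public/run.sct": "<scriptlet/>",
        "Users/Public/windows.bat": "@echo off",
        "Users/Public/PUBLIC": "dummy rsa public key",
        "Users/Public/UNIQUE_ID_DO_NOT_REMOVE": "dummy encrypted key",
        "Users/analyst/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/start.bat": "@echo off",
        "Users/analyst/AppData/Local/Temp/RyukReadMe.html": "<html>dummy note</html>",
        "Users/analyst/Documents/notes.txt": "benign",
        "Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost",
    }
    for rel, content in planted.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for h in sweep(build_sample_tree()):
        print(h["path"], "hash match" if h["hash_match"] else "name match")
```

Name matches are deliberately kept separate from hash matches: the loader is rebuilt per campaign, so the hashes in section 2 identify this one sample only, while the dropped file names and their locations (Users\Public and the Startup folder) have been stable across the variants described in the report and are the more durable indicator.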

This technical report on the Ryuk ransomware was prepared by the experts of the PandaLabs antivirus laboratory.

8. Links

1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.

3. "Story of the year 2019: Cities under ransomware siege." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.

4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.

5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

source: www.habr.com
