Ryuk is one of the best-known ransomware families of the last few years. Since it first appeared in the summer of 2018, it has amassed
1. General information
This document contains an analysis of a variant of the Ryuk ransomware, as well as of the loader responsible for loading the malware into the system.
The Ryuk ransomware first appeared in the summer of 2018. One difference between Ryuk and other ransomware is that it targets corporate environments.
In mid-2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware.
Fig. 1: Excerpt from El Confidencial on the Ryuk ransomware attack [1]
Fig. 2: Excerpt from El País on an attack carried out with the Ryuk ransomware [2]
This year, Ryuk has attacked a large number of companies in various countries. As the figures below show, Germany, China, Algeria and India were hit hardest.
Comparing the number of cyberattacks, we can see that Ryuk has affected millions of users and compromised a huge amount of data, resulting in severe economic damage.
Fig. 3: Illustration of Ryuk's global activity.
Fig. 4: The 16 countries most affected by Ryuk
Fig. 5: Number of users attacked by the Ryuk ransomware (in millions)
Following the usual operating principle of such threats, once it has finished encrypting, this ransomware shows the victim a ransom note demanding payment in bitcoins to a specified address in order to restore access to the encrypted files.
This malware has changed since it was first introduced.
The variant of the threat analyzed in this document was discovered during an attempted attack in January 2020.
Because of its complexity, this malware is often attributed to organized cybercriminal groups, also known as APT groups.
Part of Ryuk's code bears a noticeable resemblance to the code and structure of another well-known ransomware, Hermes, with which it shares a number of identical functions. This is why Ryuk was initially linked to the North Korean group Lazarus, which at the time was suspected of being behind the Hermes ransomware.
CrowdStrike's Falcon X service later determined that Ryuk was created by the WIZARD SPIDER group [4].
There is some evidence to support this assumption. First, this ransomware was advertised on exploit.in, a well-known Russian malware marketplace that has previously been associated with some Russian APT groups.
This contradicts the theory that Ryuk could have been developed by the Lazarus APT group, because it does not fit the way the group operates.
In addition, Ryuk was advertised as ransomware that will not work on Russian, Ukrainian and Belarusian systems. This behavior is confirmed by a feature found in some versions of Ryuk, which checks the language of the system on which the ransomware is running and stops it from running if the system language is Russian, Ukrainian or Belarusian. Finally, an expert analysis of a machine that had been compromised by the WIZARD SPIDER group revealed several "artifacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.
On the other hand, experts Gabriela Nicolao and Luciano Martins suggested that the ransomware may have been developed by the APT group CryptoTech [5].
This follows from the fact that several months before Ryuk appeared, this group posted on a forum of the same site that they had developed a new version of the Hermes ransomware.
Several users questioned whether CryptoTech had actually created Ryuk. The group defended itself and stated that it had evidence that it had developed 100% of the ransomware.
2. Characteristics
We start with the loader, whose job is to identify the system it is on so that the "correct" version of the Ryuk ransomware can be launched.
The loader's hashes are as follows:
MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469
One notable feature of the loader is that it contains no metadata, i.e. the creators of this malware did not include any information in it.
Sometimes they include false data to trick the user into thinking they are running a legitimate application. However, as we will see later, when the infection does not involve user interaction (as is the case with this ransomware), attackers do not consider it necessary to use metadata.
Fig. 6: Sample metadata
The sample was compiled in 32-bit format so that it can run on both 32-bit and 64-bit systems.
3. Entry vector
The sample that downloads and runs Ryuk entered our system through a remote connection, and the access parameters were obtained through a preliminary RDP attack.
Fig. 7: Attack log
The attacker managed to log in to the system remotely. After that, he created an executable file with our sample.
This executable file was blocked by the antivirus solution before it could run.
Fig. 8: Sample blocked
Fig. 9: Sample blocked
When the malicious file was blocked, the attacker tried to download an encrypted version of the executable file, which was also blocked.
Fig. 10: Set of samples the attacker tried to run
Finally, he tried to download another malicious file through an encrypted PowerShell console to bypass the antivirus protection. But it was blocked as well.
Fig. 11: PowerShell with malicious content blocked
Fig. 12: PowerShell with malicious content blocked
4. Loader
When it executes, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an email address in the protonmail domain, which is quite common in this malware family: [email protected]
Fig. 13: Ransom note
While the loader is running, you can see that it launches several executable files with random names. They are stored in the hidden folder PUBLIC, but if the "Show hidden files and folders" option is not enabled in the operating system, they will remain hidden. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.
Fig. 14: Executable files launched by the sample
As you can see in the figure above, Ryuk launches icacls.exe, which will be used to modify all ACLs (access control lists), thereby ensuring access and modification of flags.
It obtains full access under all users to all files on the device (/T), regardless of errors (/C) and without displaying any messages (/Q).
Fig. 15: Execution parameters of icacls.exe launched by the sample
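A defender can look for this icacls behaviour in process-creation logs. The following is an added example, not code from the report: it parses icacls command lines and alerts when full control is granted recursively to a broad principal. The sample command lines and the list of "broad" principals are constructed assumptions.

```python
import re

# Switches named in the report: /T (recurse), /C (continue on errors), /Q (quiet).
SWITCHES = {"/t", "/c", "/q"}
# Principals treated as "all users" (assumption made for this example).
BROAD = {"everyone", "users", "authenticated users", "*s-1-1-0"}

def tokens(cmdline):
    """Split a Windows command line, keeping quoted spans inside one token."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]

def assess_icacls(cmdline):
    """Return a summary dict for an icacls invocation, or None for anything else."""
    t = tokens(cmdline)
    if not t or not re.search(r"(^|[\\/])icacls(\.exe)?$", t[0], re.I):
        return None
    args = [a.lower() for a in t[1:]]
    grants = []
    for i, arg in enumerate(args[:-1]):
        if arg in ("/grant", "/grant:r"):
            principal, _, perms = args[i + 1].rpartition(":")
            grants.append((principal, perms))
    # "F" may appear alone or after inheritance flags such as (OI)(CI).
    full_to_all = any(p in BROAD and "f" in re.split(r"[(),]", perms)
                      for p, perms in grants)
    switches = sorted(SWITCHES & set(args))
    return {"target": t[1] if len(t) > 1 else "", "switches": switches,
            "grants": grants, "alert": full_to_all and "/t" in switches}

# Constructed process-creation command lines (not taken from the report).
EVENTS = [
    r'icacls "C:\*" /grant Everyone:F /T /C /Q',
    r'C:\Windows\System32\icacls.exe D:\share /grant "Authenticated Users":(OI)(CI)RX /T',
    r"icacls C:\build\out /grant builder:F",
    r"cmd.exe /c dir",
]

def alerts(events):
    """Command lines that recursively grant full control to a broad principal."""
    return [e for e in events if (assess_icacls(e) or {}).get("alert")]

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```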
It is important to note that Ryuk checks which version of Windows you are running. To do this, it performs a version check using GetVersionExW, in which it examines the value of the lpVersionInformation flag, which indicates whether the current version of Windows is newer than Windows XP.
Depending on whether you are running a version later than Windows XP, the loader will write to the local user folder, in this case to the %Public% folder.
Fig. 17: Checking the operating system version
The file being written is Ryuk. It then runs it, passing its own address as a parameter.
Fig. 18: Launching Ryuk via ShellExecute
The first thing Ryuk does is receive its input parameters. This time there are two input parameters (the executable itself and the dropper's address), which are used to remove its own traces.
Fig. 19: Creating a process
You can also see that once it has launched its executables, it deletes itself, leaving no trace of its presence in the folder where it was executed.
Fig. 20: Deleting the file
5. RYUK
5.1 Persistence
Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way to achieve this is to covertly create and run executable files. To do this, the most common practice is to modify the Run registry key.
In this case, you can see that for this purpose the first file launched, VWjRF.exe (the file name is randomly generated), launches cmd.exe.
Fig. 21: Execution of VWjRF.exe
It then enters the RUN command with the name "svchos". Thus, if you check the registry keys at any point, you can easily miss this change because of the name's similarity to svchost. Thanks to this key, Ryuk ensures its presence on the system. If the system has not yet been infected, then when you restart the system, the executable will try again.
Fig. 22: The sample ensures its presence in the registry key
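Because a value named "svchos" is easy to overlook by eye, a review of Run-key entries can compare each value name against known system process names by edit distance. This is an added example, not code from the report; the list of system names, the exported values and the command attached to "svchos" are constructed assumptions.

```python
# System process names an attacker may imitate (short list chosen for this example).
SYSTEM_NAMES = ("svchost", "lsass", "csrss", "winlogon", "explorer", "services")
# Directories any user can write to; a Run entry pointing here deserves a second look.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def review_run_key(values, max_distance=1):
    """values maps Run value name -> command. Report near-miss system names."""
    findings = []
    for name, command in values.items():
        stem = name.lower()
        if stem.endswith(".exe"):
            stem = stem[:-4]
        # Distance 0 is the genuine name; 1..max_distance is a lookalike.
        imitated = [s for s in SYSTEM_NAMES
                    if 0 < edit_distance(stem, s) <= max_distance]
        if imitated:
            findings.append({
                "name": name,
                "imitates": imitated,
                "user_writable": any(d in command.lower() for d in USER_WRITABLE),
                "command": command,
            })
    return findings

# Constructed export of a Run key; the value data for "svchos" is an assumption.
RUN_VALUES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "svchos": r"C:\Users\Public\VWjRF.exe",
}

if __name__ == "__main__":
    for finding in review_run_key(RUN_VALUES):
        print(finding)
```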
We can also see that this executable stops two services:
"audioendpointbuilder", which, as its name suggests, corresponds to system audio,
Fig. 23: The sample stops the system audio service
and Samss, which is the account management service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM system, the ransomware tries to stop sending
Fig. 24: The sample stops the Samss service
5.2 Privileges
Generally speaking, Ryuk starts by moving laterally within the network, or it is launched by other malware such as
Beforehand, as a prelude to the implementation process, we see it carry out the ImpersonateSelf process, which means that the security contents of the access token will be passed to the thread, where they will immediately be retrieved using GetCurrentThread.
Fig. 25: Call to ImpersonateSelf
Then we see that it associates an access token with a thread. We also see that one of the flags is DesiredAccess, which can be used to control the access the thread will have. In this case the value that edx receives should be TOKEN_ALL_ACCESS or, otherwise, TOKEN_WRITE.
Fig. 26: Creating a thread token
It will then use SeDebugPrivilege and make a call to obtain Debug permissions on the thread; as a result, by specifying PROCESS_ALL_ACCESS, it will be able to access any required process. Now, given that the encryptor already has a prepared thread, all that remains is to proceed to the final stage.
Fig. 27: Calling SeDebugPrivilege and the privilege escalation function
On the one hand, we have LookupPrivilegeValueW, which provides us with the necessary information about the privileges we want to raise.
Fig. 28: Requesting information about privileges for privilege escalation
On the other hand, we have AdjustTokenPrivileges, which allows us to obtain the necessary rights on our thread. In this case, the most important thing is NewState, whose flag will grant the privileges.
Fig. 29: Setting permissions for the token
5.3 Implementation
In this section, we will show how the sample carries out the implementation process mentioned earlier in this report.
The main goal of the implementation process, as well as of the escalation, is to gain access to shadow copies. To do this, it needs to work with a thread that has rights higher than those of the local user. Once it gains such elevated rights, it deletes the copies and makes changes to other processes to make it impossible to return to an earlier restore point in the operating system.
As is typical with this type of malware, it uses CreateToolHelp32Snapshot, so it takes a snapshot of the currently running processes and tries to access those processes using OpenProcess. Once it gains access to a process, it also opens a token with its information to obtain the process parameters.
Fig. 30: Retrieving processes from the computer
We can see how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. After receiving them, it goes through the list, trying to open the processes one by one using OpenProcess until it succeeds. In this case, the first process it was able to open was "taskhost.exe".
Fig. 31: Dynamically executing a procedure to obtain a process
We can see that it subsequently reads the process token information, so it calls OpenProcessToken with the parameter "20008".
Fig. 32: Reading process token information
It also checks that the process to be injected into is not adms.exe, Explorer.exe, lsaas.exe, or that it has a set of NT AUTHORITY rights.
Fig. 33: Excluded processes
We can see how it first performs the check using the process token information in 140002D9C in order to find out whether the account whose rights are being used to execute the process is an NT AUTHORITY account.
Fig. 34: NT AUTHORITY check
And later, outside the procedure, it checks that this is not csrss.exe, explorer.exe or lsaas.exe.
Fig. 35: NT AUTHORITY check
Once it has taken a snapshot of the processes, opened the processes, and verified that none of them is excluded, it is ready to write to the memory of the processes that will be injected.
To do this, it first reserves an area in memory (VirtualAllocEx), writes into it (WriteProcessMemory) and creates a thread (CreateRemoteThread). To work with these functions, it uses the PIDs of the selected processes, which it previously obtained using CreateToolhelp32Snapshot.
Fig. 36: Code injection
Here we can see how it uses the process PID to call the VirtualAllocEx function.
Fig. 37: Call to VirtualAllocEx
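The call order described in this section (OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread against another process) is what API-level telemetry can match on. The following is an added example, not code from the report: it scans a constructed API trace for that ordered chain per caller and target pair. The tuple format, and the assumption that the sensor has already resolved process handles to target PIDs, are hypothetical.

```python
from collections import defaultdict

# Ordered chain of calls named in the report for writing into another process.
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

def find_injections(events):
    """events: (time, caller_pid, api, target_pid) tuples ordered by time.

    Returns one hit per (caller, target) pair that completes CHAIN in order.
    Unrelated calls and repeated steps in between do not reset the chain.
    """
    progress = defaultdict(int)   # (caller, target) -> index of next expected call
    hits = []
    for ts, caller, api, target in events:
        if caller == target or api not in CHAIN:
            continue              # activity inside the caller's own process
        key = (caller, target)
        if api == CHAIN[progress[key]]:
            progress[key] += 1
            if progress[key] == len(CHAIN):
                hits.append({"caller": caller, "target": target, "time": ts})
                progress[key] = 0
        elif api == CHAIN[0]:
            progress[key] = 1     # a fresh OpenProcess restarts the chain
    return hits

# Constructed trace: PID 4120 walks processes with OpenProcess, then injects
# into 2044; PID 7001 only opens processes; PID 5150 allocates in itself.
TRACE = [
    (1, 4120, "OpenProcess", 388),
    (2, 4120, "OpenProcess", 2044),
    (3, 7001, "OpenProcess", 2044),
    (4, 4120, "VirtualAllocEx", 2044),
    (5, 4120, "WriteProcessMemory", 2044),
    (6, 7001, "OpenProcess", 388),
    (7, 4120, "WriteProcessMemory", 2044),
    (8, 4120, "CreateRemoteThread", 2044),
    (9, 5150, "VirtualAllocEx", 5150),
]

if __name__ == "__main__":
    for hit in find_injections(TRACE):
        print("possible injection:", hit)
```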
5.4 Encryption
In this section, we will look at the encryption part of this sample. In the following figure you can see two subroutines called "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for performing the encryption procedure.
Fig. 38: Encryption procedures
At the beginning we can see how it loads a string that will later be used to deobfuscate everything that is needed: imports, DLLs, commands, files and CSPs.
Fig. 39: Deobfuscation chain
The following figure shows the first import that it deobfuscates, in register R4: LoadLibrary. This will be used later to load the required DLLs. We can also see another string in register R12, which is used together with the previous string to perform the deobfuscation.
Fig. 40: Dynamic deobfuscation
It continues to load the commands that it will run later to disable backups, restore points and safe boot modes.
Fig. 41: Loading commands
Then it loads the location where it will drop 3 files: Windows.bat, run.sc and start.bat.
Fig. 42: File locations
These 3 files are used to check the privileges that each location has. If the required privileges are not available, Ryuk stops execution.
It continues to load the strings corresponding to three files. The first, DECRYPT_INFORMATION.html, contains the information needed to recover files. The second, PUBLIC, contains the RSA public key.
Fig. 43: The string DECRYPT INFORMATION.html
The third, UNIQUE_ID_DO_NOT_REMOVE, contains the encrypted key that will be used in the next routine to perform the encryption.
Fig. 44: The string UNIQUE ID DO NOT REMOVE
Finally, it loads the required libraries along with the required imports and CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).
Fig. 45: Loading libraries
After all deobfuscation is complete, it proceeds to perform the actions required for encryption: enumerating all logical drives, executing what was loaded in the previous routine, strengthening its presence on the system, dropping the RyukReadMe.html file, encryption, enumerating all network drives, switching to the detected devices and encrypting them.
It all starts with loading "cmd.exe" and the RSA public key records.
Fig. 46: Preparing for encryption
It then obtains all logical drives using GetLogicalDrives and disables all backups, restore points and safe boot modes.
Fig. 47: Disabling recovery tools
After that, it strengthens its presence on the system, as we saw above, and writes the first RyukReadMe.html file to TEMP.
Fig. 48: Publishing the ransom note
In the following figure you can see how it creates the file, loads the content and writes it:
Fig. 49: Loading and writing the file contents
To be able to perform the same actions on all devices, it uses "icacls.exe", as we showed above.
Fig. 50: Using icacls.exe
And finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and other locations specified in the form of a whitelist. To do this, it uses imports: CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to discovered network devices using WNetEnumResourceW and then encrypts them.
Fig. 51: Encrypting system files
6. Imports and corresponding flags
Below is a table listing the most relevant imports and flags used by the sample:
7. IOC
powatsimikizira
- users\Public\run.sc
- Start Menu\Programs\Startup\start.bat
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat
The technical report on the Ryuk ransomware was compiled by experts from the PandaLabs antivirus laboratory.
8. References
1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.
2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.
3. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.
4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.
5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r
Source: www.habr.com