How Ryuk ransomware, which attacks businesses, works

Ryuk is one of the best-known ransomware families of the last few years. Since it first appeared in the summer of 2018, it has accumulated an impressive list of victims, especially in the business environment, which is the main focus of its attacks.

1. General information

This document contains an analysis of a variant of the Ryuk ransomware, as well as of the loader responsible for placing the malware on the system.

Ryuk ransomware first appeared in the summer of 2018. One difference between Ryuk and other ransomware is that it is designed to attack corporate environments.

In mid-2019, cybercriminal groups attacked a large number of Spanish companies using this ransomware.

Figure 1: Excerpt from El Confidencial on the Ryuk ransomware attack [1]

Figure 2: Excerpt from El País on the attack carried out with Ryuk ransomware [2]

This year, Ryuk has attacked a large number of companies in various countries. As you can see in the figures below, Germany, China, Algeria and India are the countries hit hardest.

Comparing this with the overall number of cyberattacks, we see that Ryuk has affected millions of users and compromised a huge amount of data, causing serious economic damage.

Figure 3: Map of Ryuk's global activity.

Figure 4: The 16 countries most affected by Ryuk

Figure 5: Number of users attacked by Ryuk ransomware (in millions)

As is usual with threats of this kind, once encryption is complete the ransomware shows the victim a ransom note; the ransom must be paid in Bitcoin to the specified address in order to regain access to the encrypted files.

This malware has changed since it first appeared. The variant of the threat analysed in this document was discovered during an attempted attack in January 2020.

Because of its complexity, this malware is usually attributed to organised cybercriminal groups, also known as APT groups.

Part of the Ryuk code shows a noticeable similarity to the code and structure of another well-known ransomware, Hermes, with which it shares a number of functions. This is why Ryuk was initially linked to the North Korean group Lazarus, which at the time was suspected of being behind the Hermes ransomware.

CrowdStrike's Falcon X service later noted that Ryuk was in fact created by the WIZARD SPIDER group [4].

There is some evidence supporting this assumption. First, this ransomware was advertised on the website exploit.in, a well-known Russian malware marketplace previously associated with several Russian APT groups.
This fact rules out the theory that Ryuk could have been developed by the Lazarus APT group, since it does not match that group's style of operation.

In addition, Ryuk was advertised as ransomware that would not run on Russian, Ukrainian or Belarusian systems. This behaviour is due to a function found in some versions of Ryuk that checks the language of the system on which the ransomware is running and stops it if the system uses Russian, Ukrainian or Belarusian. Finally, expert analysis of a machine hacked by the WIZARD SPIDER group revealed several "artifacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, the researchers Gabriela Nicolao and Luciano Martins have suggested that the ransomware may have been developed by the APT group CryptoTech [5].
This follows from the fact that, a few months before Ryuk appeared, this group posted on the forum of the same site that it had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech had really created Ryuk. The group then defended itself, claiming it had evidence that it had written 100% of the ransomware.

2. Characteristics

We start with the loader (dropper), whose job is to identify the system it is running on so that the "right" version of the Ryuk ransomware can be executed.
The hashes of the loader are as follows:

MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One characteristic of this loader is that it contains no metadata, i.e. the creators of this malware did not include any information in it.

Sometimes malware authors include false metadata to trick the user into thinking they are launching a legitimate application. However, as we will see later, when the infection does not require user interaction (as is the case with this ransomware), the attackers do not consider it necessary to bother with metadata.

Figure 6: Sample metadata

The sample was compiled as a 32-bit executable so that it can run on both 32-bit and 64-bit systems.

3. Entry vector

The sample that downloads and launches Ryuk entered our system through a remote connection, and the credentials had been obtained in a preceding RDP attack.

Figure 7: Attack log

The attacker managed to log in to the system remotely. After that, they created an executable file containing our sample.
This executable was blocked by the antivirus solution before it could run.

Figure 8: Sample blocked

Figure 9: Sample blocked

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.

Figure 10: Set of samples the attacker tried to run

Finally, they tried to download another malicious file through an encrypted console.
PowerShell was used in an attempt to bypass the antivirus protection, but it was blocked again.

Figure 11: PowerShell with malicious content blocked

Figure 12: PowerShell with malicious content blocked

4. The loader

When it runs, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an email address on the protonmail domain, which is common for this malware family: msifelabem1981@protonmail.com

Figure 13: Ransom demand

While the loader is running, you may notice that it launches several executables with random names. They are stored in the hidden folder PUBLIC, and if the option "Show hidden files and folders" is not enabled in the operating system, they remain hidden. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.

Figure 14: Executables launched by the sample

As you can see in the image above, Ryuk runs icacls.exe, which it uses to modify all ACLs (access control lists), thereby guaranteeing itself access and the ability to change flags.

It grants full access for all users to all files on the device (/T), continuing regardless of errors (/C) and without displaying any messages (/Q).

Figure 15: Execution parameters of the icacls.exe launched by the sample

It is important to note that Ryuk checks which version of Windows is running. To do this,
it performs a version check using GetVersionExW, examining the value of the lpVersionInformation structure to determine whether the current Windows version is later than Windows XP.

Depending on whether the version is later than Windows XP, the loader writes to the local user folder, in this case the %Public% folder.

Figure 17: Checking the operating system version

The file it writes is Ryuk itself. It then runs that file, passing its own path as a parameter.

Figure 18: Running Ryuk via ShellExecute

The first thing Ryuk does is read its input parameters. In this case there are two (the executable itself and the path of the dropper), which are used to remove its own traces.

Figure 19: Process creation

You can also see that once it has launched the executable, it deletes itself, leaving no trace of its presence in the folder it was executed from.

Figure 20: File deletion

5. RYUK

5.1 Persistence
Ryuk, like other malware, tries to remain on the system for as long as possible. As shown above, one way it achieves this is by covertly creating and running executables. The most common method is modifying the registry key CurrentVersion\Run.
In this case, you can see that the first file run for this purpose, VWjRF.exe
(the file name is generated randomly), launches cmd.exe.

Figure 21: Running the VWjRF.exe file

It then enters a RUN value with the name "svchos". So if you inspect your registry keys at any time, you could easily miss this change, given how similar the name is to svchost. Ryuk uses this key to ensure its persistence on the system. If the system has not yet been infected, the executable will try again when the system reboots.

Figure 22: The sample establishes persistence through the registry key

We can also see that this executable stops two services:
"audioendpointbuilder", which, as its name suggests, corresponds to system audio,

Figure 23: The sample stops the system audio service

and samss, which is the account management service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM, the ransomware tries to stop it from sending alerts to the SIEM. This protects its subsequent steps, since some SAM services will not be able to start correctly after Ryuk has run.

Figure 24: The sample stops the samss service
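The icacls.exe invocation from section 4 and the persistence and service-stop behaviour just described can be turned into host-triage rules. The following Python is an added example, not code from the PandaLabs report; the event shapes, helper names and sample command lines (including the net stop form, which the report does not show) are assumptions, and VWjRF.exe is the only file name taken from the report.

```python
"""Triage constructed host events for three Ryuk loader behaviours the report
describes: icacls granting Everyone full control with /T /C /Q, a Run-key value
named "svchos" pointing under Users\\Public, and stopping audioendpointbuilder
or samss. Event shapes are simplified and constructed for this example."""
import re

SUSPICIOUS_SERVICES = {"audioendpointbuilder", "samss"}
LOOKALIKE_TARGETS = ("svchost", "csrss", "lsass", "explorer")

def edit_distance(a, b):
    """Levenshtein distance with a one-row DP; inputs are short value names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name):
    """Legitimate process name that `name` imitates within one edit, else None."""
    n = name.lower()
    for legit in LOOKALIKE_TARGETS:
        if n != legit and edit_distance(n, legit) <= 1:
            return legit
    return None

def check_icacls(cmd):
    """True when icacls grants Everyone full control with /T, /C and /Q set."""
    c = cmd.lower()
    if "icacls" not in c or not re.search(r"/grant\S*\s+(everyone|\*s-1-1-0):f\b", c):
        return False
    return all(f" /{sw}" in c for sw in "tcq")

def check_service_stop(cmd):
    """Name of a Ryuk-relevant service stopped via net/sc, else None."""
    m = re.search(r"\b(?:net|sc)(?:\.exe)?\s+stop\s+(\S+)", cmd.lower())
    return m.group(1) if m and m.group(1) in SUSPICIOUS_SERVICES else None

def check_runkey(name, target):
    """Rules fired by one ...\\CurrentVersion\\Run value (name -> target path)."""
    rules = []
    if lookalike_of(name):
        rules.append("runkey_lookalike")
    if re.search(r"\\users\\public\\", target.lower()):
        rules.append("runkey_public_path")
    return rules

def triage(events):
    """Return (event_index, rule) pairs for every rule that fires, in order."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            if check_icacls(ev["cmd"]):
                findings.append((i, "icacls_everyone_full"))
            if check_service_stop(ev["cmd"]):
                findings.append((i, "service_stop"))
        elif ev["type"] == "runkey":
            findings.extend((i, r) for r in check_runkey(ev["name"], ev["target"]))
    return findings

# Constructed sample; VWjRF.exe is the random file name shown in the report.
SAMPLE_EVENTS = [
    {"type": "process", "cmd": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"type": "process", "cmd": "net stop audioendpointbuilder /y"},
    {"type": "process", "cmd": "net stop samss /y"},
    {"type": "runkey", "name": "svchos", "target": r"C:\Users\Public\VWjRF.exe"},
    {"type": "runkey", "name": "OneDrive", "target": r"C:\Users\alice\OneDrive.exe"},
    {"type": "process", "cmd": r"icacls C:\share /grant alice:R"},
]
```

Running `triage(SAMPLE_EVENTS)` fires five findings: the icacls call, both service stops, and two rules for the "svchos" Run value; the OneDrive entry and the narrow icacls grant stay silent.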

5.2 Privileges

Typically, Ryuk begins after lateral movement across the network or is launched by other malware such as Emotet or Trickbot which, if they have escalated privileges, pass those elevated privileges on to the ransomware.

Earlier, as a prelude to the injection process, we see it call ImpersonateSelf, which means that the security context of the access token is copied to the thread, where it is retrieved shortly afterwards with GetCurrentThread.

Figure 25: Calling ImpersonateSelf

We then see that it associates the access token with the thread. We also see that one of the parameters is DesiredAccess, which can be used to control the access the thread will have. In this case, the value loaded into edx should be TOKEN_ALL_ACCESS or, alternatively, TOKEN_WRITE.

Figure 26: Creating a thread token

It then uses SeDebugPrivilege and makes a call to obtain debug permissions for the thread; as a result, by specifying PROCESS_ALL_ACCESS, it will be able to access any process it needs. Now that the ransomware has a prepared thread, all that remains is to move on to the final stage.

Figure 27: Calling SeDebugPrivilege and the privilege escalation function

On the one hand, we have LookupPrivilegeValueW, which provides the information needed about the privileges we want to escalate.

Figure 28: Requesting information about the privileges to escalate

On the other hand, we have AdjustTokenPrivileges, which lets it obtain the required privileges for our thread. Here the most important element is NewState, the structure that will grant the privileges.

Figure 29: Setting token privileges

5.3 Injection

In this section we show how the sample performs the injection process mentioned earlier in this report.

The main goal of the injection process, and of the privilege escalation, is to gain access to shadow copies. To do this, it needs to run in a thread with higher privileges than the local user. Once it has obtained these elevated privileges, it deletes the copies and modifies other processes so that it becomes impossible to return to an earlier restore point of the operating system.

As is usual for this type of malware, it uses CreateToolhelp32Snapshot to carry out the injection: it takes a snapshot of the running processes and tries to access those processes using OpenProcess. Once it gains access to a process, it also opens that process's token to obtain the process parameters.

Figure 30: Obtaining the processes on the computer

We can see dynamically how it retrieves the list of running processes in subroutine 140002D9C using CreateToolhelp32Snapshot. Once it has the list, it iterates through it, trying to open each process in turn with OpenProcess until it succeeds. In this case, the first process it was able to open was taskhost.exe.

Figure 31: Dynamic execution of the process enumeration routine

We can see that it then reads the process token information, calling OpenProcessToken with the parameter "20008".

Figure 32: Reading process token information

It also checks that the process it is about to inject into is not csrss.exe, explorer.exe or lsaas.exe, and that it does not have the NT AUTHORITY privilege set.

Figure 33: Excluded processes

We can see dynamically how it first performs a check, using the process token information in 140002D9C, to determine whether the account whose privileges the process runs under is an NT AUTHORITY account.

Figure 34: NT AUTHORITY check

And later, outside that routine, it checks that the process is not csrss.exe, explorer.exe or lsaas.exe.

Figure 35: NT AUTHORITY check

Once it has taken the snapshot of processes, opened them, and verified that none of them is on the exclusion list, it is ready to write into the memory of the processes that will be injected.

To do this, it first reserves space in memory (VirtualAllocEx), writes to it (WriteProcessMemory) and then creates a thread (CreateRemoteThread). To work with these functions, it uses the PIDs of the selected processes, which it obtained earlier with CreateToolhelp32Snapshot.

Figure 36: Code injection

Here we can see dynamically how it uses the process PID to call the VirtualAllocEx function.

Figure 37: Calling VirtualAllocEx
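A host sensor cannot observe VirtualAllocEx or WriteProcessMemory directly, but it can observe the OpenProcess with PROCESS_ALL_ACCESS and the CreateRemoteThread that bracket them. The following Python is an added example, not code from the report; it correlates simplified Sysmon-style records (event 10 ProcessAccess, event 8 CreateRemoteThread) whose field names, PIDs and loader file name are constructed.

```python
"""Correlate constructed Sysmon-style records into the injection pattern from
section 5.3: a ProcessAccess (event 10) requesting PROCESS_ALL_ACCESS, followed
by a CreateRemoteThread (event 8) from the same source into the same target.
VirtualAllocEx and WriteProcessMemory produce no Sysmon event of their own, so the
open/thread pair is what a host sensor actually sees. Field names are simplified."""

PROCESS_ALL_ACCESS = 0x1FFFFF  # the mask the report says Ryuk passes to OpenProcess
# Processes the report says Ryuk skips (it writes "lsaas.exe"; the real name is lsass.exe).
RYUK_SKIPS = {"csrss.exe", "explorer.exe", "lsass.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate_injection(events):
    """One alert per (source, target) pair opened with full access and later given
    a remote thread. Events must be in chronological order."""
    opened = {}  # (src_pid, tgt_pid) -> the event-10 record
    alerts = []
    for ev in events:
        key = (ev["src_pid"], ev["tgt_pid"])
        if ev["id"] == 10:
            if (ev["granted"] & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
                opened[key] = ev
        elif ev["id"] == 8 and key in opened:
            src = opened.pop(key)
            alerts.append({
                "source": src["src_image"],
                "target": src["tgt_image"],
                # the loader in the report drops its executables under Users\Public
                "severity": "high" if "\\users\\public\\" in src["src_image"].lower() else "medium",
                # Ryuk never picks these targets, so a hit there points at something else
                "matches_ryuk_selection": basename(src["tgt_image"]) not in RYUK_SKIPS,
            })
    return alerts

# Constructed sample: PIDs and the loader file name are made up; taskhost.exe is the
# first process the report saw Ryuk open successfully.
SAMPLE_EVENTS = [
    {"id": 10, "src_pid": 4120, "src_image": r"C:\Users\Public\qzNpK.exe",
     "tgt_pid": 1337, "tgt_image": r"C:\Windows\System32\taskhost.exe", "granted": 0x1FFFFF},
    {"id": 10, "src_pid": 900, "src_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "tgt_pid": 1337, "tgt_image": r"C:\Windows\System32\taskhost.exe", "granted": 0x1000},
    {"id": 8, "src_pid": 4120, "src_image": r"C:\Users\Public\qzNpK.exe",
     "tgt_pid": 1337, "tgt_image": r"C:\Windows\System32\taskhost.exe"},
    {"id": 8, "src_pid": 900, "src_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "tgt_pid": 2000, "tgt_image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in correlate_injection(SAMPLE_EVENTS):
        print(alert)
```

Only the loader's open-then-thread pair into taskhost.exe produces an alert; the antivirus engine's limited-rights open and its unrelated remote thread do not.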

5.4 Encryption
In this section we look at the encryption part of the sample. In the following figure you can see two subroutines, named "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.

Figure 38: Encryption routines

At the start we can see how it loads a string that is later used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Figure 39: Deobfuscation string

The following figure shows the first import it deobfuscates, in register R4: LoadLibrary. This is later used to load the required DLLs. We can also see another string in register R12, which is used together with the previous string to perform the deobfuscation.

Figure 40: Dynamic deobfuscation

It goes on to load the commands it will later run to disable backups, restore points and safe boot modes.

Figure 41: Loading commands

It then loads the location where it will drop three files: Windows.bat, run.sct and start.bat.

Figure 42: File locations

These three files are used to check the privileges of each location. If the required privileges are not available, Ryuk stops executing.

It continues by loading the strings corresponding to three files. The first, DECRYPT_INFORMATION.html, contains the information needed to recover the files. The second, PUBLIC, contains the RSA public key.

Figure 43: DECRYPT_INFORMATION.html string

The third, UNIQUE_ID_DO_NOT_REMOVE, contains the encrypted key that will be used in the next routine to perform the encryption.

Figure 44: UNIQUE_ID_DO_NOT_REMOVE string

Finally, it loads the required libraries and imports together with the CSP (Microsoft Enhanced RSA and AES Cryptographic Provider).

Figure 45: Loading libraries

Once all the deobfuscation is complete, it proceeds to the actions needed for encryption: enumerating all logical drives, executing what was loaded in the previous subroutine, reinforcing its persistence on the system, dropping the RyukReadMe.html file, encrypting, enumerating all network drives, switching to the discovered devices and encrypting them too.
It all starts with loading "cmd.exe" and the RSA public key records.

Figure 46: Preparing for encryption

It then obtains all logical drives using GetLogicalDrives and disables all backups, restore points and safe boot modes.

Figure 47: Disabling recovery tools

After that, it reinforces its persistence on the system, as we saw above, and writes the first file, RyukReadMe.html, to TEMP.

Figure 48: Writing the ransom note

In the following image you can see how it creates the file, loads the content and writes it:

Figure 49: Loading and writing file contents

To be able to perform the same actions on all devices, it uses
"icacls.exe", as we showed above.

Figure 50: Running icacls.exe

Finally, it starts encrypting files, excluding *.exe, *.dll, system files and other locations specified in an encrypted whitelist. To do this, it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey and so on. It also attempts to extend its activity to the discovered network devices using WNetEnumResourceW, and then encrypts them.

Figure 51: Encrypting system files

6. Imports and corresponding flags

Below is a table showing the most relevant imports and the flags used by the sample:

[Image: table of imports and flags]

7. IOC

[Image: IOC table]

Artifacts

  • \users\Public\run.sc
  • \Start Menu\Programs\Startup\start.bat
  • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat

This technical report on the Ryuk ransomware was prepared by experts from the PandaLabs antivirus laboratory.

8. References

1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.

3. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 12/11/2019.

4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 01/10/2019.

5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

Source: www.habr.com