How the Ryuk ransomware that attacks businesses works

Ryuk is one of the most notorious ransomware families of the past few years. Since it first appeared in the summer of 2018, it has built up an impressive list of victims, above all in the corporate environment, which is the main target of its attacks.

1. General information

This document contains an analysis of one variant of the Ryuk ransomware, together with the loader responsible for loading the malware onto the system.

The Ryuk ransomware first appeared in the summer of 2018. One difference between Ryuk and other ransomware is that it is aimed at corporate environments.

In mid-2019, cybercriminal groups used this ransomware to attack a large number of Spanish companies.

Fig. 1: Excerpt from El Confidencial about the Ryuk ransomware attack [1]

Fig. 2: Excerpt from El País about an attack carried out with the Ryuk ransomware [2]

This year, Ryuk has attacked a large number of companies in various countries. As you can see in the figures below, Germany, China, Algeria and India have been hit hardest.

By comparing the number of cyberattacks, we can see that Ryuk has affected millions of users and put a huge amount of data at risk, leading to serious economic losses.

Fig. 3: Map of Ryuk's activity worldwide

Fig. 4: The 16 countries most affected by Ryuk

Fig. 5: Number of users attacked by the Ryuk ransomware (in millions)

In line with the usual pattern of such threats, once encryption is complete this ransomware shows the victim a ransom note demanding payment in bitcoins to a specified address in exchange for restoring access to the encrypted files.

This malware has changed since it was first introduced. The variant of the threat analysed in this document was discovered during an attempted attack in January 2020.

Because of its complexity, this malware is usually attributed to organised cybercriminal groups, also known as APT groups.

Part of Ryuk's code shows a notable similarity in code and structure to another well-known ransomware, Hermes, with which it shares a number of identical functions. For this reason Ryuk was initially linked to the North Korean group Lazarus, which at the time was suspected of being behind the Hermes ransomware.

CrowdStrike's Falcon X service later noted that Ryuk was in fact created by the WIZARD SPIDER group [4].

There is further evidence supporting this assumption. First, this ransomware was advertised on the site exploit.in, a well-known Russian malware marketplace that has previously been associated with certain Russian APT groups. This fact rules out the theory that Ryuk could have been developed by the Lazarus APT group, because it does not match the way that group operates.

In addition, Ryuk was advertised as ransomware that would not run on Russian, Ukrainian or Belarusian systems. This behaviour is determined by a feature found in some versions of Ryuk, which check the language of the system on which the ransomware is running and stop it from running if the system language is Russian, Ukrainian or Belarusian. Finally, expert analysis of a machine compromised by the WIZARD SPIDER team revealed several "artifacts" that were allegedly used in developing Ryuk as a variant of the Hermes ransomware.

On the other hand, the researchers Gabriela Nicolao and Luciano Martins have suggested that the ransomware may have been developed by the APT group CryptoTech [5]. This follows from the fact that a few months before Ryuk appeared, this group posted on the forum of the same site that they had developed a new version of the Hermes ransomware.

Several forum users questioned whether CryptoTech had really created Ryuk. The group then defended itself, stating that it had evidence that it had developed 100% of the ransomware.

2. Characteristics

We begin with the loader, whose task is to identify the system it is running on so that the "correct" version of the Ryuk ransomware can be launched.
The loader's hashes are:

MD5 A73130B0E379A989CBA3D695A157A495
SHA256 EF231EE1A2481B7E627921468E79BB4369CCFAEB19A575748DD2B664ABC4F469

One feature of this loader is that it contains no metadata, i.e. the creators of this malware did not include any information in it.

Sometimes they include false data to trick the user into believing they are running a legitimate application. However, as we will see later, when the infection does not involve user interaction (as is the case with this ransomware), the attackers see no need to use metadata.

Fig. 6: Sample metadata

The sample was compiled in 32-bit format so that it can run on both 32-bit and 64-bit systems.

3. Entry vector

The sample that downloads and runs Ryuk entered our system through a remote connection; the access parameters had been obtained through a preliminary RDP attack.

Fig. 7: Attack log

The attacker managed to log in to the system remotely. He then created an executable file with our sample.
This executable was blocked by the antivirus solution before it could run.

Fig. 8: Sample blocked

Fig. 9: Sample blocked

When the malicious file was blocked, the attacker tried to download an encrypted version of the executable, which was also blocked.

Fig. 10: Set of samples the attacker tried to run

Finally, he tried to download another malicious file through an encrypted PowerShell console in order to bypass the antivirus protection. But that was blocked too.

Fig. 11: PowerShell with malicious content blocked

Fig. 12: PowerShell with malicious content blocked
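As an added illustration for defenders (this script is not part of the PandaLabs report), the following Python code shows how the entry vector above, a burst of failed RDP logons from one address followed by a successful logon from the same address, can be picked out of Windows Security log data. The log lines are constructed for the example in a simplified key=value form; the event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values, while the failure threshold and time window are tuning assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample Security-log lines (simplified key=value form, not the
# report's own Fig. 7). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-01-14T02:11:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2020-01-14T02:11:05 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23
2020-01-14T02:11:08 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=198.51.100.23
2020-01-14T02:11:09 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2020-01-14T02:11:12 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2020-01-14T02:11:20 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23
2020-01-14T02:15:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.7
2020-01-14T02:15:30 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["eid"] = int(ev["eid"])
        ev["lt"] = int(ev["lt"])
        yield ev


def find_rdp_bruteforce(text, threshold=5, window_s=600):
    """Return one alert per source IP that accumulated at least `threshold`
    failed RDP logons within `window_s` seconds and then logged on
    successfully from the same IP (the pattern described in section 3)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = []
    for ev in parse_events(text):
        if ev["lt"] != 10:         # only RDP (RemoteInteractive) logons matter here
            continue
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev["ts"])
        elif ev["eid"] == 4624:
            recent = [t for t in failures[ev["ip"]]
                      if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({
                    "ip": ev["ip"],
                    "user": ev["user"],
                    "failures_before_success": len(recent),
                    "success_at": ev["ts"].isoformat(),
                })
            failures[ev["ip"]].clear()  # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failed logon from 192.0.2.7 followed by a success is ordinary user behaviour and produces no alert; the five failures from 198.51.100.23 in under a minute, followed by a success for the administrator account, do. A real deployment would feed exported event data into `find_rdp_bruteforce` instead of the constructed lines.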

4. Loader

When it runs, it writes a ReadMe file to the %temp% folder, which is typical of Ryuk. This file is a ransom note containing an email address on the protonmail domain, which is quite common in this ransomware family: [email protected]

Fig. 13: Ransom demand

While the loader is running, you can see that it launches several executables with random names. They are stored in the hidden PUBLIC folder, but if the "Show hidden files and folders" option is not enabled in the operating system, they stay hidden. Moreover, these files are 64-bit, unlike the parent file, which is 32-bit.

Fig. 14: Executables launched by the sample

As you can see in the image above, Ryuk launches icacls.exe, which is used to modify all the ACLs (Access Control Lists), thereby guaranteeing access to, and modification of, the flags.

It obtains full access for all users to all files on the device (/T), regardless of errors (/C) and without displaying any messages (/Q).

Fig. 15: Execution parameters of the icacls.exe launched by the sample
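The icacls.exe invocation described above is a useful detection point, because legitimate administration rarely grants full control to everyone over an entire drive while suppressing errors and output. The following Python triage routine is an added example, not code from the report: it scores process-creation records for exactly that combination (/T, /C, /Q, a drive-root target and a full-control grant to Everyone). The records are constructed here, and since Fig. 15 is not reproduced on the page the grant syntax (`/grant Everyone:F`, or the well-known Everyone SID S-1-1-0 written as `*S-1-1-0`) is an assumption.

```python
import re

# Constructed process-creation records as (image path, command line). The
# first two follow the /T /C /Q pattern described in section 4; the grant
# syntax is assumed since Fig. 15 is not reproduced on the page.
SAMPLE_PROCESSES = [
    ("C:\\Windows\\System32\\icacls.exe", 'icacls "C:\\*" /grant Everyone:F /T /C /Q'),
    ("C:\\Windows\\System32\\icacls.exe", 'icacls "D:\\*" /grant *S-1-1-0:(OI)(CI)F /T /C /Q'),
    ("C:\\Windows\\System32\\icacls.exe", 'icacls "C:\\Users\\jsmith\\report.docx" /grant jsmith:R'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

# "Everyone" by name or by its well-known SID S-1-1-0 (icacls accepts "*SID").
WORLD_PRINCIPALS = {"everyone", "*s-1-1-0", "s-1-1-0"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def analyse_icacls(image, cmdline):
    """Score one icacls invocation; return None for other images."""
    if not image.lower().endswith("icacls.exe"):
        return None
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    switches = {t for t in low if t.startswith("/")}
    # /grant and /grant:r ("replace") both take "<principal>:<rights>" next
    grants = [low[i + 1] for i, t in enumerate(low)
              if t.split(":")[0] == "/grant" and i + 1 < len(low)]
    world_full = any(
        g.split(":", 1)[0] in WORLD_PRINCIPALS and g.split(":", 1)[-1].endswith("f")
        for g in grants if ":" in g
    )
    recursive = "/t" in switches
    quiet = "/c" in switches and "/q" in switches
    target = low[1] if len(low) > 1 else ""
    drive_root = re.match(r"^[a-z]:\\\*?$", target) is not None
    score = sum([world_full, recursive, quiet, drive_root])
    return {
        "cmdline": cmdline,
        "world_full_control": world_full,   # Everyone / S-1-1-0 granted F
        "recursive": recursive,             # /T: whole tree
        "quiet_continue_on_error": quiet,   # /C and /Q together
        "drive_root_target": drive_root,    # e.g. C:\*
        "score": score,
    }


def triage(records, min_score=3):
    """Return the findings whose score reaches min_score, highest first."""
    found = [analyse_icacls(img, cmd) for img, cmd in records]
    return sorted((f for f in found if f and f["score"] >= min_score),
                  key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCESSES):
        print(finding["score"], finding["cmdline"])
```

Scoring the four traits separately rather than matching one exact string keeps the rule robust against small variations in argument order or SID spelling; a score of 3 or 4 is worth an alert, while the single-file `/grant jsmith:R` record scores 0 and is ignored.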

It is important to note that Ryuk checks which version of Windows is in use. To do this it performs a version check using GetVersionExW, examining the value of the lpVersionInformation parameter to determine whether the current version of Windows is newer than Windows XP.

Depending on whether a version later than Windows XP is in use, the loader writes to the local user folder, in this case the %Public% folder.

Fig. 17: Checking the operating system version

The file it writes is called Ryuk. It then runs it, passing its own address as a parameter.

Fig. 18: Running Ryuk via ShellExecute

The first thing Ryuk does is obtain its input parameters. In this case there are two input parameters (the executable itself and the dropper's address), which are used to remove its traces.

Fig. 19: Process creation

You can also see that, once it has run the executable, it deletes itself, thereby leaving no trace of its presence in the folder where it was executed.

Fig. 20: File deletion

5. RYUK

5.1 Persistence
Ryuk, like other malware, tries to stay on the system for as long as possible. As shown above, one way to achieve this is to covertly create and run executables. The most common way to do this is to modify the CurrentVersion\Run registry key.
In this case you can see that, for this purpose, the first file launched, VWjRF.exe
(the file name is generated randomly), starts cmd.exe.

Fig. 21: Running VWjRF.exe

It then adds a RUN entry under the name "svchos". So if you check the registry keys at any point, you could easily overlook this change, given how similar the name is to svchost. Thanks to this key, Ryuk ensures its persistence on the system. If the system has not yet been infected, then when the system is restarted, the executable will try again.

Fig. 22: The sample ensures persistence in the registry key

We can also see that this executable stops two services:
"audioendpointbuilder", which, as its name suggests, corresponds to the system audio,

Fig. 23: The sample stops the system audio service

and Samss, which is the account management service. Stopping these two services is characteristic of Ryuk. In this case, if the system is connected to a SIEM, the ransomware tries to stop any alerts being sent to the SIEM. In this way it protects its subsequent steps, since some SAM services will not be able to start correctly after Ryuk has run.

Fig. 24: The sample stops the Samss service
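Both traits in this section, a Run value whose name is one character away from a legitimate process name and the stopping of the audioendpointbuilder and Samss services, are easy to miss by eye and easy to catch programmatically. The following Python code is an added example (not part of the PandaLabs report) that triages Run-key entries with an edit-distance lookalike check and scans service-control events for the two services named above. The registry entries and event lines are constructed here rather than read from a live system; the "svchos" name and VWjRF.exe come from the report, the paths, the list of legitimate names and the distance threshold are assumptions, and 7036 is the Service Control Manager's "service entered the ... state" event.

```python
import re

# Legitimate Windows process names that malware likes to imitate (a tuning list).
LEGIT_NAMES = ["svchost", "explorer", "lsass", "csrss", "winlogon", "services"]

# Constructed Run-key entries as (value name, command). The "svchos" name and
# VWjRF.exe come from the report; the paths are assumptions for the example.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", "C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("svchos", 'cmd.exe /c "C:\\Users\\Public\\VWjRF.exe"'),
    ("SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

# Constructed System-log lines in a simplified key=value form. 7036 is the
# Service Control Manager's "service entered the <state> state" event.
SAMPLE_SERVICE_EVENTS = """\
2020-01-14T02:20:01 EventID=7036 Service=AudioEndpointBuilder State=stopped
2020-01-14T02:20:02 EventID=7036 Service=SamSs State=stopped
2020-01-14T02:20:05 EventID=7036 Service=wuauserv State=running
2020-01-14T02:20:06 EventID=7036 Service=SamSs State=running
"""

WATCHED_SERVICES = {"audioendpointbuilder", "samss"}   # the two stopped by Ryuk
SVC_RE = re.compile(r"EventID=7036 Service=(?P<svc>\S+) State=(?P<state>\w+)")


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, max_distance=2):
    """Return the legitimate name this value name imitates (a near miss,
    not an exact match), or None."""
    n = name.lower()
    for legit in LEGIT_NAMES:
        if n != legit and edit_distance(n, legit) <= max_distance:
            return legit
    return None


def triage_run_entries(entries):
    """Flag Run values by name lookalike, cmd.exe launcher and Users\\Public path."""
    findings = []
    for name, command in entries:
        reasons = []
        legit = lookalike_of(name)
        if legit:
            reasons.append(f"name imitates {legit}")
        cmd_low = command.lower()
        if re.search(r"(^|\\)cmd(\.exe)?(\s|$)", cmd_low):
            reasons.append("launches via cmd.exe")
        if "\\users\\public\\" in cmd_low:
            reasons.append("target lives under Users\\Public")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


def stopped_watched_services(text):
    """Return the watched services seen entering the stopped state, in log order."""
    hits = []
    for line in text.splitlines():
        m = SVC_RE.search(line)
        if m and m["state"] == "stopped" and m["svc"].lower() in WATCHED_SERVICES:
            hits.append(m["svc"])
    return hits


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("stopped:", stopped_watched_services(SAMPLE_SERVICE_EVENTS))
```

The lookalike check deliberately excludes exact matches: a value literally named "svchost" is a different (and also suspicious) case, but the report's trick is the near miss. Seeing both watched services stop within seconds of each other, together with a flagged Run entry, is a strong combined signal.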

5.2 Privileges

Generally, Ryuk begins by moving laterally across the network, or it is launched by other malware such as Emotet or Trickbot, which, if they have escalated privileges, pass those elevated privileges on to the ransomware.

Beforehand, as a prelude to the implementation process, we see it call ImpersonateSelf, which means that the security context of the access token is passed to the thread, from which it is immediately retrieved using GetCurrentThread.

Fig. 25: Call to ImpersonateSelf

We then see that it associates the access token with the thread. We also see that one of the flags is DesiredAccess, which can be used to control the access the thread will have. In this case the value received by edx should be TOKEN_ALL_ACCESS or, alternatively, TOKEN_WRITE.

Fig. 26: Creating the thread token

It then uses SeDebugPrivilege and makes a call to obtain debug permissions for the thread, resulting in PROCESS_ALL_ACCESS, so that it can access any process it needs. Now, since the encryptor already has a prepared thread, all that remains is to proceed to the final stage.

Fig. 27: Calling SeDebugPrivilege and the privilege escalation function

On the one hand, we have LookupPrivilegeValueW, which provides the necessary information about the privileges we want to escalate.

Fig. 28: Requesting privilege information for privilege escalation

On the other hand, we have AdjustTokenPrivileges, which allows us to obtain the required privileges for our thread. In this case the most important element is NewState, the flag that will grant the privileges.

Fig. 29: Setting token privileges

5.3 Implementation

In this section we will show how the sample carries out the implementation process mentioned earlier in this report.

The main goal of the implementation process, as of the escalation, is to gain access to the shadow copies. To do this it needs to run a thread with higher privileges than those of the local user. Once it has gained such elevated privileges, it deletes the copies and makes changes to other processes so that it becomes impossible to roll the operating system back to an earlier restore point.

As is typical for this type of malware, it uses CreateToolhelp32Snapshot to take a snapshot of the running processes and then tries to access those processes using OpenProcess. Once it gains access to a process, it also opens the token with its information in order to obtain the process parameters.

Fig. 30: Retrieving the processes on the computer

We can see dynamically how it obtains the list of running processes in routine 140002D9C using CreateToolhelp32Snapshot. Having obtained them, it walks the list, trying to open the processes one by one with OpenProcess until it succeeds. In this case, the first process it managed to open was "taskhost.exe".

Fig. 31: Dynamically executing the procedure that obtains a process

We then see that it reads the process token information, so it calls OpenProcessToken with the parameter "20008".

Fig. 32: Reading the process token information

It also checks that the process it is going to inject into is not csrss.exe, explorer.exe or lsass.exe, or one with the NT AUTHORITY set of privileges.

Fig. 33: Excluded processes

We can see dynamically how it first performs the check, using the process token information in 140002D9C, to find out whether the account whose privileges are used to run the process is the NT AUTHORITY account.

Fig. 34: NT AUTHORITY check

Later, outside the procedure, it checks that the process is not csrss.exe, explorer.exe or lsass.exe.

Fig. 35: NT AUTHORITY check

Once it has taken the process snapshot, opened the processes and verified that none of them is excluded, it is ready to write the processes that will be injected into memory.

To do this, it first reserves space in memory (VirtualAllocEx), writes to it (WriteProcessMemory) and then creates a thread (CreateRemoteThread). To use these functions it relies on the PIDs of the selected processes, which it obtained earlier using CreateToolhelp32Snapshot.

Fig. 36: Code injection

Here we can see dynamically how it uses the process PID to call the VirtualAllocEx function.

Fig. 37: Calling VirtualAllocEx
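Sections 5.2 and 5.3 together describe a sequence that a sandbox or EDR API trace records very clearly: SeDebugPrivilege enabled through AdjustTokenPrivileges, then VirtualAllocEx, WriteProcessMemory and CreateRemoteThread aimed at a different process. The following Python code is an added example for analysts (not code from the report) that replays such a trace and raises one alert per caller/target pair that completes the three steps in order, noting whether the caller enabled SeDebugPrivilege first and whether the target is one of the processes the report says Ryuk skips. It also decodes the "20008" DesiredAccess value from Fig. 32, read as hexadecimal 0x20008, into the documented token rights (READ_CONTROL | TOKEN_QUERY, which Windows defines as TOKEN_READ). The trace lines are constructed in a simplified key=value form; only "taskhost.exe", the excluded process names and the 0x20008 value come from the text.

```python
import re
from collections import defaultdict

# Documented Win32 token access rights (bit -> name).
TOKEN_RIGHTS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE",    0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE",   0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS",  0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
    0x00010000: "DELETE",           0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",        0x00080000: "WRITE_OWNER",
}

INJECTION_STEPS = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
AVOIDED_BY_RYUK = {"csrss.exe", "explorer.exe", "lsass.exe"}  # excluded per section 5.3

# Constructed sandbox-style API trace (caller pid, API, key arguments). Not
# taken from the report's figures; "taskhost.exe" and 0x20008 are from the text.
SAMPLE_TRACE = """\
pid=4120 api=CreateToolhelp32Snapshot flags=0x2
pid=4120 api=OpenProcess target_pid=1844 name=taskhost.exe
pid=4120 api=OpenProcessToken desired_access=0x20008
pid=4120 api=LookupPrivilegeValueW privilege=SeDebugPrivilege
pid=4120 api=AdjustTokenPrivileges privilege=SeDebugPrivilege attr=SE_PRIVILEGE_ENABLED
pid=4120 api=VirtualAllocEx target_pid=1844 size=0x1000 protect=PAGE_EXECUTE_READWRITE
pid=4120 api=WriteProcessMemory target_pid=1844 size=0x1000
pid=4120 api=CreateRemoteThread target_pid=1844
pid=5000 api=VirtualAllocEx target_pid=5000 size=0x2000 protect=PAGE_READWRITE
pid=5000 api=WriteProcessMemory target_pid=5000 size=0x2000
"""
KV_RE = re.compile(r"(\w+)=(\S+)")


def decode_token_access(mask):
    """Name the rights set in a token DesiredAccess mask; unknown bits are
    reported as one hex leftover so nothing is silently dropped."""
    names = [name for bit, name in sorted(TOKEN_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(TOKEN_RIGHTS)       # keys are distinct bits, so sum == OR
    if leftover:
        names.append(f"unknown:0x{leftover:x}")
    return names


def parse_trace(text):
    """One dict of key=value pairs per non-empty trace line."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_remote_injection(text):
    """One alert per (caller, target) that completed VirtualAllocEx ->
    WriteProcessMemory -> CreateRemoteThread, in order, against another
    process. Records whether the caller enabled SeDebugPrivilege first and
    whether the target is one of the processes the report says Ryuk skips."""
    progress = defaultdict(int)      # (caller, target) -> steps matched so far
    debug_enabled = set()            # callers that enabled SeDebugPrivilege
    target_names = {}                # (caller, target) -> image name from OpenProcess
    alerts = []
    for ev in parse_trace(text):
        pid, api, target = ev.get("pid"), ev.get("api"), ev.get("target_pid")
        if api == "OpenProcess" and target:
            target_names[(pid, target)] = ev.get("name", "?")
        elif (api == "AdjustTokenPrivileges"
              and ev.get("privilege") == "SeDebugPrivilege"
              and ev.get("attr") == "SE_PRIVILEGE_ENABLED"):
            debug_enabled.add(pid)
        elif api in INJECTION_STEPS and target and target != pid:
            key = (pid, target)
            if INJECTION_STEPS[progress[key]] == api:   # next expected step?
                progress[key] += 1
            if progress[key] == len(INJECTION_STEPS):
                name = target_names.get(key, "?")
                alerts.append({
                    "caller": pid, "target": target, "target_name": name,
                    "sedebug_enabled_first": pid in debug_enabled,
                    "target_avoided_by_ryuk": name.lower() in AVOIDED_BY_RYUK,
                })
                progress[key] = 0
    return alerts


if __name__ == "__main__":
    print("0x20008 ->", decode_token_access(0x20008))
    for alert in detect_remote_injection(SAMPLE_TRACE):
        print(alert)
```

Allocations and writes into the caller's own process (pid 5000 in the trace) are normal runtime behaviour and are skipped; only cross-process sequences count, and requiring the three steps in order keeps unrelated VirtualAllocEx calls from raising alerts on their own.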

5.4 Encryption
In this section we look at the encryption part of this sample. In the following image you can see two subroutines named "LoadLibrary_EncodeString" and "Encode_Func", which are responsible for carrying out the encryption procedure.

Fig. 38: Encryption procedures

At the beginning we can see how it loads a string that will later be used to deobfuscate everything it needs: imports, DLLs, commands, files and CSPs.

Fig. 39: Deobfuscation routine

The following figure shows the first deobfuscated import in register R4, LoadLibrary. This will later be used to load the required DLLs. We can also see another string in register R12, which is used together with the previous string to perform the deobfuscation.

Fig. 40: Dynamic deobfuscation

It continues by retrieving the commands that it will later run to disable backups, restore points and safe boot modes.

Fig. 41: Loading the commands

It then loads the location where it will drop 3 files: Windows.bat, run.sc and start.bat.

Fig. 42: File locations

These 3 files are used to check the privileges each location has. If the required privileges are not available, Ryuk stops executing.

It continues by loading the strings corresponding to three files. First, DECRYPT_INFORMATION.html, which contains the information needed to recover the files. Second, PUBLIC, which contains the RSA public key.

Fig. 43: String DECRYPT_INFORMATION.html

Third, UNIQUE_ID_DO_NOT_REMOVE, which contains the encrypted key that will be used in the next routine to perform the encryption.

Fig. 44: String UNIQUE_ID_DO_NOT_REMOVE

Finally, it loads the required libraries and imports and the CSPs (Microsoft Enhanced RSA and AES Cryptographic Provider).

Fig. 45: Loading libraries

Once all the deobfuscation is complete, it proceeds to the actions needed for encryption: enumerating all logical drives, executing what was loaded in the previous routine, reinforcing its persistence on the system, dropping the RyukReadMe.html file, encrypting, enumerating all network drives, switching to the discovered devices and encrypting them as well.
It all starts by loading "cmd.exe" and the RSA public key records.

Fig. 46: Preparing for encryption

It then obtains all the logical drives using GetLogicalDrives and disables all backups, restore points and safe boot modes.

Fig. 47: Disabling recovery tools

After that it reinforces its persistence on the system, as we saw above, and writes the first RyukReadMe.html file to TEMP.

Fig. 48: Dropping the ransom note

In the following image you can see how it creates the file, loads the content and writes it:

Fig. 49: Loading and writing the file content

To be able to perform the same actions on all devices, it uses
"icacls.exe", as we showed above.

Fig. 50: Running icacls.exe

And finally, it starts encrypting files, except for "*.exe" and "*.dll" files, system files and other locations specified in an encrypted whitelist. To do this it uses the imports CryptAcquireContextW (where the use of AES and RSA is specified), CryptDeriveKey, CryptGenKey, CryptDestroyKey, etc. It also tries to extend its reach to discovered network devices using WNetEnumResourceW and then encrypts them.

Fig. 51: Encrypting system files
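The encryption stage leaves a recognisable footprint on disk: the RyukReadMe.html and DECRYPT_INFORMATION.html notes, the UNIQUE_ID_DO_NOT_REMOVE key file, and data files that have turned into high-entropy blobs while *.exe and *.dll files, which the whitelist spares, remain intact. The following Python scanner is an added example for incident responders (not code from the report) that walks a directory tree and reports all three. It builds its own sample tree in a temporary directory so it runs offline; the entropy threshold (7.5 bits per byte), the minimum file size and the list of normally compressed extensions that are excluded to limit false positives are tuning assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter

# File names the report associates with Ryuk (compared case-insensitively).
NOTE_NAMES = {"ryukreadme.html", "decrypt_information.html", "unique_id_do_not_remove"}
SKIPPED_BY_RYUK = {".exe", ".dll"}            # left unencrypted per section 5.4
NORMALLY_COMPRESSED = {".zip", ".gz", ".7z", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, reached by a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root, threshold=7.5, min_size=1024, sample_bytes=65536):
    """Return {'notes', 'suspect_encrypted', 'skipped_binaries'} -> sorted paths.
    Only the first sample_bytes of each file are read for the entropy test."""
    result = {"notes": [], "suspect_encrypted": [], "skipped_binaries": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            ext = os.path.splitext(fn)[1].lower()
            if fn.lower() in NOTE_NAMES:
                result["notes"].append(path)
                continue
            if ext in SKIPPED_BY_RYUK:
                result["skipped_binaries"].append(path)
                continue
            if ext in NORMALLY_COMPRESSED or os.path.getsize(path) < min_size:
                continue                      # compressed formats are high-entropy by nature
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            if shannon_entropy(head) >= threshold:
                result["suspect_encrypted"].append(path)
    for paths in result.values():
        paths.sort()
    return result


def build_sample_tree():
    """Create a constructed directory imitating a hit share; return its path."""
    root = tempfile.mkdtemp(prefix="ryuk-scan-")
    rng = random.Random(2020)                 # deterministic stand-in for ciphertext
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    text = b"Quarterly figures, nothing unusual here.\n" * 100
    layout = {
        "Users/Public/RyukReadMe.html": b"<html>constructed ransom-note placeholder</html>",
        "Users/Public/UNIQUE_ID_DO_NOT_REMOVE": blob[:512],
        "Finance/report.docx": blob,          # "encrypted" document
        "Finance/notes.txt": text,            # untouched plain text
        "Finance/archive.zip": blob,          # compressed: excluded from the entropy test
        "Tools/helper.exe": b"MZ" + text,     # binaries Ryuk skips
        "Tools/lib.dll": b"MZ" + text,
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for kind, paths in scan_tree(root).items():
        print(kind, [os.path.relpath(p, root) for p in paths])
```

Because the scanner only needs file names, sizes and the first 64 KiB of each candidate, it is cheap enough to run across a large share during scoping; the entropy test is a heuristic, so its hits should be confirmed (for example by checking that the file no longer parses as its claimed format) before they are counted as encrypted.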

6. Imports and corresponding flags

Below is a table showing the most relevant imports and related flags used by the sample:

Figure: Table of the sample's imports and related flags

7. IOC

Figure: Indicators of compromise

Referenced files:

  • Users\Public\run.sc
  • AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat
  • Start Menu\Programs\Startup\start.bat

This technical report on the Ryuk ransomware was prepared by experts from the PandaLabs antivirus laboratory.

8. Links

1. "Everis y Prisa Radio sufren un grave ciberataque que secuestra sus sistemas." https://www.elconfidencial.com/tecnologia/2019-11-04/everis-la-ser-ciberataque-ransomware-15_2312019/, published 04/11/2019.

2. "Un virus de origen ruso ataca a importantes empresas españolas." https://elpais.com/tecnologia/2019/11/04/actualidad/1572897654_251312.html, published 04/11/2019.

3. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/, published 11/12/2019.

4. "Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware." https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/, published 10/01/2019.

5. "VB2019 paper: Shinigami's revenge: the long tail of the Ryuk malware." https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-shinigamis-revenge-long-tail-r

Source: www.habr.com