Trick or Threat: Ryuk Ransomware Targets Health Care Industry
Common Information
Type Value
UUID bb672ae2-eb93-49f0-bd03-72389465568f
Fingerprint a42c01a90c3e26e2
Analysis status DONE
Considered CTI value 2
Text language
Published June 2, 2022, midnight
Added to db Sept. 26, 2022, 9:30 a.m.
Last updated Nov. 17, 2024, 6:30 p.m.
Headline Trick or Threat: Ryuk Ransomware Targets Health Care Industry
Title Trick or Threat: Ryuk Ransomware Targets Health Care Industry
Detected Hints/Tags/Attributes 100/3/47
Attributes
Details Type #Events CTI Value
Details Domain 129
api.ipify.org
Details Domain 1
ip4.seeip.org
Details Domain 154
us-cert.cisa.gov
Details Domain 17
www.npr.org
Details Domain 7
www.lastline.com
Details Domain 71
news.sophos.com
Details Domain 59
www.cybereason.com
Details Domain 7
hello.global.ntt
Details Domain 184
www.fireeye.com
Details Domain 172
www.crowdstrike.com
Details Domain 604
www.trendmicro.com
Details Domain 20
intel.com
Details Domain 74
thedfirreport.com
Details File 1
text_report.exe
Details File 8
rasadhlp.dll
Details File 229
advapi32.dll
Details File 83
crypt32.dll
Details File 130
ws2_32.dll
Details File 1
pluginsample.dll
Details File 1
c:\perflogs\socks64.dll
Details File 1
c:\share\socks64.dll
Details File 4
kegtap-and-singlemalt-with-a-ransomware-chaser.html
Details Url 26
https://api.ipify.org
Details Url 1
https://ip4.seeip.org
Details Url 5
https://us-cert.cisa.gov/ncas/alerts/aa20-302a.
Details Url 1
https://www.npr.org/2020/10/29/928979988/u-s-hospitals-targeted-in-rising-wave-of-
Details Url 1
https://www.lastline.com/blog/threat-intelligence-
Details Url 1
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-
Details Url 1
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-
Details Url 1
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-
Details Url 1
https://hello.global.ntt/insights/blog/trickbot-variant-communicating-over-dns.
Details Url 20
https://www.fireeye.com/blog/threat-
Details Url 1
https://www.crowdstrike.com/blog/big-game-hunting-
Details Url 1
https://www.trendmicro.com/vinfo/gb/security/news/cybercrime-and-digital-
Details Url 1
https://www.advanced
Details Url 1
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/.
Details Url 3
https://thedfirreport.com/2020/10/08/ryuks-return
Details Windows Registry Key 21
HKEY_CLASSES_ROOT\CLSID
Details Windows Registry Key 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PhotoAcquisition
Details Windows Registry Key 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Photo