{
  "description": "Enterprise techniques used by Ryuk, ATT&CK software S0446 (v1.4)",
  "name": "Ryuk (S0446)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1134", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has attempted to adjust its token privileges to obtain SeDebugPrivilege.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1547", "showSubtechniques": true},
    {"techniqueID": "T1547.001", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used cmd.exe to create a Registry entry to establish persistence.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1486", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has enumerated files and folders on all mounted drives.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1222", "showSubtechniques": true},
    {"techniqueID": "T1222.001", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) can launch icacls /grant Everyone:F /T /C /Q to delete every access-based restriction on files and directories.(Citation: ANSSI RYUK RANSOMWARE)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has stopped services related to anti-virus.(Citation: FireEye Ryuk and Trickbot January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1490", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used vssadmin Delete Shadows /all /quiet to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) can create .dll files that actually contain a Rich Text Format (RTF) document.(Citation: ANSSI RYUK RANSOMWARE)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has constructed legitimate-appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\\Users\\Public.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used multiple native APIs including ShellExecuteW to run executables, GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) can use anti-disassembly and code transformation obfuscation techniques.(Citation: CrowdStrike Wizard Spider October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has called CreateToolhelp32Snapshot to enumerate all running processes.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used the C$ network share for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) can remotely create a scheduled task to execute itself on a system.(Citation: ANSSI RYUK RANSOMWARE)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1489", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has called kill.bat to stop services, disable services, and kill processes.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has called GetLogicalDrives to enumerate all mounted drives, and GetDriveTypeW to determine the drive type.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1614", "showSubtechniques": true},
    {"techniqueID": "T1614.001", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has been observed to query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.(Citation: CrowdStrike Ryuk January 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1016", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has called GetIpNetTable in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.(Citation: CrowdStrike Ryuk January 2019)(Citation: Bleeping Computer - Ryuk WoL)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1205", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) has used Wake-on-LAN to power on turned-off systems for lateral movement.(Citation: Bleeping Computer - Ryuk WoL)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1078", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "[Ryuk](https://attack.mitre.org/software/S0446) can use stolen domain admin accounts to move laterally within a victim domain.(Citation: ANSSI RYUK RANSOMWARE)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Ryuk", "color": "#66b1ff"}]
}