Ryuk
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 13/05/2020 22:14
- Modified
- 27/03/2026 01:05
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 50 attack patterns (mitre), 3 intrusion sets (apt), 9 sectors, 7 countries, 97 indicators, 4 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (50)
Intrusion sets (APT) (3)
-
DPRK usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (9)
-
Manufacturing targets
-
High-tech targets
-
Public Health targets
-
Government targets
-
Chemical targets
-
Education targets
-
Healthcare targets
-
Retail targets
-
Human Services targets
Countries (7)
-
Korea, Republic of targets
-
Italy targets
-
Brazil targets
-
Germany targets
-
United States of America targets
-
United Kingdom of Great Britain and Northern Ireland targets
-
Canada targets
Indicators (97)
-
http://5.61.33.200/henos.exeindicatesstix 100/100 RevokedWin32:BotX-gen\ [Trj]
· Valid until 29/05/2022 · Source: AlienVault -
http://michaelstefensson.com/supd/s.exeindicatesstix 100/100 Revoked· Valid until 29/05/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked
SHA256 of 47791bf9e017e3001ddc68a7351ca2d6
· Valid until 22/06/2024 · Source: AlienVault -
stix 100/100 Revoked
GoLandBuildPE
· Valid until 22/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked
Win64:CrypterX-gen\ [Trj]
· Valid until 02/10/2023 · Source: AlienVault -
stix 100/100 Revoked
webshell_jsp_generic SHA256 of 25ee4001eb4e91f7ea0bc5d07f2a9744
· Valid until 22/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
Vulnerabilities (CVE) (4)
SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
- Published
- 28/01/2022
- Modified
- 20/12/2025
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …
- Published
- 03/11/2021
- Modified
- 20/12/2025
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
- Attack vector
- Network
- Published
- 10/02/2023
- Modified
- 20/12/2025