Ryuk
Essential information
- Confidence
- 100/100
- Is family
- Yes
- Published
- 13/05/2020 22:14
- Modified
- 27/03/2026 01:05
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Related entities
- 50 attack patterns (mitre), 3 intrusion sets (apt), 9 sectors, 7 countries, 97 indicators, 4 vulnerabilities (cve)
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators, intrusion sets and other entities linked to this malware.
Attack patterns (MITRE) (50)
Intrusion sets (APT) (3)
-
DPRK usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The MITRE Corporation Confidence 100
[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (9)
-
Manufacturing targets
-
High-tech targets
-
Public Health targets
-
Government targets
-
Chemical targets
-
Education targets
-
Healthcare targets
-
Retail targets
-
Human Services targets
Countries (7)
-
Korea, Republic of targets
-
Italy targets
-
Brazil targets
-
Germany targets
-
United States of America targets
-
United Kingdom of Great Britain and Northern Ireland targets
-
Canada targets
Indicators (97)
-
stix 100/100 Revoked
#Lowfi:Lua:Mampa:99!ml
· Valid until 22/06/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked
TDrop2
· Valid until 29/10/2025 · Source: AlienVault -
stix 100/100 Revoked
research_pe_signed_outside_timestamp SHA256 of 29b6b54e10a96e6c40e1f0236b01b2e8
· Valid until 14/05/2024 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked
Win32:TrojanX-gen\ [Trj]
· Valid until 22/06/2024 · Source: AlienVault -
stix 100/100 Revoked
SHA256 of 2d02f5499d35a8dffb4c8bc0b7fec5c2
· Valid until 22/06/2024 · Source: AlienVault -
http://204.13.164.118:80indicatesstix 100/100 Revoked· Valid until 29/05/2022 · Source: AlienVault -
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 02/10/2023 · Source: AlienVault
-
stix 100/100 Revoked
Andariel
· Valid until 01/11/2025 · Source: AlienVault
Vulnerabilities (CVE) (4)
SonicWall SMA 100 devies are vulnerable to an unauthenticated stack-based buffer overflow vulnerability where exploitation can result in code execution.
- Published
- 28/01/2022
- Modified
- 20/12/2025
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Microsoft Windows Print Spooler contains an unspecified vulnerability due to the Windows Print Spooler service improperly performing privileged file operations. Successful exploitation …
- Published
- 03/11/2021
- Modified
- 20/12/2025
TerraMaster OS contains a remote command execution vulnerability that allows an unauthenticated user to execute commands on the target endpoint.
- Attack vector
- Network
- Published
- 10/02/2023
- Modified
- 20/12/2025