RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

External Threat Management Labs Analyst

RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

October 30, 2020

By Team RiskIQ

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable.

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions.

To do our part, RiskIQ released the entirety of the infrastructure related to the Ryuk strain of ransomware collected by RiskIQ's Internet Intelligence Graph. These expansive, unique holdings complement recent public efforts by US federal agencies and researchers at FireEye, exposing all known infrastructure these criminals use to execute their attacks. FireEye also publicly released all relevant Ryuk indicators of compromise (IOCs) it has observed in 2020.

Enter RiskiQ's Threat Intelligence Portal for the full list of Ryuk IOCs

Ryuk malware is believed to be deployed by Eastern European criminals and delivered by the same threat actors behind the Trickbot malware platform. Trickbot was the subject of a massive takedown attempt carried out by Microsoft earlier this month, reportedly cooperating with US CYBERCOM.

Federal agencies issued an alert aimed at the United States healthcare industry, providing context on the Ryuk threat and releasing IOCs. The agencies, the Federal Bureau of Investigation (FBI), the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), also hosted a conference call for health care industry leaders to advise them.

Healthcare organizations can use this RiskIQ intelligence to search their networks for signs of an attack and prevent malicious connections to other Ryuk command-and-control servers. Our researchers have organized all IOCs to include all IP addresses, domains, and SHA-256 samples we have identified, in addition to what has previously been released publicly.

Users are encouraged to check the Internet Intelligence Portal daily to keep up-to-date with the latest developments and intelligence on Ryuk ransomware, as well as other strains of ransomware that may arise.

Featured Posts

External Threat Management

The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...

#TwitterHack: How RiskIQ Data Exposed Hundreds of Domains Belonging to the Attackers

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill G...

Partner Deep-Dive: RiskIQ Security Intelligence Services for Splunk

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

COVID-19 Solution Brief

Hacker Valley Podcast

Forrester Wave: External Threat Intelligence Services, Q1 2021