RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

External Threat Management Labs Analyst

RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware

October 30, 2020

By Team RiskIQ

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable.

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions.

To do our part, RiskIQ released the entirety of the infrastructure related to the Ryuk strain of ransomware collected by RiskIQ's Internet Intelligence Graph. These expansive, unique holdings complement recent public efforts by US federal agencies and researchers at FireEye, exposing all known infrastructure these criminals use to execute their attacks. FireEye also publicly released all relevant Ryuk indicators of compromise (IOCs) it has observed in 2020.

Enter RiskiQ's Threat Intelligence Portal for the full list of Ryuk IOCs

Ryuk malware is believed to be deployed by Eastern European criminals and delivered by the same threat actors behind the Trickbot malware platform. Trickbot was the subject of a massive takedown attempt carried out by Microsoft earlier this month, reportedly cooperating with US CYBERCOM.

Federal agencies issued an alert aimed at the United States healthcare industry, providing context on the Ryuk threat and releasing IOCs. The agencies, the Federal Bureau of Investigation (FBI), the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), also hosted a conference call for health care industry leaders to advise them.

Healthcare organizations can use this RiskIQ intelligence to search their networks for signs of an attack and prevent malicious connections to other Ryuk command-and-control servers. Our researchers have organized all IOCs to include all IP addresses, domains, and SHA-256 samples we have identified, in addition to what has previously been released publicly.

Users are encouraged to check the Internet Intelligence Portal daily to keep up-to-date with the latest developments and intelligence on Ryuk ransomware, as well as other strains of ransomware that may arise.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

5-Questions Security Intelligence Must Answer

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event