S0446: Ryuk
Analyst context for executives and security teams
Ryuk matters because ATT&CK records it as Windows ransomware designed for enterprise environments, with related behaviors that span discovery, lateral movement over SMB/admin shares, persistence, defense evasion, recovery inhibition, service stopping, and data encryption for impact. For leaders, this is not just a malware name; it is a resilience test of whether identity controls, Windows telemetry, segmentation, backups, and incident response procedures can hold up when an intrusion turns into business disruption.
Executive priority
Prioritize Ryuk as a business-continuity and recovery-readiness scenario. The decision questions are: can privileged domain account abuse be detected quickly, can lateral movement through Windows shares be constrained, can critical services and recovery mechanisms be protected, and can the organization prove through audit evidence that backups and restore processes work under ransomware conditions? The relationship to ICS impact through Loss of Productivity and Revenue also makes IT/OT dependency mapping relevant where Windows enterprise systems support operational processes.
Technical view
SOC and IR teams should validate coverage around the ATT&CK relationships rather than relying on a single malware signature. Focus on Windows execution through command shell and native APIs, scheduled tasks and Registry Run Keys/Startup Folder persistence, SMB/Windows Admin Shares lateral movement, domain account use, process and file discovery, network configuration discovery, process injection, access token manipulation, masquerading, ACL/permission changes, service stops, recovery inhibition, and high-volume file encryption behavior. FIN6 and Wizard Spider are recorded as groups that use Ryuk, but local detections should be behavior-led and not depend on attribution.
Likely telemetry
- Windows endpoint process creation and command-line logging
- Windows registry changes for Run keys and startup locations
- Scheduled task creation, modification, and execution events
- SMB/admin share access and remote file activity
- Active Directory authentication, domain account use, and privileged logon events
Detection direction
- Build detections from the related techniques because ATT&CK provides no official detection text for this object.
- Correlate domain account activity with SMB/admin share access, remote execution, scheduled task creation, and rapid file modification to reduce false positives from normal administration.
- Baseline legitimate service management, backup administration, and recovery operations so service stops or recovery inhibition can be triaged in business context.
- Tune masquerading and obfuscation detections against trusted Windows paths and names, but require supporting behavior to avoid excessive noise.
- Validate visibility on remote shares and servers, since ransomware impact may occur through file access paths that endpoint-only monitoring can miss.
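The correlation described above, written out as an added example (not code from the page, ATT&CK or Glexia): it joins admin-share access, scheduled-task creation and a burst of file writes per (host, domain account) inside a short window, so that a backup administrator who touches C$ and creates a task without a file burst does not fire. Event kinds, field names, the 10-minute window, the 25-file threshold and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window per (host, account)
FILE_BURST = 25                  # assumed number of file writes that counts as "rapid"

def _ev(ts, host, user, kind, detail):
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "kind": kind, "detail": detail}

# Constructed sample telemetry (not real logs). kind: "share" = admin share access
# (Security 5140), "task" = scheduled task created (Security 4698), "file" = file write.
SAMPLE = [
    # legitimate nightly backup: share access and a task, but no file burst
    _ev("2024-03-01T02:00:05", "FS01", "CORP\\svc-backup", "share", "C$"),
    _ev("2024-03-01T02:00:20", "FS01", "CORP\\svc-backup", "task", "NightlyBackup"),
    _ev("2024-03-01T02:01:00", "FS01", "CORP\\svc-backup", "file", "D:\\backup\\set.bak"),
    # ransomware-like pattern: share access, remote task, then a burst of .RYK writes
    _ev("2024-03-01T03:10:00", "FS02", "CORP\\adm-jdoe", "share", "C$"),
    _ev("2024-03-01T03:10:30", "FS02", "CORP\\adm-jdoe", "task", "lan"),
] + [
    _ev(f"2024-03-01T03:12:{i:02d}", "FS02", "CORP\\adm-jdoe", "file", f"D:\\shares\\doc{i}.docx.RYK")
    for i in range(40)
] + [_ev("2024-03-01T03:12:59", "FS02", "CORP\\adm-jdoe", "file", "D:\\shares\\RyukReadMe.txt")]

def correlate(events, window=WINDOW, burst=FILE_BURST):
    """Return one alert per (host, account) where an admin share access is followed,
    within `window`, by scheduled task creation and at least `burst` file writes."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_key.items():
        for i, anchor in enumerate(evs):
            # anchor only on administrative shares (C$, ADMIN$, ...)
            if anchor["kind"] != "share" or not anchor["detail"].endswith("$"):
                continue
            span = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            kinds = {e["kind"] for e in span}
            files = [e["detail"] for e in span if e["kind"] == "file"]
            if "task" in kinds and len(files) >= burst:
                alerts.append({"host": host, "user": user, "start": anchor["ts"].isoformat(),
                               "file_writes": len(files),
                               "ransom_note": any(f.endswith("RyukReadMe.txt") for f in files)})
                break  # one alert per (host, account); later windows are covered by this one
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a)
```

The .RYK extension and RyukReadMe.txt note are only reported as supporting context; the alert itself rests on the behavioural combination, so a rename of the extension does not silence it.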
Mitigation priorities
- Protect recovery first: maintain offline or otherwise resilient backups and regularly test restore procedures for critical Windows systems and file stores.
- Reduce blast radius by limiting privileged domain account use, enforcing least privilege, and monitoring administrative logons.
- Constrain SMB/admin share exposure through segmentation and access control, especially between user workstations, servers, and operationally critical systems.
- Harden Windows persistence paths by controlling and monitoring scheduled tasks, startup folders, and Registry Run keys.
- Restrict unauthorized service control, ACL changes, and backup/recovery modification to approved administrative workflows.
Analyst notes and limits
The supplied ATT&CK object identifies Ryuk as enterprise-focused Windows ransomware with code similarities to Hermes and relationships to multiple ATT&CK techniques. The most decision-useful context is the combination of credentialed lateral movement, persistence, evasion, service disruption, recovery inhibition, and encryption impact. External references include reporting on Wake-on-LAN use, so defenders should consider whether that telemetry exists, but detections should remain behavior-based and environment-specific.
ATT&CK provides no official detection guidance for this malware object, and the malware object itself lists no tactics. Some related techniques have broader platform metadata than the Ryuk object; this take treats Windows as the supported platform for Ryuk based on the supplied object field. Relationship presence does not prove current activity, customer exposure, or complete behavior in every intrusion. Local asset criticality, logging configuration, identity architecture, and backup design are required to assess actual risk and coverage.
Ryuk
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027 | Obfuscated Files or Information | Ryuk can use anti-disassembly and code transformation obfuscation techniques. (Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1106 | Native API | Ryuk has used multiple native APIs including |
| Enterprise | T1057 | Process Discovery | Ryuk has called |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Ryuk has used the C$ network share for lateral movement. (Citation: Bleeping Computer - Ryuk WoL) |
| Enterprise | T1083 | File and Directory Discovery | Ryuk has enumerated files and folders on all mounted drives. (Citation: CrowdStrike Ryuk January 2019) |
| Enterprise | T1490 | Inhibit System Recovery | Ryuk has used |
| Enterprise | T1614.001 | System Language Discovery | Ryuk has been observed to query the registry key |
| Enterprise | T1078.002 | Domain Accounts | Ryuk can use stolen domain admin accounts to move laterally within a victim domain. (Citation: ANSSI RYUK RANSOMWARE) |
| Enterprise | T1059.003 | Windows Command Shell | Ryuk has used |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Ryuk has constructed legitimate appearing installation folder paths by calling |
| Enterprise | T1489 | Service Stop | Ryuk has called |
| Enterprise | T1222.001 | Windows Permissions | Ryuk can launch |
| Enterprise | T1685 | Disable or Modify Tools | Ryuk has stopped services related to anti-virus. (Citation: FireEye Ryuk and Trickbot January 2019) |
| Enterprise | T1053.005 | Scheduled Task | Ryuk can remotely create a scheduled task to execute itself on a system. (Citation: ANSSI RYUK RANSOMWARE) |
| Enterprise | T1680 | Local Storage Discovery | Ryuk has called |
| Enterprise | T1205 | Traffic Signaling | Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement. (Citation: Bleeping Computer - Ryuk WoL) |
| Enterprise | T1486 | Data Encrypted for Impact | Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory. (Citation: CrowdStrike Ryuk January 2019) (Citation: CrowdStrike Wizard Spider October 2020) |
| Enterprise | T1055 | Process Injection | Ryuk has injected itself into remote processes to encrypt files using a combination of |
| Enterprise | T1036 | Masquerading | Ryuk can create .dll files that actually contain a Rich Text File format document. (Citation: ANSSI RYUK RANSOMWARE) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Ryuk has used the Windows command line to create a Registry entry under |
| Enterprise | T1016 | System Network Configuration Discovery | Ryuk has called |
| Enterprise | T1134 | Access Token Manipulation | Ryuk has attempted to adjust its token privileges to have the |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
G0037: FIN6
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | bbedbff5a2d4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CrowdStrike Ryuk January 2019: Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- [2] FireEye Ryuk and Trickbot January 2019: Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- [3] FireEye FIN6 Apr 2019: McKeague, B., et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- [4] Bleeping Computer - Ryuk WoL: Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.
- [5] Ryuk: (Citation: CrowdStrike Ryuk January 2019) (Citation: Bleeping Computer - Ryuk WoL)
- [6] mitre-attack S0446
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.