Blog
/
Network
/
October 20, 2021

Analyzing the Resurgence of Ryuk Ransomware

Understand the latest developments in Ryuk ransomware and how its return affects organizations facing increased cyber threats.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Leddy
Director of Analyst Operations
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Oct 2021

In the era of international-scale cyber-warfare, focus has started to move away from small-time cyber thieves toward well-known, well-funded and sometimes government-backed cyber-crime organizations. Cyber-attacks sometimes work on discordant scales, however, and it doesn’t always take big budgets or key players for considerable damage to be dealt.

Numerous stories detail how the criminal and the curious alike have single-handedly breached some of the most secure systems in the world. At the more amusing end, there’s the story of Kristoffer von Hassel who discovered a novel exploit in Microsoft’s Xbox Live system at just five years old. And then of course there are those who hack their way right into promising security careers by breaching systems at major organizations. However, genuine damage has been done by individual threat actors as well.

These might be criminals using second-hand offensive tools, buying botnet armies for as little as $10 on the Dark Web, or using ransomware files downloaded for free. But ultimately, even a single cyber-criminal can inflict crippling damage upon large organizations if they are given the opportunity.

This is especially the case when the tools in their possession have been developed by some of the most notorious names in cyber-crime.

Copycat criminals

In early 2021, Darktrace detected a new instance of the once notorious Ryuk ransomware being launched against a business in the APAC region. The detection was intriguing.

The developers of Ryuk, a prolific cyber-criminal organization given the name ‘Wizard Spider’, had long since abandoned it in favor of a successor called ‘Conti’. Wizard Spider have launched some of the largest cyber-attacks in recent history, allegedly with the support of the Russian government, and are under investigation by Interpol and the FBI. They are not known for using outdated tools.

It soon became clear that this attack was not being launched by Wizard Spider at all, but by small-scale threat actors picking up the tools Wizard Spider left behind. And as the new attackers proved, these tools are still far from defunct.

Ryuk ransomware: A city-stopper for sale

Ryuk ransomware is commonly used to target large enterprise environments, even taking down entire city councils in some instances. Lake City, Florida and the City of Onkaparinga in South Australia are two of its known victims, along with numerous schools and hospitals across the US.

Once active in a system, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files, disabling Windows’ system restore feature as it does so, and generally demands payment via Bitcoin in return for a private decryption key.

Though Ryuk was not initially sold in the same manner as its predecessor, Hermes, on the Dark Web site ‘exploit[.]in’, it is now believed by some publications that the toolkit must be available somewhere for various threat actors to buy and tailor to their requirements. This explains its recurrence beyond Wizard Spider activities.

New dog, old tricks

Darktrace spotted the new instance of Ryuk during a trial with a real estate business in the APAC region. The first warning sign came when some basic .dat files were downloaded onto one of the business’ devices from an unknown Russian IP address. Darktrace immediately detected that this download was a likely breach and, had Antigena been set up in active mode, would have initiated a targeted response at this early stage.

The .dat files on the infected device allowed the attackers to use RDP (Remote Desktop Protocol) to spread further into the business’ network. Two days after the initial compromise, the threat actor had gained administrative credentials through a bruteforce attack and could begin scanning the network further.

Figure 1: Timeline of the attack

The witching hour

Just an hour after the attacker gained administrative credentials, at approximately 3:30am local time, ransomware files appeared in the business’ network. This timing was not accidental. The attackers knew that the security teams at the target business were home and asleep when the ransomware landed in the small hours of the morning, giving them plenty of time to conduct their attack.

This is precisely the kind of simple tactic which can multiply the scale of an attack without using large budgets or complex toolsets. The Ryuk ransomware rapidly began encrypting corporate files during the night, and by the time the security team returned in the morning, all they could do was shut down the entire network and hope to limit the spread of Ryuk, if only to save a few final devices.

The total attack time, from initial compromise to widespread data encryption, was just two and a half days. Whether due to understaffing or preoccupation, the security team did not find the time in that small window to respond to alerts, and, with Darktrace Antigena in passive mode, the attack was able to go ahead. This business’ need for Autonomous Response, which can protect against old and new attacks around the clock without the need for manual intervention, was painfully apparent.

Autonomous Response: Stop Ryuk before Ryuk stops you

Understanding Ryuk’s history and functionality does little good for organizations when it is still capable of eluding their defenses and catching security teams unawares. Darktrace’s Self-Learning AI is uniquely positioned to address these sophisticated threats, even as they evolve in the hands of different attackers and become unrecognizable to traditional rule-based security approaches.

Utilizing 24/7 Autonomous Response to stop both new and old threats at machine speed gives security teams the best chance of leveling the playing field against attackers. With Darktrace Antigena, the size or status of the attacking organization and their toolset is irrelevant – any anomalous and threatening behavior will be neutralized quickly and accurately, before damage can be done.

Thanks to Darktrace analyst Thomas Nommensen for his insights on the above threat find.

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Brianna Leddy
Director of Analyst Operations

More in this series

No items found.

Blog

/

Network

/

October 29, 2025

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287

WSUS Exploited: Darktrace’s Analysis of Post-Exploitation Activities Related to CVE-2025-59287Default blog imageDefault blog image

Introduction

On October 14, 2025, Microsoft disclosed a new critical vulnerability affecting the Windows Server Update Service (WSUS), CVE-2025-59287.  Exploitation of the vulnerability could allow an unauthenticated attacker to remotely execute code [1][6].

WSUS allows for centralized distribution of Microsoft product updates [3]; a server running WSUS is likely to have significant privileges within a network making it a valuable target for threat actors. While WSUS servers are not necessarily expected to be open to the internet, open-source intelligence (OSINT) has reported  thousands of publicly exposed instances that may be vulnerable to exploitation [2].

Microsoft’s initial ‘Patch Tuesday’ update for this vulnerability did not fully mitigate the risk, and so an out-of-band update followed on October 23 [4][5] . Widespread exploitation of this vulnerability started to be observed shortly after the security update [6], prompting CISA to add CVE-2025-59287 to its Known Exploited Vulnerability Catalog (KEV) on October 24 [7].

Attack Overview

The Darktrace Threat Research team have recently identified multiple potential cases of CVE-2025-59287 exploitation, with two detailed here. While the likely initial access method is consistent across the cases, the follow-up activities differed, demonstrating the variety in which such a CVE can be exploited to fulfil each attacker’s specific goals.

The first signs of suspicious activity across both customers were detected by Darktrace on October 24, the same day this vulnerability was added to CISA’s KEV. Both cases discussed here involve customers based in the United States.

Case Study 1

The first case, involving a customer in the Information and Communication sector, began with an internet-facing device making an outbound connection to the hostname webhook[.]site. Observed network traffic indicates the device was a WSUS server.

OSINT has reported abuse of the workers[.]dev service in exploitation of CVE-2025-59287, where enumerated network information gathered through running a script on the compromised device was exfiltrated using this service [8].

In this case, the majority of connectivity seen to webhook[.]site involved a PowerShell user agent; however, cURL user agents were also seen with some connections taking the form of HTTP POSTs. This connectivity appears to align closely with OSINT reports of CVE-2025-59287 post-exploitation behaviour [8][9].

Connections to webhook[.]site continued until October 26. A single URI was seen consistently until October 25, after which the connections used a second URI with a similar format.

Later on October 26, an escalation in command-and-control (C2) communication appears to have occurred, with the device starting to make repeated connections to two rare workers[.]dev subdomains (royal-boat-bf05.qgtxtebl.workers[.]dev & chat.hcqhajfv.workers[.]dev), consistent with C2 beaconing. While workers[.]dev is associated with the legitimate Cloudflare Workers service, the service is commonly abused by malicious actors for C2 infrastructure. The anomalous nature of the connections to both webhook[.]site and workers[.]dev led to Darktrace generating multiple alerts including high-fidelity Enhanced Monitoring alerts and alerts for Darktrace’s Autonomous Response.

Infrastructure insight

Hosted on royal-boat-bf05.qgtxtebl.workers[.]dev is a Microsoft Installer file (MSI) named v3.msi.

Screenshot of v3.msi content.
Figure 1: Screenshot of v3.msi content.

Contained in the MSI file is two Cabinet files named “Sample.cab” and “part2.cab”. After extracting the contents of the cab files, a file named “Config” and a binary named “ServiceEXE”. ServiceEXE is the legitimate DFIR tool Velociraptor, and “Config” contains the configuration details, which include chat.hcqhajfv.workers[.]dev as the server_url, suggesting that Velociraptor is being used as a tunnel to the C2. Additionally, the configuration points to version 0.73.4, a version of Velociraptor that is vulnerable to CVE-2025-6264, a privilege escalation vulnerability.

 Screenshot of Config file.
Figure 2: Screenshot of Config file.

Velociraptor, a legitimate security tool maintained by Rapid7, has been used recently in malicious campaigns. A vulnerable version of tool has been used by threat actors for command execution and endpoint takeover, while other campaigns have used Velociraptor to create a tunnel to the C2, similar to what was observed in this case [10] .

The workers[.]dev communication continued into the early hours of October 27. The most recent suspicious behavior observed on the device involved an outbound connection to a new IP for the network - 185.69.24[.]18/singapure - potentially indicating payload retrieval.

The payload retrieved from “/singapure” is a UPX packed Windows binary. After unpacking the binary, it is an open-source Golang stealer named “Skuld Stealer”. Skuld Stealer has the capabilities to steal crypto wallets, files, system information, browser data and tokens. Additionally, it contains anti-debugging and anti-VM logic, along with a UAC bypass [11].

A timeline outlining suspicious activity on the device alerted by Darktrace.
Figure 3: A timeline outlining suspicious activity on the device alerted by Darktrace.

Case Study 2

The second case involved a customer within the Education sector. The affected device was also internet-facing, with network traffic indicating it was a WSUS server

Suspicious activity in this case once again began on October 24, notably only a few seconds after initial signs of compromise were observed in the first case. Initial anomalous behaviour also closely aligned, with outbound PowerShell connections to webhook[.]site, and then later connections, including HTTP POSTs, to the same endpoint with a cURL user agent.

While Darktrace did not observe any anomalous network activity on the device after October 24, the customer’s security integration resulted in an additional alert on October 27 for malicious activity, suggesting that the compromise may have continued locally.

By leveraging Darktrace’s security integrations, customers can investigate activity across different sources in a seamless manner, gaining additional insight and context to an attack.

A timeline outlining suspicious activity on the device alerted by Darktrace.
Figure 4: A timeline outlining suspicious activity on the device alerted by Darktrace.

Conclusion

Exploitation of a CVE can lead to a wide range of outcomes. In some cases, it may be limited to just a single device with a focused objective, such as exfiltration of sensitive data. In others, it could lead to lateral movement and a full network compromise, including ransomware deployment. As the threat of internet-facing exploitation continues to grow, security teams must be prepared to defend against such a possibility, regardless of the attack type or scale.

By focussing on detection of anomalous behaviour rather than relying on signatures associated with a specific CVE exploit, Darktrace is able to alert on post-exploitation activity regardless of the kind of behaviour seen. In addition, leveraging security integrations provides further context on activities beyond the visibility of Darktrace / NETWORK, enabling defenders to investigate and respond to attacks more effectively.

With adversaries weaponizing even trusted incident response tools, maintaining broad visibility and rapid response capabilities becomes critical to mitigating post-exploitation risk.

Credit to Emma Foulger (Global Threat Research Operations Lead), Tara Gould (Threat Research Lead), Eugene Chua (Principal Cyber Analyst & Analyst Team Lead), Nathaniel Jones (VP, Security & AI Strategy, Field CISO),

Edited by Ryan Traill (Analyst Content Lead)

Appendices

References

1.        https://nvd.nist.gov/vuln/detail/CVE-2025-59287

2.    https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks/

3.    https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus

4.    https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve

5.    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

6.    https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html

7.    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

8.    https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability

9.    https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/

10. https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/

11. https://github.com/hackirby/skuld

Darktrace Model Detections

·       Device / New PowerShell User Agent

·       Anomalous Connection / Powershell to Rare External

·       Compromise / Possible Tunnelling to Bin Services

·       Compromise / High Priority Tunnelling to Bin Services

·       Anomalous Server Activity / New User Agent from Internet Facing System

·       Device / New User Agent

·       Device / Internet Facing Device with High Priority Alert

·       Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

·       Anomalous Server Activity / Rare External from Server

·       Compromise / Agent Beacon (Long Period)

·       Device / Large Number of Model Alerts

·       Compromise / Agent Beacon (Medium Period)

·       Device / Long Agent Connection to New Endpoint

·       Compromise / Slow Beaconing Activity To External Rare

·       Security Integration / Low Severity Integration Detection

·       Antigena / Network / Significant Anomaly / Antigena Alerts Over Time Block

·       Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

·       Antigena / Network / External Threat / Antigena Suspicious Activity Block

·       Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

List of Indicators of Compromise (IoCs)

IoC - Type - Description + Confidence

o   royal-boat-bf05.qgtxtebl.workers[.]dev – Hostname – Likely C2 Infrastructure

o   royal-boat-bf05.qgtxtebl.workers[.]dev/v3.msi - URI – Likely payload

o   chat.hcqhajfv.workers[.]dev – Hostname – Possible C2 Infrastructure

o   185.69.24[.]18 – IP address – Possible C2 Infrastructure

o   185.69.24[.]18/bin.msi - URI – Likely payload

o   185.69.24[.]18/singapure - URI – Likely payload

The content provided in this blog is published by Darktrace for general informational purposes only and reflects our understanding of cybersecurity topics, trends, incidents, and developments at the time of publication. While we strive to ensure accuracy and relevance, the information is provided “as is” without any representations or warranties, express or implied. Darktrace makes no guarantees regarding the completeness, accuracy, reliability, or timeliness of any information presented and expressly disclaims all warranties.

Nothing in this blog constitutes legal, technical, or professional advice, and readers should consult qualified professionals before acting on any information contained herein. Any references to third-party organizations, technologies, threat actors, or incidents are for informational purposes only and do not imply affiliation, endorsement, or recommendation.

Darktrace, its affiliates, employees, or agents shall not be held liable for any loss, damage, or harm arising from the use of or reliance on the information in this blog.

The cybersecurity landscape evolves rapidly, and blog content may become outdated or superseded. We reserve the right to update, modify, or remove any content

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead

Blog

/

Proactive Security

/

October 24, 2025

Patch Smarter, Not Harder: Now Empowering Security Teams with Business-Aligned Threat Context Agents

Patch Smarter, Not Harder: Now Empowering Security Teams with Business-Aligned Threat Context Agents Default blog imageDefault blog image

Most risk management programs remain anchored in enumeration: scanning every asset, cataloging every CVE, and drowning in lists that rarely translate into action. Despite expensive scanners, annual pen tests, and countless spreadsheets, prioritization still falters at two critical points.

Context gaps at the device level: It’s hard to know which vulnerabilities actually matter to your business given existing privileges, what software it runs, and what controls already reduce risk.

Business translation: Even when the technical priority is clear, justifying effort and spend in financial terms—especially across many affected devices—can delay action. Especially if it means halting other areas of the business that directly generate revenue.

The result is familiar: alert fatigue, “too many highs,” and remediation that trails behind the threat landscape. Darktrace / Proactive Exposure Management addresses this by pairing precise, endpoint‑level context with clear, financial insight so teams can prioritize confidently and mobilize faster.

A powerful combination: No-Telemetry Endpoint Agent + Cost-Benefit Analysis

Darktrace / Proactive Exposure Management now uniquely combines technical precision with business clarity in a single workflow.  With this release, Darktrace / Proactive Exposure Management delivers a more holistic approach, uniting technical context and financial insight to drive proactive risk reduction. The result is a single solution that helps security teams stay ahead of threats while reducing noise, delays, and complexity.

  • No-Telemetry Endpoint: Collects installed software data and maps it to known CVEs—without network traffic—providing device-level vulnerability context and operational relevance.
  • Cost-Benefit Analysis for Patching: Calculates ROI by comparing patching effort with potential exploit impact, factoring in headcount time, device count, patch difficulty, and automation availability.

Introducing the No-Telemetry Endpoint Agent

Darktrace’s new endpoint agent inventories installed software on devices and maps it to known CVEs without collecting network data so you can prioritize using real device context and available security controls.

By grounding vulnerability findings in the reality of each endpoint, including its software footprint and existing controls, teams can cut through generic severity scores and focus on what matters most. The agent is ideal for remote devices, BYOD-adjacent fleets, or environments standardizing on Darktrace, and is available without additional licensing cost.

Darktrace / Proactive Exposure Management user interface
Figure 1: Darktrace / Proactive Exposure Management user interface

Built-In Cost-Benefit Analysis for Patching

Security teams often know what needs fixing but stakeholders need to understand why now. Darktrace’s new cost-benefit calculator compares the total cost to patch against the potential cost of exploit, producing an ROI for the patch action that expresses security action in clear financial terms.

Inputs like engineer time, number of affected devices, patch difficulty, and automation availability are factored in automatically. The result is a business-aligned justification for every patching decision—helping teams secure buy-in, accelerate approvals, and move work forward with one-click ticketing, CSV export, or risk acceptance.

Darktrace / Proactive Exposure Management Cost Benefit Analysis
Figure 2: Darktrace / Proactive Exposure Management Cost Benefit Analysis

A Smarter, Faster Approach to Exposure Management

Together, the no-telemetry endpoint and Cost–Benefit Analysis advance the CTEM motion from theory to practice. You gain higher‑fidelity discovery and validation signals at the device level, paired with business‑ready justification that accelerates mobilization. The result is fewer distractions, clearer priorities, and faster measurable risk reduction. This is not from chasing every alert, but by focusing on what moves the needle now.

  • Smarter Prioritization: Device‑level context trims noise and spotlights the exposures that matter for your business.
  • Faster Decisions: Built‑in ROI turns technical urgency into executive clarity—speeding approvals and action.
  • Practical Execution: Privacy‑conscious endpoint collection and ticketing/export options fit neatly into existing workflows.
  • Better Outcomes: Close the loop faster—discover, prioritize, validate, and mobilize—on the same operating surface.

Committed to innovation

These updates are part of the broader Darktrace release, which also included:

1. Major innovations in cloud security with the launch of the industry’s first fully automated cloud forensics solution, reinforcing Darktrace’s leadership in AI-native security.

2. Darktrace Network Endpoint eXtended Telemetry (NEXT) is revolutionizing NDR with the industry’s first mixed-telemetry agent using Self-Learning AI.

3. Improvements to our OT product, purpose built for industrial infrastructure, Darktrace / OT now brings dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols.

Join our Live Launch Event

When? 

December 9, 2025

What will be covered?

Join our live broadcast to experience how Darktrace is eliminating blind spots for detection and response across your complete enterprise with new innovations in Agentic AI across our ActiveAI Security platform. Industry leaders from IDC will join Darktrace customers to discuss challenges in cross-domain security, with a live walkthrough reshaping the future of Network Detection & Response, Endpoint Detection & Response, Email Security, and SecOps in novel threat detection and autonomous investigations.

Continue reading
About the author
Kelland Goodin
Product Marketing Specialist
Your data. Our AI.
Elevate your network security with Darktrace AI