Five days later, Ryuk has a conversation with Light. The simple reason he gives about why he dropped the Death Note into the human world is that because he is bored. He then tells Light that, since he was the one who found the notebook, it belongs to him. If he does not need it anymore, he can pass it to anyone else. But when it is the time for Light to die, Ryuk will write his name down. Light then explains to Ryuk that he wishes to cleanse the world of evil criminals, and becomes the God of the new world. Ryuk tells Light that, if he were to do that, the only bad person left would be Light himself. Light ignores his comment, maintaining that he is entirely sincere. Ryuk then comments that humans are interesting. It is interesting to see that there is yet another typo, this one is in the first command that prevents the command from running successfully (the letter ‘e’ is missing in the word “delete”). The sample uses a known and simple persistence method. It sets the following registry key using cmd.exe, which in turn invokes reg.exe to set the registry key: Customization options from Chaos v4.0 are also unchanged, which gives the threat actor the following options:

It’s not often that we get to observe the behind-the-scenes drama that can accompany the creation of new malware, but when we do, it gives us a fascinating glimpse into how threat actors operate. One such glimpse, stemming from an online exchange between a ransomware perpetrator and a victim, gave us new insights into the origins of Chaos malware, revealing a twisted family tree that links it to both Onyx and Yashma ransomware variants. Tom S. Pepirium of IGN said that "Brian Drummond IS Ryuk." Pepirium described Drummond's voice as "excellent" and that this makes it "hilarious" to watch "Ryuk and his never-ending grin giggle at the events he put into motion." Compared to other families of ransomware, Ryuk has very few safeguards to ensure stability of the host by not encrypting system files. For example, many ransomware families contain extensive lists of file extensions or folder names that should not be encrypted (whitelisted), but Ryuk only whitelists three extensions: It will not encrypt files with the extensions exe , dll , or hrmlog . The last extension appears to be a debug log filename created by the original Hermes developer. It should be noted that absent from this list is sys (system drivers), ocx (OLE control extension) and other executable file types. Encrypting these files could make the host unstable. Early versions of Ryuk included the whitelisting of ini and lnk files, but these have been removed in recent builds. The following folder names are also whitelisted and not encrypted. The first executable, bitsran.exe , is a dropper, and RSW7B37.tmp is the Hermes ransomware executable. The dropper’s goal is to propagate the Hermes executable within a network by creating scheduled tasks over SMB sessions using hard-coded credentials. The Hermes executable then encrypts files on the host. It is interesting to note that the compiler and linker for Hermes is different from the other executables. All of the executables except for Hermes were compiled with Visual Studio 10, with a linker of Visual Studio 10. Hermes, in contrast, was compiled with Visual Studio 9, with an unknown linker.Hermes ransomware, the predecessor to Ryuk, was first distributed in February 2017. Only one month after its release, a decryptor was written for Hermes, followed by the release of version 2.0 in April 2017, which fixed vulnerabilities in its cryptographic implementation. Since this release, the only way for a victim to recover files is with the private encryption key, which is obtained by paying the ransom. In late August 2017, Hermes version 2.1 was released. In other media Relight anime films Main articles: Death Note Relight 1: Visions of a God and Death Note Relight 2: L's Successors The host discovery algorithm works in two stages. First, the sample attempts to discover which subnets the machine is connected to, and during the second stage it scans the subnet. cmd.exe /C REG ADD “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run“ /v "svchos" /t REG_SZ /d "\" /f If executed on a 64 bit system, it will append the string by adding “/reg:64” to the command. This exact persistence method was used by previous samples as well. Wake-up Network Devices

Falcon Intelligence has medium-high confidence that the WIZARD SPIDER threat actors are operating out of Russia. Hermes was originally advertised on exploit[.]in . This Russian-speaking forum is a well-known marketplace for selling malware and related services to criminal threat actors. If Hermes was indeed related to STARDUST CHOLLIMA, it would imply that nation-state threat actors are selling their services on Russian-speaking forums, which is unlikely. Light was gonna use that thing to make himself god of the New World. Doesn't that interest you?” ( L: Change the WorLd) Although otherwise basic, Chaos-spawned malware had over a hundred targeted file-extensions that it would attempt to encrypt. Additionally, the malware had a list of files it would avoid targeting, including .DLL, .EXE, .LNK and .INI. These exclusions were likely there to prevent crashing the victim’s device by encrypting necessary system files. You have lost, Light. Didn't I say in the beginning… when you die, the one who'll write your name down in a notebook will be me. That is… the deal between the Shinigami… and the first human to get their hands on the note in the human world. Once you enter the prison, I don't know when you'll die. It's annoying to wait… Your life is already over. You'll die here. Well, it was good while it lasted… We killed some boredom, didn't we? We did some various and interesting things…” ( Episode 37)The encryption of local and mapped drives is done in 6 rounds. On each of these rounds, Ryuk will enumerate all the drives from A: to Z: and will then encrypt drives based on their types, which it gets using the GetDriveTypeA API. These are the drive types which will be encrypted on each round: It feels sturdy and well-made, with no loose parts or wobbliness. The materials used seem durable, ensuring that it will withstand the test of time and retain its quality even after prolonged display. Chaos (and subsequently Yashma) have seen rapid development and advances throughout the last year, with its most recent iteration, “Yashma” (Chaos v6.0), found in-the-wild in mid-2022. This fact indicates that operators behind Ryuk malware carefully study each victim and perform expensive scouting and network mapping.

Death Note 13: How to Read describes Ryuk in the Death Note yonkoma as, of the characters, one who "may" be the character most resembling the equivalent character in the Death Note series. The last step is executed forever, as Ryuk will continuously attempts to discover new victims on the network and encrypt them.It now has functionality to prevent it from running based on the victim’s location, determined via the language set on the victim device. This is a ploy often used by threat actors to avoid legal trouble in their country of origin.

This initial edition of Chaos overwrites the targeted file with a randomized Base64 string, rather than truly encrypting the file. Because the original contents of the files are lost during this process (seen in Figure 4), recovery is not possible, thus making Chaos a wiper rather than true ransomware. Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege . It takes no action if the adjustment of the token privileges fails. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe , explorer.exe , lsaas.exe , or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. By ensuring that the process is not running under NT AUTHORITY , the developers are assuming the process is not running under another account and therefore can be written to. Ryuk uses a combination of VirtualAlloc , WriteProcessMemory and CreateRemoteThread to inject itself into the remote process. Process/Service Termination and Anti-Recovery Commands Lateral movement is continued until privileges are recovered to obtain access to a domain controller. Sometime after Light's death and Ryuk's return to the Shinigami Realm, Ryuk becomes popular among other Shinigami due to his time spent in the Human World with Light. Eventually, Ryuk's story catches the attention of an unnamed Shinigami, who visits Ryuk to hear it.Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been public reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017. Table 1 contains samples that are possibly attributed to the compromise. The two executables related to Hermes are bitsran.exe and RSW7B37.tmp . All humans die the same, the place they go after death isn't decided upon by a god it is Mu (nothingness). A video recorded in the ANY.RUN malware hunting service allows us to watch the execution process of Ryuk malware in action. Figure of Ryûk, the most famous God of Death. He was the one who dropped the Death Note that Light Yagami retrieved from the human world before becoming Kira the main character of the anime Death Note™