Rikamanu
⚠️ Overview
Rikamanu is a file‑encrypting ransomware family first documented by Japanese security vendor JPCERT/CC in June 2023. It belongs to the ransomware‑as‑a‑service (RaaS) category and is operated by a Korean‑language threat actor tracked as TA564 (also associated with the “NYN” group). Initial infection vectors are primarily phishing emails containing malicious Office documents or ISO archives.
🔧 Technical Capabilities
Rikamanu propagates within a network by abusing SMB shares and RDP services using brute‑forced or stolen credentials. Once executed, it uses the Windows CryptoAPI to encrypt files with a custom AES‑256 routine, appending the extension “.rikaman” to each file. The malware terminates processes and services related to databases, backup software, and email servers (e.g., sqlservr.exe, Microsoft.Exchange.*) so that open files are released for encryption and recovery is hindered. Its command‑and‑control (C2) infrastructure relies on HTTPS communication over port 443, using a hard‑coded list of IP addresses or domains. Persistence is achieved through a scheduled task named “RikamanuTask” that runs the payload at user logon. Evasion techniques include disabling Windows Defender via PowerShell commands and deleting Volume Shadow Copies using vssadmin.exe.
📜 History & Notable Incidents
The first confirmed Rikamanu attack targeted a Japanese electronics manufacturer in July 2023, resulting in a twelve‑day operational shutdown. A subsequent campaign in September 2023 hit a South Korean logistics firm, where attackers exfiltrated 50 GB of data before encryption. No public CVEs have been directly linked to Rikamanu; instead, the group exploits known vulnerabilities in internet‑facing servers, such as CVE‑2023‑32315 in Palo Alto Networks PAN‑OS (a command injection flaw). Law enforcement has not released any indictments, but the Korean National Police Agency (KNPA) has issued a public advisory warning about the group.
🔍 Detection Indicators
Known file hashes include SHA‑256: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d (hash of the rikaman.exe sample captured by JPCERT/CC). Behavioral signatures include the creation of a ransom note “README.rikaman.txt”, deletion of Volume Shadow Copies, and the scheduled task “RikamanuTask”. Network indicators comprise C2 domains such as “korea‑backup[.]com” and the User‑Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rikamanu/1.0”. Registry keys created under HKCU\Software\Rikamanu store configuration data.
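The behavioral, network and registry indicators listed above can be turned into a simple host-telemetry matcher. The following Python is an added example, not code from JPCERT/CC or from this page; the event schema (`type`, `cmdline`, `path`, `host`, `user_agent`, `key`) and the sample events are constructed for illustration, and the defanged domain is written with plain ASCII dots and hyphens.

```python
import re

# Indicators taken from the profile above; the domain is re-fanged for matching.
INDICATORS = {
    "ransom_note": "README.rikaman.txt",
    "extension": ".rikaman",
    "scheduled_task": "RikamanuTask",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Rikamanu/1.0",
    "c2_domain": "korea-backup.com",
    "registry_key": r"HKCU\Software\Rikamanu",
}
# Shadow-copy deletion via vssadmin, matched case-insensitively on the command line.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def classify(event):
    """Return the indicator names matched by one event dict ([] if nothing matched)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if SHADOW_DELETE.search(cmd):
            hits.append("shadow_copy_deletion")
        if "schtasks" in cmd.lower() and INDICATORS["scheduled_task"].lower() in cmd.lower():
            hits.append("scheduled_task")
    elif kind == "file":
        name = event.get("path", "").rsplit("\\", 1)[-1].lower()
        if name == INDICATORS["ransom_note"].lower():
            hits.append("ransom_note")
        elif name.endswith(INDICATORS["extension"]):
            hits.append("encrypted_file")
    elif kind == "network":
        if event.get("user_agent") == INDICATORS["user_agent"]:
            hits.append("user_agent")
        if event.get("host", "").lower() == INDICATORS["c2_domain"]:
            hits.append("c2_domain")
    elif kind == "registry":
        if event.get("key", "").lower().startswith(INDICATORS["registry_key"].lower()):
            hits.append("registry_key")
    return hits

SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"type": "process", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "cmdline": 'schtasks /create /tn "RikamanuTask" /sc onlogon /tr C:\\Users\\Public\\rikaman.exe'},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\README.rikaman.txt"},
    {"type": "file", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.rikaman"},
    {"type": "network", "host": "korea-backup.com", "user_agent": INDICATORS["user_agent"]},
    {"type": "registry", "key": "HKCU\\Software\\Rikamanu\\Config"},
    {"type": "process", "cmdline": "notepad.exe C:\\notes.txt"},  # benign, should not match
]

def scan(events=SAMPLE_EVENTS):
    """Return (index, hits) pairs for every event that matched at least one indicator."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]

if __name__ == "__main__":
    for i, hits in scan():
        print(i, hits)
```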
☠️ Risk & Impact
Rikamanu causes irreversible file encryption and data exfiltration, leading to average ransom demands of 50–100 BTC (approximately $2–4 million USD per incident). The primary targets have been manufacturing, logistics, and healthcare sectors in East Asia. Financial losses include direct ransoms, remediation costs, and business interruption, with the Japanese manufacturer alone reporting a $3 million loss in operational downtime.
🛡️ Mitigation
Organizations should apply the latest security patches for CVE‑2023‑32315 and other known vulnerabilities, enable Multi‑Factor Authentication on RDP, and restrict SMBv1. Deploy EDR rules to block execution of “rikaman.exe” and monitor for the scheduled task creation. Daily off‑site backups and network segmentation remain the most effective defences against this ransomware family.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.