Page 1 of 3

Story 1:

Some malware reads registry key values and looks for substrings in them that suggest a virtual machine.

The Smoke Loader banking trojan checks registry key values in System\CurrentControlSet\Enum\IDE and System\CurrentControlSet\Enum\SCSI to search for substrings that match QEMU, VirtualBox, VMware, or Xen virtualization products (Source).

FinFisher verifies that HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid does not equal "6ba1d002-21ed-4dbe-afb5-08cf8b81ca32" (Source).

CozyCar checks the registry key values in SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for security products (Source).

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles
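As an added example (not code from the page, nor from any of the malware families or vendors cited), here is a small Python audit that a sandbox operator can run over a .reg export of an analysis VM to see whether it exposes the same indicators these samples look for: device subkey names under Enum\IDE and Enum\SCSI that contain the virtualization substrings, and whether MachineGuid equals the value FinFisher compares against. The .reg excerpt is constructed; adding "VBOX" to the substring list is my assumption, based on how VirtualBox names its virtual devices.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export excerpt (not from the page). The device subkeys
# imitate what VirtualBox and VMware guests typically expose; the MachineGuid
# is the value quoted on the page for FinFisher.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\DiskVBOX_HARDDISK___________1.0_____]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomVBOX_CD-ROM_____________1.0_____]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Samsung&Prod_SSD_870]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography]
"MachineGuid"="6ba1d002-21ed-4dbe-afb5-08cf8b81ca32"
"""

# Substrings named on the page (QEMU, VirtualBox, VMware, Xen); "VBOX" is an
# assumption added because VirtualBox reports devices with that short vendor id.
VM_SUBSTRINGS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "XEN")
ENUM_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum"
CRYPTO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography"
FINFISHER_MACHINEGUID = "6ba1d002-21ed-4dbe-afb5-08cf8b81ca32"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: key path -> {value name: string data}.
    Only quoted REG_SZ values are recognised, which is all this audit needs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_vm_indicators(text: str) -> Dict[str, object]:
    """Report Enum\\IDE / Enum\\SCSI devices whose names carry a VM substring,
    and whether MachineGuid equals the FinFisher comparison value."""
    keys = parse_reg_export(text)
    enum_hits: List[Tuple[str, str]] = []
    guid = ""
    for path, values in keys.items():
        upper = path.upper()
        if upper == CRYPTO_KEY.upper():
            guid = values.get("MachineGuid", "")
        for bus in ("IDE", "SCSI"):
            prefix = f"{ENUM_ROOT}\\{bus}\\".upper()
            if upper.startswith(prefix):
                device = path[len(prefix):]
                for needle in VM_SUBSTRINGS:
                    if needle in device.upper():
                        enum_hits.append((device, needle))
                        break
    return {
        "enum_hits": enum_hits,
        "machineguid_is_finfisher_value": guid.lower() == FINFISHER_MACHINEGUID,
    }


if __name__ == "__main__":
    report = find_vm_indicators(SAMPLE_REG_EXPORT)
    for device, needle in report["enum_hits"]:
        print(f"VM indicator {needle!r} in device name: {device}")
    print("MachineGuid matches FinFisher value:", report["machineguid_is_finfisher_value"])
```

A real export is produced with `reg export HKLM\SYSTEM\CurrentControlSet\Enum enum.reg` (and similarly for the Cryptography key); note that `reg export` writes UTF-16, so decode the file accordingly before passing it in. Any hit is a device name or GUID that the sandbox should randomise or mask before it is used for dynamic analysis.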

Story 2:

Top 5 ransomware families and how they use the registry

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

How the top ransomware families use registry keys

1. Maze (aka ChaCha ransomware). Maze ransomware, first spotted in 2019, quickly rose to the top of its malware class. ...
Source: 1, 2, 3, 4, 5
T1112: Modify Registry
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f --- enables Remote Desktop

T1547.001 - Registry Run Keys / Startup Folder

T1012 - Query Registry

2. Conti (aka IOCP ransomware) ...

https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide
https://thedfirreport.com/2021/05/12/conti-ransomware/

T1012 - Query Registry: Conti ransomware first checks the computer name of the victim via the registry.

T1562.001 - Impair Defenses: Disable or Modify Tools: the threat actors disabled Windows Defender by adding the below to an already linked GPO.
T1547.001 - Registry Run Keys / Startup Folder

3. REvil (aka Sodin, Sodinokibi ransomware) ...

https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics

T1547.001 - Registry Run Keys / Startup Folder: sets a couple of RunOnce registry keys and then immediately reboots the system into Safe Mode with Networking, e.g.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j

https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

4. Netwalker (aka Mailto ransomware) ...

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/
https://www.cynet.com/attack-techniques-hands-on/netwalker-ransomware-report/

Registry Run Key (T1547.001): places a value on the RunOnce key

Modify Registry key (T1112): creates its own registry key in \SOFTWARE\<uniquename>

T1547.001: A registry key will be set to maintain persistence of the payload on the host in the following: ‘HKLM/software/’ and ‘HKCU/software/’

T1112 Registry Modification: HKLM\Software\Classes\cmdfile\shell\open\command


5. Clop ransomware.
https://x-phy.com/doppelpaymer-kia-motors/

https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware

https://eforensicsmag.com/detecting-ransomware-precursors-by-andrew-skatoff/

T1562.001: Impair Defenses: Disable or Modify Tools: Clop disables Windows Defender at the beginning of its execution. Cybereason detects the malicious commands executed to silently modify the related registry keys (Source).

BitPaymer

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

Ryuk Ransomware

It added a Run key:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V \"microsoft update\" /t REG_SZ /F /D "SCHTASKS /run /tn 9T6ukfi6"

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

REvil

The mpsvc.dll creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter, which contains several registry values that store encryptor runtime keys/configuration artifacts. (2)
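The registry operations collected under Story 2 (Maze enabling RDP via fDenyTSConnections, Conti querying the computer name and disabling Defender, REvil and Ryuk writing Run/RunOnce values, Netwalker rewriting Classes\cmdfile\shell\open\command, Clop modifying Defender keys) all surface as `reg.exe` command lines in process-creation telemetry. As an added example, not code from the page or from any of the cited reports, the Python below parses such command lines and maps them to the ATT&CK technique ids listed above. The sample lines are constructed: the first two reproduce the Maze and Ryuk commands quoted on this page (Ryuk's escaped quotes normalised to plain ones); the Defender policy value, the cmdfile handler path and the ComputerName key are my own illustrative reconstructions of the behaviour described, not commands taken from the reports.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed process-creation command lines (what Sysmon Event ID 1 or
# Security event 4688 would record). Lines 3-5 are illustrative assumptions.
SAMPLE_COMMAND_LINES = [
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "microsoft update" /t REG_SZ /F /D "SCHTASKS /run /tn 9T6ukfi6"',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\Software\Classes\cmdfile\shell\open\command" /ve /t REG_SZ /d "C:\ProgramData\example.exe" /f',
    r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v ComputerName',
    r'reg add "HKCU\Software\ExampleApp" /v InstallDir /t REG_SZ /d "C:\Program Files\ExampleApp" /f',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    tokens, current, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


@dataclass
class RegCommand:
    op: str              # "add" or "query"
    key: str             # registry key path as typed
    value: Optional[str] # /v argument, if any
    data: Optional[str]  # /d argument, if any


def parse_reg_command(cmdline: str) -> Optional[RegCommand]:
    """Return a RegCommand for `reg add` / `reg query` lines, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or toks[0].rsplit("\\", 1)[-1].lower() not in ("reg", "reg.exe"):
        return None
    op = toks[1].lower()
    if op not in ("add", "query"):
        return None
    value = data = None
    i = 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag == "/v" and i + 1 < len(toks):
            value, i = toks[i + 1], i + 2
        elif flag == "/d" and i + 1 < len(toks):
            data, i = toks[i + 1], i + 2
        else:
            i += 1  # /t TYPE, /f, /ve and anything else are skipped
    return RegCommand(op, toks[2], value, data)


def _is_run_key(key: str) -> bool:
    return re.search(r"\\currentversion\\run(once)?$", key.lower()) is not None


# (technique id, predicate); the ids are the ones used in the notes above.
RULES: List[Tuple[str, Callable[[RegCommand], bool]]] = [
    ("T1112 (enable RDP)", lambda c: c.op == "add"
        and c.key.lower().endswith("\\control\\terminal server")
        and (c.value or "").lower() == "fdenytsconnections" and c.data == "0"),
    ("T1547.001", lambda c: c.op == "add" and _is_run_key(c.key)),
    ("T1562.001", lambda c: c.op == "add"
        and "\\windows defender" in c.key.lower()
        and (c.value or "").lower().startswith("disable") and c.data == "1"),
    ("T1112 (shell command hijack)", lambda c: c.op == "add"
        and re.search(r"\\classes\\[^\\]+\\shell\\open\\command$", c.key.lower()) is not None),
    ("T1012", lambda c: c.op == "query"),
]


def classify(cmdline: str) -> List[str]:
    """Technique ids matched by one command line (empty if none)."""
    cmd = parse_reg_command(cmdline)
    return [] if cmd is None else [tid for tid, pred in RULES if pred(cmd)]


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Only the lines that matched a rule, paired with their technique ids."""
    return [(line, classify(line)) for line in lines if classify(line)]


if __name__ == "__main__":
    for line, ids in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(ids), "<-", line)
```

The rules deliberately key on the semantics (value name plus data) rather than on `reg.exe` alone, so a benign `reg add` into an application's own key produces no alert, while the Maze command is flagged only when fDenyTSConnections is set to 0. The same checks apply unchanged to registry-set events (Sysmon Event ID 13) by feeding the logged key and value directly into a RegCommand.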
