Ryuk Ransomware Variant Blacklists IP Addresses, Computers
A new variant of the Ryuk ransomware has been detected that blacklists IP addresses and computers, simplifying the infection process. MalwareHunterTeam discovered the new sample, which adds IP address and computer blacklisting so that matching computers will not be encrypted.
A BleepingComputer report dated June 19, 2019 says, “A new variant of the Ryuk Ransomware has been discovered that adds IP address and computer blacklisting so that matching computers will not be encrypted… This new sample was discovered yesterday by MalwareHunterTeam, who saw that it was signed by a digital certificate. After this sample was examined by security researcher Vitali Kremez, it was discovered that a few changes were made to this variant that were not seen in previous samples.”
According to the report, Vitali Kremez found that this new Ryuk variant checks the output of the arp -a command for particular IP address strings. If any of the strings is found, the variant does not encrypt the computer.
“The partial IP address strings that are searched for are 10.30.4, 10.30.5, 10.30.6, or 10.31.32,” the BleepingComputer report says, and adds, “In addition to the IP address blacklisting, this new Ryuk variant will also compare the computer name to the strings ‘SPB’, ‘Spb’, ‘spb’, ‘MSK’, ‘Msk’, and ‘msk’. If the computer name contains any of these strings, Ryuk will not encrypt the computer.”
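The following script is an added illustration, not code from the article or from the malware itself: it models the two blacklist checks described above (a substring search over arp -a output and a case-sensitive substring search over the computer name) against a constructed arp table, so an analyst can see exactly what "partial IP address string" and "contains" mean in practice. Note that a plain substring match on "10.30.4" also hits hosts such as 10.30.45.7 that are not in the 10.30.4.0/24 network; the strict_prefix_matches helper shows what an address-prefix check would have matched instead. The sample arp output and hostnames are constructed for the example.

```python
import re

# Partial IP address strings and computer-name strings reported for this
# Ryuk variant in the BleepingComputer / Vitali Kremez analysis.
IP_BLACKLIST = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
NAME_BLACKLIST = ("SPB", "Spb", "spb", "MSK", "Msk", "msk")

# Constructed sample of Windows `arp -a` output (not a real capture).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  10.30.45.7            00-aa-bb-cc-dd-ee     dynamic
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def arp_matches_blacklist(arp_output: str) -> list[str]:
    """Blacklisted partial-IP strings found anywhere in the raw arp output.

    The variant is described as searching for the strings in the command
    output, so this deliberately does not parse addresses first.
    """
    return [s for s in IP_BLACKLIST if s in arp_output]


def matched_addresses(arp_output: str) -> dict[str, list[str]]:
    """Which concrete addresses in the arp output contain each hit.

    Useful to see that a substring like "10.30.4" also matches 10.30.45.7,
    which is outside the 10.30.4.0/24 network.
    """
    addresses = IPV4_RE.findall(arp_output)
    hits = {}
    for needle in IP_BLACKLIST:
        found = [a for a in addresses if needle in a]
        if found:
            hits[needle] = found
    return hits


def strict_prefix_matches(arp_output: str) -> list[str]:
    """Addresses that would match if the check were a real prefix test
    (needle followed by a dot), for comparison with the substring check."""
    addresses = IPV4_RE.findall(arp_output)
    return [a for a in addresses
            if any(a.startswith(needle + ".") for needle in IP_BLACKLIST)]


def name_matches_blacklist(computer_name: str) -> list[str]:
    """Case-sensitive substring check against the reported name strings.

    Only the three listed capitalisations match, so "SpB" or "mSk" would not.
    """
    return [s for s in NAME_BLACKLIST if s in computer_name]


def would_skip_encryption(arp_output: str, computer_name: str) -> bool:
    """True if either check hits, i.e. the variant would leave this host alone."""
    return bool(arp_matches_blacklist(arp_output)
                or name_matches_blacklist(computer_name))


if __name__ == "__main__":
    print("substring hits:", arp_matches_blacklist(SAMPLE_ARP_OUTPUT))
    print("addresses behind those hits:", matched_addresses(SAMPLE_ARP_OUTPUT))
    print("strict prefix hits:", strict_prefix_matches(SAMPLE_ARP_OUTPUT))
    for host in ("WS-MSK-01", "SpB-FILESRV", "FINANCE-PC"):
        print(host, "skipped:", would_skip_encryption(SAMPLE_ARP_OUTPUT, host))
```

Run as-is, the script reports that the constructed arp table trips the "10.30.4" string purely because of the 10.30.45.7 entry, while a true prefix check finds nothing; "WS-MSK-01" is skipped by the name check and "SpB-FILESRV" is not, because the comparison is case-sensitive against the six exact spellings.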
If neither check matches, the Ryuk variant encrypts the computer and appends the .RYK extension to the encrypted files. Alongside the encryption it drops RyukReadMe.html ransom notes; these contain the phrase “balance of shadow universe” (whose meaning experts have not yet worked out) as well as the email addresses firstname.lastname@example.org and email@example.com, which victims are told to contact for payment instructions.
Researcher Vitali Kremez is of the opinion that the checks are most probably meant to avoid encrypting Russian computers. It has been speculated that the string “MSK” may stand for Moscow and “SPB” for St. Petersburg.
To protect themselves from this and other ransomware strains, users should be cautious with spam emails and should not open attachments or follow links without first confirming that the message is genuine. Likewise, keeping backups, using a firewall and other appropriate security software, avoiding unsecured networks and patching software promptly all help keep ransomware at bay.