Ryuk Ransomware stops encrypting Linux directory
By putting a bunch of Linux directories on the blacklist, the people behind Ryuk have removed one more headache that they need to solve.
In the latest attack, the ransomware Ryuk (Ryuk Ransomware) caused the entire public computer system of New Orleans, Louisiana, USA to be locally crippled by using an executable file called v2. .exe. After analyzing this malicious executable file, well-known security researcher Vitali Kremez discovered an interesting change in the way ransomware works, that it no longer encrypts certain types of mail. The item is associated with * NIX operating systems.
The * NIX directory in Ryuk's blacklist includes: bin, boot, Boot, dev, etc, lib, initrd, sbin, sys, vmlinuz, run, Var.
This is obviously a strange phenomenon when a malicious Windows program lists the * NIX directories blacklisted when encrypting files. There are even questions about whether there is a Ryuk Unix variant when the data stored in these operating systems has been encrypted during many of Ryuk's previous attacks.
Ryuk's Linux / Unix variant does not exist, but Windows 10 contains a feature called Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows, and those That Linux distribution will definitely have to use the directories listed in the above list.
With the growing popularity of WSL, Ryuk is able to encrypt a Windows device at some point and this affects the * NIX system folders used by WSL, while also causing WSL installations. This cannot work. That's why Ryuk can affect NIX devices through WSL.
The ultimate goal of all malicious code is nothing but encrypted data of the victim but at the same time does not affect the function of the operating system. Therefore, this new change in the way Ryuk operates can be considered as an 'evolutionary step', making it more dangerous.
By putting a bunch of Linux directories on the blacklist, the people behind Ryuk have removed an additional headache that they need to solve for people who accept ransom payments but have a broken WSL setting corrupted by ransomware.
You should read it
- What is Ransomware Ryuk? How to prevent it?
- Ryuk Ransomware has added 'selective' encryption capabilities.
- Strange ransomware detection only attacks the rich
- PureLocker - a very 'weird' ransomware strain that can encrypt servers
- Another large Data Center service provider became a victim of ransomware
- Ransomware (ransomware) is showing signs of explosion worldwide, paying is no longer the most effective option.
- Warning: These 3 dangerous ransomware could explode all over the world, 1800 large enterprises were 'shot'.
- Mexico's largest oil and gas corporation has been attacked by ransomware, presenting a cyber security disaster
- STOP - Ransomware is the most active in the Internet but rarely talked about
- 7 kinds of ransomware you didn't expect
- Take a look at the most significant threats from the security world in 2019
- Ransomware STOP started installing Trojans to steal victim passwords
Maybe you are interested
5 best motherboards for Threadripper CPUs How to Access Public Folders in Outlook 2016 on PC or Mac AI models use aerial and ground data to navigate areas that are difficult to observe The search engine and the race App Store changes 'Free' button with 'Get' button 11 clear signs that you are a low EQ