Ryuk Ransomware stops encrypting Linux directories

By putting a bunch of Linux directories on the blacklist, the people behind Ryuk have removed one more headache that they need to solve.

In its latest attack, the Ryuk ransomware crippled the public computer systems of New Orleans, Louisiana, USA, using an executable file called v2. .exe. After analyzing this malicious executable, well-known security researcher Vitali Kremez discovered an interesting change in how the ransomware works: it no longer encrypts certain directories associated with *NIX operating systems.


The *NIX directories on Ryuk's blacklist are: bin, boot, Boot, dev, etc, lib, initrd, sbin, sys, vmlinuz, run, Var.

It is obviously strange for a malicious Windows program to blacklist *NIX directories when encrypting files. This has even raised the question of whether a Unix variant of Ryuk exists, since data stored on these operating systems has been encrypted during many of Ryuk's previous attacks.

No Linux/Unix variant of Ryuk exists, but Windows 10 includes a feature called Windows Subsystem for Linux (WSL) that lets users install various Linux distributions directly in Windows, and those Linux distributions necessarily use the directories in the list above.

With WSL growing in popularity, Ryuk could at some point encrypt a Windows device and in doing so hit the *NIX system folders used by WSL, leaving the WSL installation unable to work. That is how Ryuk can affect *NIX environments through WSL.
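To make the interaction between a directory-name blacklist and a WSL rootfs concrete, here is a small triage helper that a defender could run over a file inventory or backup listing to see which paths such a blacklist would spare and which remain at risk. This is an added example, not code from the article, from Vitali Kremez's analysis, or from the malware itself. The blacklist names are the ones the article reports; the matching rule (a file is skipped when any directory component of its path exactly equals a blacklisted name, case-sensitively, which the presence of both "boot" and "Boot" in the list suggests) is an assumption made for illustration, and the sample paths, including the EXAMPLE_DISTRO package name, are constructed.

```python
"""Triage helper: which paths would a directory-name blacklist like Ryuk's skip?

Added example, not the article's or the malware's code. The blacklist contents
come from the article; the exact-match, case-sensitive rule is an assumption,
and SAMPLE_PATHS is constructed.
"""
from pathlib import PureWindowsPath

# Directory names the article reports Ryuk now skips, as listed (note the
# mixed case of "boot"/"Boot" and "Var").
RYUK_NIX_BLACKLIST = frozenset({
    "bin", "boot", "Boot", "dev", "etc", "lib", "initrd",
    "sbin", "sys", "vmlinuz", "run", "Var",
})

# Constructed sample inventory: a WSL distro rootfs under the user's profile
# (EXAMPLE_DISTRO is a placeholder for the real package folder name), plus
# ordinary Windows paths.
_ROOTFS = r"C:\Users\alice\AppData\Local\Packages\EXAMPLE_DISTRO\LocalState\rootfs"
SAMPLE_PATHS = [
    _ROOTFS + r"\etc\passwd",               # system file, spared
    _ROOTFS + r"\bin\ls",                   # system binary, spared
    _ROOTFS + r"\home\alice\notes.txt",     # user data inside WSL, still at risk
    _ROOTFS + r"\var\log\syslog",           # lowercase "var" is not listed (assumed case-sensitive), at risk
    r"C:\Users\alice\Documents\report.docx",  # ordinary Windows user data, at risk
    r"D:\projects\etc\config.ini",          # any folder named "etc" is spared too
]


def is_skipped(path: str, blacklist=RYUK_NIX_BLACKLIST) -> bool:
    """Return True if any directory component of `path` is on the blacklist.

    The drive/anchor and the final filename are ignored; only directory names
    between them are compared, exactly and case-sensitively (assumption).
    """
    p = PureWindowsPath(path)
    parts = p.parts
    dirs = parts[1:-1] if p.anchor else parts[:-1]
    return any(d in blacklist for d in dirs)


def triage(paths, blacklist=RYUK_NIX_BLACKLIST):
    """Split paths into (spared, at_risk) under the assumed blacklist rule."""
    spared = [p for p in paths if is_skipped(p, blacklist)]
    at_risk = [p for p in paths if not is_skipped(p, blacklist)]
    return spared, at_risk


if __name__ == "__main__":
    spared, at_risk = triage(SAMPLE_PATHS)
    print("Spared by blacklist:")
    for p in spared:
        print("  ", p)
    print("Still at risk:")
    for p in at_risk:
        print("  ", p)
```

Two things the listing makes visible that the prose alone does not: the blacklist keeps a WSL distribution bootable but does nothing for user data under its /home, and because matching is on bare directory names, any Windows folder that happens to be called etc or bin would be spared as well. Under the assumed case-sensitive comparison, a lowercase var directory is not covered by the listed "Var"; whether the real sample compares case-insensitively is not something the article states.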

The ultimate goal of any such malware is to encrypt the victim's data without breaking the operating system's ability to function. This new change in how Ryuk operates can therefore be seen as an 'evolutionary step' that makes it more dangerous.

By putting a set of Linux directories on the blacklist, the people behind Ryuk have removed one more headache they would otherwise have to deal with: victims who pay the ransom but are left with a WSL installation corrupted by the ransomware.

Update 30 December 2019