Discovering a strange malware, attacking the rich only09/07/2019
Recently, security researchers realized some crucial changes applied with a new variant of Ransomware Ryuk, which cannot be found in the last versions.
Unlike the other ransomware, which usually apply various ways to spread toxic code to users, this Ryuk ransomware infects the users selectively. Particularly, Ryuk ransomware only infects the malicious code with the big enterprises, based on the security gap created by another malware named Trickbot, before. The surprising fact is that the small enterprises or firms, which were also infected by Trickbot, were not attacked or intruded by Ryuk.
Based on Trickbot, Ryuk will scan the object’s system, search for the human resources and the ability to pay for their huge amount of ransom. To let the business unexpected, this malware will not attack instantly but probe the most important system, then start to attack a large scale.
Security researcher Vitali Kremez elaborately studied about this variant and found that Ryuk ransomware is provided an ability to check the output of arp –a for a particular IP chain and if these chains are found, they will not encode the victims’ PC. Besides, the local IP chains are searched by malware including 10.30.4, 10.30.5, 10.30.6 or 10.31.32.
Besides the IP blacklist, this Ryuk variant can compare the target PC with many chains namely “SPB”, “Spb”, “spb”, “MSK”, “Msk” và “msk”. If the target contains this chain, Ryuk will not encode the PC’s data.
In contrast, if the target computer’s system does not include the “identified character” of the toxic code, it will encode as usual. The files successfully encoded by Ryuk will have an extended ending. While encoding, files also create itself RyukReadme.html with the text of noting the ransom containing the phrase “ balance of shadow universe” and some emails for victims to contact and pay their ransom.
Up to now, ransomware Ryuk gets more than 4 million US dollars in the form of bitcoin through encoding data and blackmailing some large enterprises.
Protecting data against the spread of ransomware Ryuk
Actually, ransomware only does damage in case the victim absolutely cannot restore the data when it was encoded. Therefore, owning a backup is highly recommended for every enterprise.
Although this malware is not usually spread through spams like other reputed ransomware, it can be installed by Trojan. Hence, the next important things to be done is that all computers’ users, in particular, enterprises’ staff need training, as well as implementing more knowledge of toxic email, being cautious of attached files, ambiguous URL. To be safer, enterprises should consider using email security solutions which can help them increase the trust in email and thoroughly prevent malware, ransomware “hidden” in email.
Finally, be sure that your internet system cannot let the Remote Desktop Service publicly access on the internet.
Vnetwork Joint Stock Company
+84 28 7306 8789
Need more information?