A new version of the Ryuk stealer malware has been found targeting sensitive information held by governments, militaries, banks, financial firms and many other sectors.
The new version adds features and is designed to act only on files that match a set of keywords relevant to military operations and government functions. It carries about 85 content keywords and a list of file extensions that determine which files it examines. The upgrade shows, once again, that operators keep refining their tools to get past whatever the latest security products can stop.
For now it is not known whether the Ryuk stealer was launched by the earlier Ryuk Ransomware actors or by a different developer reusing the Ryuk Ransomware code. However, according to Vitali Kremez, head of SentinelLabs, it is more likely that the actors behind the earlier version repurposed part of their code for the newly discovered one. This version exfiltrates data before the targeted file is encrypted, and a file is only processed if its extension and its name or contents match the lists built into the malware.
Image Source: www.bleepingcomputer.com
The researchers' analysis revealed that the new version has additional keywords, a new file-content scanning feature and additional target file types. The older version only scanned for Microsoft Word (.docx) and Microsoft Excel (.xlsx) files. The new version also targets JPG images, cryptocurrency wallets, PDFs and C++ source code files.
The stealer first checks whether a file's extension is on its list of target extensions. If it is, it checks whether the file name contains any of 55 specified file-name keywords, and then scans the file's contents for any of its 85 content keywords.
According to the report, the attackers also set up two FTP sites to complete the operation: any file the stealer matches is uploaded to them. The report notes that both FTP sites are currently down.
The keywords the malware scans for are sensitive terms in several categories. Under Military it searches for "NATO", "attack", "operation", "tactical", "submarine", "tank" and others. Under Law Enforcement it searches for "federal", "bureau", "investigation", "government", "victim", "court" and others. Under Banking, some of the keywords are "SWIFT", "IBAN", "statement" and "saving". Under Finance are "Newswire" and "Marketwired", among others. Under Personal are "passport", "personal", "Olivia", "Noah" and others. The earlier version already had some of these keywords; the new version adds more, including "cyber", "submarine", "contraband", "operation", "bribery" and "NATO". The report revealed that the names in the Personal category were taken from the United States Social Security Administration's list of top baby names.
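To make the selection logic concrete, here is an added example (not code from the report, from the malware, or from any of the researchers quoted) that emulates the three-stage triage described above, extension, then file name, then content, over a constructed set of files and returns the ones that would be staged for the FTP upload. It uses only the keywords the report quotes, so the lists are a subset of the real 55 and 85; it reuses the content keywords for the file-name pass because the report does not list the file-name keywords separately; ".dat" as the wallet extension, case-insensitive substring matching, and treating a file-name hit or a content hit as sufficient are all assumptions. The same function can be pointed at a real directory to estimate what such a stealer would have carried off.

```python
import io
import zipfile
from pathlib import Path

# Extensions the report says the stealer selects: Word, Excel, JPG, PDF, C++ source
# and cryptocurrency wallets. ".dat" for wallets is an assumption; the report does
# not name the wallet file types.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".jpeg", ".pdf", ".cpp", ".h", ".dat"}

# The subset of the 85 content keywords that the report quotes, in its categories.
CONTENT_KEYWORDS = {
    "military": ["nato", "attack", "operation", "tactical", "submarine", "tank"],
    "law_enforcement": ["federal", "bureau", "investigation", "government", "victim", "court"],
    "banking": ["swift", "iban", "statement", "saving"],
    "finance": ["newswire", "marketwired"],
    "personal": ["passport", "personal", "olivia", "noah"],
}
# The report says 55 keywords are checked against the file name but does not list
# them, so this example reuses the content keywords for the file-name pass (assumption).
FILENAME_KEYWORDS = [w for words in CONTENT_KEYWORDS.values() for w in words]


def extract_text(data: bytes) -> str:
    """Best-effort lowercase text from a file body. Word and Excel files are zip
    containers, so a raw byte search would miss their text; unpack the XML parts
    first. Undecodable bytes are dropped rather than raising."""
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                data = b" ".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
        except zipfile.BadZipFile:
            pass  # not a real archive; fall through to the raw bytes
    return data.decode("utf-8", errors="ignore").lower()


def triage(name: str, data: bytes) -> dict:
    """Run the three checks in the order the report describes: extension, then
    file name, then content. Matching is case-insensitive substring matching,
    which is an assumption; the report does not say how the comparison is done."""
    result = {"name": name, "extension_match": False,
              "filename_hits": [], "content_hits": {}}
    if Path(name).suffix.lower() not in TARGET_EXTENSIONS:
        return result  # wrong extension: the stealer never opens the file
    result["extension_match"] = True
    lowered_name = Path(name).name.lower()
    result["filename_hits"] = [w for w in FILENAME_KEYWORDS if w in lowered_name]
    text = extract_text(data)
    for category, words in CONTENT_KEYWORDS.items():
        hits = [w for w in words if w in text]
        if hits:
            result["content_hits"][category] = hits
    return result


def would_exfiltrate(result: dict) -> bool:
    """A file is staged for the FTP upload if its extension matched and either its
    name or its content hit a keyword. Treating the two checks as alternatives
    rather than both-required is an assumption; the report is not explicit."""
    return result["extension_match"] and bool(result["filename_hits"] or result["content_hits"])


def scan(files: dict) -> list:
    """Names of the files (name -> bytes) the stealer would stage for upload."""
    return [name for name, data in files.items() if would_exfiltrate(triage(name, data))]


def scan_directory(root: str) -> list:
    """Same triage over a real directory tree, for a data-exposure assessment."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and would_exfiltrate(triage(str(p), p.read_bytes()))]


def build_docx(text: str) -> bytes:
    """Constructed minimal Word-style zip container for the sample data below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{text}</w:t></w:p></w:body></w:document>")
    return buf.getvalue()


# Constructed sample files; none of these come from the report.
SAMPLE_FILES = {
    "reports/q4_bank_statement.docx": build_docx("Account summary with IBAN and SWIFT details"),
    "reports/holiday_photos.jpg": b"\xff\xd8\xff\xe0 pixel data with nothing sensitive",
    "ops/exercise_brief.pdf": b"%PDF-1.4 joint tactical operation planning notes",
    "src/main.cpp": b"int main() { return 0; }",
    "notes/todo.txt": b"NATO summit reminder",                      # keyword, but extension not targeted
    "hr/passport_scan_olivia.jpg": b"\xff\xd8\xff\xe0 pixel data",  # file-name hit only
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print("would upload:", name, triage(name, SAMPLE_FILES[name]))
```

Two things the run makes visible that the prose does not: a file full of keywords is ignored outright if its extension is not on the list (the .txt above), and a file whose body is opaque binary can still be taken purely on the strength of its name (the passport scan). Unpacking the Office containers matters for the same reason in reverse: a raw byte search would report the .docx as clean.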
Image Source: www.zdnet.com
The last quarter of 2019 and the first month of 2020 saw many ransomware incidents and many reports of attackers releasing updated versions of well-known malware. The researchers do not yet know how the Ryuk stealer is distributed, and the report does not say whether it is used on its own or bundled with ransomware attacks. It is clear, however, that the operators hunt for sensitive information, either to sell it to other parties or to blackmail the affected organisation into paying.
Ransomware can be mitigated by investing in security tooling that detects advanced malware in real time, by not opening email from untrusted sources or visiting unsafe websites, and, most importantly, by keeping complete backups of all sensitive data so that files encrypted by attackers can be restored. Backups on an external drive should be disconnected from the computer when not in use. Staff should be trained in basic security awareness so that attackers cannot take advantage of their having little or none. Note that backups address the encryption but not the theft: this stealer exfiltrates files before anything is encrypted, so restoring from backup does not undo the exposure of the data.
Almost all ransomware attackers aim to encrypt data and demand a ransom in exchange for the decryption key. It is generally advisable not to pay, as there is no guarantee of getting the data back, and companies that do pay can still find their stolen data sold on the dark web or handed to adversaries.
Source: Bleeping Computer
Disclaimer: Darkweblink.com does not promote or endorse claims made by any parties in this article. The information provided here is for general purposes only and is not intended to promote or support the purchase or sale of any products or services, or to serve as a recommendation to do so. Neither Darkweblink.com nor any of its members is responsible, directly or indirectly, for any loss or damage caused or alleged to be caused by or in relation to reliance on or use of any content, goods or services mentioned in this article.