A new feature in Windows is the addition of the Windows Subsystem for Linux (WSL), which allows Linux distribution installs directly onto Windows. Ryuk’s authors are aware of this, and have added additional blacklists to prevent the encryption of these folders which would render the WSL unusable.
The List of blacklisted *NIX folders are:
• bin
• boot
• Boot
• dev
• etc
• lib
• initrd
• sbin
• sys
• vmlinuz
• run
• var
Analyst Notes
As ransomware is pretty nasty in its modus operandi (encrypting your files and holding them for ransom), Binary Defense’s analysts recommend you follow the 3-2-1 backup rule.
The rule is:
• keep at least three (3) copies of your data
• store two (2) backup copies on different storage media
• one (1) of these backups must be located offsite.
This will ensure that your data remains safe and secure, even in the worst-case scenario.
Additionally, Ryuk is never dropped on its own and is typically indicative of an extensive malware infection, sometimes lasting for months. Our analysts recommend that you occasionally investigate computers on your network for signs of trickbot infections (searching Appdata/Roaming), as sometimes these infections will evade antivirus until its too late.
