Ryuk is best known for encrypting files and then demanding a ransom for them. A newly discovered sample reuses Ryuk’s file-handling code but, instead of encrypting documents, uploads them to an FTP server controlled by the attacker. The malware runs a looping scan for files with .doc and .xlsx extensions, skipping files and folders whose paths reference Microsoft, Intel, or .ryk (the extension Ryuk appends to encrypted files). When a candidate file is found, the malware inspects its contents to confirm it really is a Word document or Excel spreadsheet rather than trusting the extension alone. A keyword list is then used to select which files to take; it includes “marketwired,” “10-Q,” “fraud,” “hack,” “tank,” “defence,” “military,” “checking,” “classified,” “secret,” “clandestine,” “undercover,” and “federal,” which indicates the malware is specifically after confidential and financial information. Another notable search criterion is a list of first names, believed to be drawn from the US Social Security Administration’s published list of the most popular baby names.

Researchers tied the sample to Ryuk through shared code: both look for a file named Ahnlab. One difference is that Ryuk runs as a standalone executable with no dependencies, whereas the new sample is a DLL that must be loaded by another process. It is not known whether the new malware was created by the group behind Ryuk or whether another group obtained the source code and modified it for their own use. Researchers are looking for more samples to determine how it is installed.
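The selection logic described above (extension filter, skip list, content check, keyword match) is something defenders can reproduce to estimate what a stealer with these rules would pick up from a file share. The following is an added example written for this write-up; it is not the malware’s code and not Binary Defense’s tooling. The keyword list and skip fragments come from the text; the content check (OLE2 magic bytes for .doc, a ZIP containing xl/workbook.xml for .xlsx), case-insensitive substring matching, and the sample files built by build_sample_tree are assumptions made here so the script runs offline.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Keyword list quoted in the write-up above.
KEYWORDS = ["marketwired", "10-Q", "fraud", "hack", "tank", "defence", "military",
            "checking", "classified", "secret", "clandestine", "undercover", "federal"]

# Path fragments the sample is reported to skip. Case-insensitive matching is an assumption.
SKIP_FRAGMENTS = ("microsoft", "intel", ".ryk")
TARGET_EXTS = (".doc", ".xlsx")

# Assumed content checks (the write-up only says the file body is verified).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc compound-file header
ZIP_MAGIC = b"PK\x03\x04"                           # .xlsx is an OOXML ZIP container


def is_skipped(rel_path: str) -> bool:
    """True if any skip fragment appears in the path relative to the scan root."""
    p = rel_path.lower()
    return any(fragment in p for fragment in SKIP_FRAGMENTS)


def looks_like_document(path: Path) -> bool:
    """Check that the bytes match the claimed extension, not just the name."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    ext = path.suffix.lower()
    if ext == ".doc":
        return head == OLE2_MAGIC
    if ext == ".xlsx":
        if not head.startswith(ZIP_MAGIC):
            return False
        try:
            with zipfile.ZipFile(path) as zf:
                return "xl/workbook.xml" in zf.namelist()
        except zipfile.BadZipFile:
            return False
    return False


def extract_text(path: Path) -> str:
    """Crude text extraction, enough for keyword hits; not a full document parser."""
    if path.suffix.lower() == ".xlsx":
        with zipfile.ZipFile(path) as zf:
            parts = [zf.read(n) for n in zf.namelist()
                     if n.startswith("xl/") and n.endswith(".xml")]
        return b"".join(parts).decode("utf-8", "ignore")
    # Legacy .doc bodies are often UTF-16LE; dropping NULs exposes ASCII words.
    return path.read_bytes().replace(b"\x00", b"").decode("latin-1", "ignore")


def matched_keywords(text: str) -> list:
    """Return the keywords found in text, in list order (case-insensitive substring)."""
    return [kw for kw in KEYWORDS if re.search(re.escape(kw), text, re.IGNORECASE)]


def scan(root) -> dict:
    """Map relative path -> matched keywords for every file the rules would select."""
    root = Path(root)
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Prune skipped folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if not is_skipped((here / d).relative_to(root).as_posix())]
        for name in filenames:
            path = here / name
            rel = path.relative_to(root).as_posix()
            if path.suffix.lower() not in TARGET_EXTS or is_skipped(rel):
                continue
            if not looks_like_document(path):
                continue  # right extension, wrong bytes: ignored, as the sample reportedly does
            hits = matched_keywords(extract_text(path))
            if hits:
                results[rel] = hits
    return results


def build_sample_tree(base) -> Path:
    """Constructed sample data for the demo; none of these are real artefacts."""
    base = Path(base)
    (base / "finance").mkdir(parents=True, exist_ok=True)
    (base / "Microsoft" / "Templates").mkdir(parents=True, exist_ok=True)
    # Minimal OOXML-shaped workbook whose XML mentions a 10-Q.
    with zipfile.ZipFile(base / "finance" / "q3.xlsx", "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook><sheet name='10-Q draft'/></workbook>")
    # Minimal .doc: OLE2 header followed by UTF-16LE body text.
    body = "Project memo: CLASSIFIED, do not forward".encode("utf-16-le")
    (base / "finance" / "memo.doc").write_bytes(OLE2_MAGIC + b"\x00" * 8 + body)
    # Renamed text file: correct extension, wrong bytes, so it must be ignored.
    (base / "finance" / "fake.doc").write_bytes(b"secret secret secret")
    # Matching document under a skipped folder, so it must be ignored too.
    (base / "Microsoft" / "Templates" / "federal.doc").write_bytes(OLE2_MAGIC + b"federal")
    return base


def demo() -> dict:
    """Build the sample tree in a temp dir and return what the rules would select."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, hits in demo().items():
        print(f"{rel}: {hits}")
```

Running the script against a real share (scan("/mnt/share")) gives a quick inventory of the documents these rules would have exfiltrated, which is useful both for scoping an incident and for deciding which shares deserve tighter access control or outbound FTP egress blocking.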
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.