mDOS

Ransomware Responsible for Attack on its Maritime Facility


Ryuk ransomware developers have released a new version of the program that bypasses the folders that are most often found on UNIX-like systems.

According to the Bleeping Computer portal, the attack on New Orleans (Louisiana, USA), which took place earlier this month, used the Ryuk version with the name of the executable file v2.exe. Security researcher Vitaly Kremez studied it and discovered an interesting change - the ransomware stopped encrypting folders associated with UNIX-like systems. In particular, bin, boot, Boot, Dev, etc, lib, initrd, sbin, sys, vmlinuz, run, and var were included in the blacklist of folders Ryuk now bypasses.

Why, one might ask, should ransomware for Windows blacklist folders of UNIX-like systems? There is no Linux/Unix version of Ryuk; however, there are cases when Linux folders were encrypted as a result of ransomware attacks.

The fact is that Windows 10 has the WSL feature (Windows Subsystem for Linux), which allows you to install Linux distributions directly on Windows machines, and these installations use exactly the folders listed above. Due to the growing popularity of WSL, Linux folders were also increasingly encrypted as a result of Ryuk attacks. When the ransomware encrypts these folders, the Linux installations stop working.

The goal of ransomware operators is to encrypt user data, not to disable the operating system. By blacklisting Linux folders, Ryuk operators saved themselves the additional headache of restoring the system after a victim has paid the ransom.

Source: https://www.securitylab.ru/news/503738.php
