New malware has recently come to light that appears to be related to the Ryuk ransomware: it scans infected systems for sensitive personal and military information and then uploads it to an FTP site.
Although it bears many similarities to Ryuk, one major difference is that while Ryuk only encrypts files, this new malware steals files by uploading them to a site controlled by the intruders.
What exactly is going on?
The new malware starts by scanning all files accessible from the infected machine, looking for files with .doc or .xlsx extensions to steal.
While scanning, the malware ignores files and folders such as Microsoft and Intel, and also skips files with the .ryk extension. When a file with a .doc or .xlsx extension is found, the malware first validates it by checking whether it actually contains a Word document or worksheet.
The names of the validated files are compared against a keyword list that includes words such as "military", "secret" and "hidden", which shows that the malware specifically targets confidential data. It also checks for certain personal names, believed to come from the US Social Insurance Agency's list of the most popular names.
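To see which documents on a file share the selection rules described above would single out, here is an added Python example (not code from the report or from the malware) that walks a directory applying those rules and lists the files a defender should treat as exposed. The magic-byte validation, the three-name stand-in list and the sample tree are assumptions constructed for the demo; nothing is uploaded.

```python
import os
import tempfile
from pathlib import Path

KEYWORDS = ("military", "secret", "hidden")   # words named in the report
NAMES = ("james", "mary", "robert")            # constructed stand-in for the name list
SKIP_DIRS = {"microsoft", "intel"}             # folders the report says are ignored
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx (Office Open XML zip package)

def looks_like_office(path):
    """Assumed validation step: trust the container magic bytes, not the extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    magic = OLE_MAGIC if path.suffix.lower() == ".doc" else ZIP_MAGIC
    return head.startswith(magic)

def matching_word(path):
    """Return the first keyword or name found in the file name, else None."""
    stem = path.stem.lower()
    return next((w for w in KEYWORDS + NAMES if w in stem), None)

def at_risk_files(root):
    """Apply the reported selection rules; return sorted (relative path, matched word)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]  # prune in place
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in (".doc", ".xlsx"):  # also drops .ryk files
                continue
            word = matching_word(p)
            if word and looks_like_office(p):
                hits.append((str(p.relative_to(root)), word))
    return sorted(hits)

def build_demo_tree():
    """Constructed sample tree (not victim data) that exercises every rule once."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "secret_plans.doc": OLE_MAGIC + b"\0" * 8,       # hit: keyword, valid .doc
        "military_roster.xlsx": ZIP_MAGIC + b"\0" * 8,   # hit: keyword, valid .xlsx
        "hr/Mary_contract.doc": OLE_MAGIC + b"\0" * 8,   # hit: name-list match
        "budget.xlsx": ZIP_MAGIC + b"\0" * 8,            # valid container, no keyword
        "hidden.doc": b"plain text, not OLE",             # keyword but fails validation
        "secret_plans.ryk": OLE_MAGIC,                    # already touched by Ryuk: skipped
        "Microsoft/hidden.doc": OLE_MAGIC,                # inside an ignored folder
    }
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Running `at_risk_files(build_demo_tree())` reports only the three files that pass every rule, which is the set worth prioritising for access review and exfiltration monitoring.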
Similarities to Ryuk Ransomware
As noted, this new malware has similarities to the Ryuk ransomware, which has led to speculation that the two may be related in some way.
There are code similarities between the new malware and Ryuk.
As already mentioned, the new malware skips files related to Ryuk, such as those with the .ryk extension, and its code also contains several references to Ryuk.
However, Ryuk needs no prerequisites in order to run, whereas the new malware must be executed as a DLL.
Security researchers are still looking for samples in order to analyze how the attackers infect machines and launch an attack.
While this malware appears to be related to the infamous Ryuk ransomware, it is not clear whether the group behind Ryuk is responsible for it or whether another group obtained the code and modified it.