We haven’t heard any news about Ryuk ransomware for some time but it seems its operators are back on track as the ransomware has been updated. The new variant is adding an IP address and computer blacklisting to skip the encryption of specified computers.
The latest sample of the ransomware was discovered by MalwareHunterTeam. Another researcher, Vitali Kremez, reported that the ransomware has been changed in several directions as compared to previous samples.
Ryuk Ransomware Update June 2019 – What’s New?
Apparently, the latest iteration is designed to check the output of the “arp –a” parameter for specific IP address strings. In case these strings are found, the ransomware will not encrypt the files on that computer. Here are some of the partial IP address strings in question: 10.30.4, 10.30.5, 10.30.6, or 10.31.32.
Another update of Ryuk includes the ransomware comparing the computer name to the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk”, and “msk”, and if those are found, the computer won’t be encrypted.
It is most likely that all this is done so that the ransomware operators don’t target computers in Russia for encryption.
Besides these changes, the ransomware proceeds with its usual encryption process. As we wrote back in December, 2018, when it was first released, Ryuk Ransomware will encrypt the victim’s data and demand a ransom to get it restored.
Files will receive the .RYK extension as a secondary one, without any changes made to the original name of an encrypted file. The ransomware will also leave instructions inside a text file.
After the encryption process is finished, the .ransomware creates a ransom note. The note is named RyukReadMe.txt as and it reads the following:
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.We exclusively have decryption software for your situation
More than a year ago, world experts recognized the impossibility of deciphering by any means except the oridinal decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT DELETE readme files.To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free.To get info (decrypt your files) contact us at
ibfosontsing@protonmail.com
or
ibfosontsing@tutanota.comBTC wallet:
12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjLRyuk
No system is safe
You can visit our [wplinkpreview url=”https://sensorstechforum.com/remove-ryuk-ransomware-ryk-extension/”] Ryuk removal article for more information.