Ryuk Ransomware Updated with IP Address Blacklisting

We haven’t heard much about Ryuk ransomware for some time, but its operators appear to be back at work: the ransomware has been updated. The new variant adds IP address and computer-name blacklisting so that encryption is skipped on specified machines.

The latest sample of the ransomware was discovered by MalwareHunterTeam. Another researcher, Vitali Kremez, reported that it differs from previous samples in several respects.

Ryuk Ransomware Update June 2019 – What’s New?

Apparently, the latest iteration checks the output of the "arp -a" command for specific partial IP address strings. If any of these strings is found, the ransomware will not encrypt the files on that computer. The partial strings include 10.30.4, 10.30.5, 10.30.6 and 10.31.32.

The new sample also compares the computer name against the strings "SPB", "Spb", "spb", "MSK", "Msk" and "msk"; if any of them is found, the computer is not encrypted.

Most likely this is done so that the operators avoid encrypting computers in Russia (SPB and MSK are common abbreviations for Saint Petersburg and Moscow).
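The two exclusion checks described above, emulated in Python as an added example (this is not Ryuk's own code and nothing from the researchers' reports). It assumes, which the article does not state, that both checks are plain case-sensitive substring searches: the IP check over the raw text of "arp -a" and the name check over the hostname. The sample ARP listings and hostnames are constructed. Because the IP check matches partial strings, it also fires on addresses such as 10.30.40.x, which the third sample demonstrates.

```python
"""Emulate the Ryuk June-2019 victim-exclusion checks (added example).

Assumptions not stated on the page: the IP check is a plain substring
search over the raw `arp -a` text, and the computer-name check is a
case-sensitive substring search over the hostname.
"""
import socket
import subprocess

# Partial IP strings named in the article.
IP_PARTIALS = ("10.30.4", "10.30.5", "10.30.6", "10.31.32")
# Computer-name strings named in the article; the three casings suggest
# the comparison is case-sensitive.
NAME_STRINGS = ("SPB", "Spb", "spb", "MSK", "Msk", "msk")


def arp_matches(arp_output):
    """Return the partial IP strings found anywhere in the arp -a text."""
    return [p for p in IP_PARTIALS if p in arp_output]


def name_matches(computer_name):
    """Return the name strings found (case-sensitively) in the hostname."""
    return [s for s in NAME_STRINGS if s in computer_name]


def would_skip_encryption(arp_output, computer_name):
    """True if either check fires, i.e. the host would be spared."""
    return bool(arp_matches(arp_output) or name_matches(computer_name))


def collect_live():
    """Gather the same two inputs from the current host (arp exists on
    Windows and most Unix systems; the result is only informational)."""
    try:
        proc = subprocess.run(["arp", "-a"], capture_output=True,
                              text=True, timeout=10)
        arp_text = proc.stdout
    except (OSError, subprocess.TimeoutExpired):
        arp_text = ""
    return arp_text, socket.gethostname()


# Constructed sample `arp -a` listings in Windows format.
SAMPLE_ARP_HIT = """\
Interface: 10.30.4.17 --- 0xb
  Internet Address      Physical Address      Type
  10.30.4.1             00-1a-2b-3c-4d-5e     dynamic
  10.30.4.255           ff-ff-ff-ff-ff-ff     static
"""

SAMPLE_ARP_MISS = """\
Interface: 192.168.1.23 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5f     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# "10.30.4" is a substring of "10.30.40.12": a substring check over-matches.
SAMPLE_ARP_OVERMATCH = """\
Interface: 10.30.40.12 --- 0xb
  Internet Address      Physical Address      Type
  10.30.40.1            00-1a-2b-3c-4d-60     dynamic
"""

if __name__ == "__main__":
    for label, arp, host in (
        ("hit", SAMPLE_ARP_HIT, "WORKSTATION-07"),
        ("miss", SAMPLE_ARP_MISS, "WORKSTATION-07"),
        ("overmatch", SAMPLE_ARP_OVERMATCH, "WORKSTATION-07"),
        ("name", SAMPLE_ARP_MISS, "SPB-FILESRV01"),
    ):
        print(label, would_skip_encryption(arp, host),
              arp_matches(arp), name_matches(host))
    live_arp, live_name = collect_live()
    print("this host would be skipped:",
          would_skip_encryption(live_arp, live_name))
```

Running the script on your own machine shows whether a Ryuk sample with these checks would spare it; the over-match case is the reason a defender should not rely on such exclusions, and conversely why an incident responder should not assume a 10.30.4x.x host was untouched on purpose.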

Apart from these changes, the ransomware proceeds with its usual encryption process. As we wrote back in December 2018, Ryuk encrypts the victim’s data and demands a ransom to restore it.

Encrypted files receive the .RYK extension appended to the original file name, which is otherwise left unchanged. The ransomware also drops its instructions in a text file.


After the encryption process is finished, the ransomware creates a ransom note named RyukReadMe.txt, which reads as follows (typos as in the original note):

Your network has been penetrated.

All files on each host in the network have been encrypted with a strong algorithm.

Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.

We exclusively have decryption software for your situation
More than a year ago, world experts recognized the impossibility of deciphering by any means except the oridinal decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.

DO NOT RESET OR SHUTDOWN – files may be damaged.
DO NOT DELETE readme files.

To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free.

To get info (decrypt your files) contact us at
ibfosontsing@protonmail.com
or
ibfosontsing@tutanota.com

BTC wallet:
12vsQry1XrPjPCaH8gWzDJeYT7dhTmpcjL

Ryuk
No system is safe

You can visit our Ryuk removal article for more information.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
