Ryuk-related malware scans systems to steal sensitive military data

• A new malware that seems related to the Ryuk ransomware has been reported to steal confidential financial and military information.
• This malware is said to scan for sensitive files and upload them to an FTP site.

Although it shares many similarities with Ryuk, an interesting observation is that the Ryuk ransomware only encrypts files. This new malware is stealing the files by uploading them to a site under the control of attackers.

What is happening?

Ryuk is a ransomware that is well-known in the world of cybersecurity. A new malware that appears to be associated with Ryuk, is scanning for sensitive files and uploading them to an attacker-controlled FTP site.

• The malware initiates a recursive scan of all files available in the infected machine. It looks for files with .doc or .xlsx extensions to steal.
• Along with skipping files and folders such as Microsoft and Intel while scanning, it also skips files with the .ryk extension.
• When a file with .doc or .xlsx extension is found, the malware first validates the file by checking if it contains a word document or spreadsheet.
• Names of the valid files are compared against the malware’s dictionary of keywords that include ‘military’, ‘secret’, and ‘undercover’. This indicates that the malware is specifically targeting confidential data.
• It also checks for certain first names, that are believed to be sourced from the U.S. Social Security Department’s list of top baby names.

Relationship with Ryuk Ransomware

The new malware has been observed to have a strange association with the Ryuk ransomware that has led to the speculation that they could be related in some way.

• There are code similarities between the new malware and Ryuk to look for a file named Ahnlab.
• As already mentioned, the new malware skips files that are related to Ryuk, such as those with the .ryk extension.
• The new stealer contains certain Ryuk references in its code.
• However, Ryuk runs without any dependencies but the new malware requires DLLs to execute.

The takeaway

Security researchers are still looking for samples to analyze how it infects and launches an attack.

Although it seems apparent that this stealer has ties with the notorious Ryuk ransomware, it is not clear if the group behind Ryuk is responsible for this malware, or if another group gained access to the code and modified it.