Ryuk Ransomware Adds IP and Computer Name Blacklisting


A new variant of the Ryuk Ransomware has been discovered that adds IP address and computer blacklisting so that matching computers will not be encrypted.

This new sample was discovered yesterday by MalwareHunterTeam, who saw that it was signed by a digital certificate. After this sample was examined by security researcher Vitali Kremez, it was discovered that a few changes were made to this variant that was not seen in previous samples.

Kremez found that with this new variant, the ransomware will check the output of arp -a for particular IP address strings, and if they are found, will not encrypt the computer.

TOP ARTICLES1/5READ MOREGoogle Chrome Canary Flag Makes The Browser a Colorful Mess

The partial IP address strings that are searched for are 10.30.4, 10.30.5, 10.30.6, or 10.31.32

In addition to the IP address blacklisting, this new Ryuk variant will also compare the computer name to the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk”, and “msk”. If the computer name contains any of these strings, Ryuk will not encrypt the computer.

When BleepingComputer asked Kremez why he felt they were making these checks, he told us that it was likely to avoid encrypting computers in Russia.

While the ransomware continues to check a computer for the Russian, Belarusian, and Ukrainian, Russian, Ukrainian, or Belarusian, it was still possible that Russian based computer could be infected via “worming” behavior.

For example, an attacker could target a USA based computer, but Kremez fel that after using “EternalRomance exploit and SMB propagation, they could then use empire or cobalt strike” to propagate into connected systems in Russia.

By checking for the strings “MSK”, which may stand for Moskow, and “SPB”, which could mean St. Petersburg, they would avoid potentially infecting a CIS victim.

Encryption as usual

If the computer passes these checks, then it will encrypt the computer as usual and append the .RYKextension to encrypted files.

Ryuk Ransom Note
Ryuk Ransom Note

While encrypting files, it will also create RyukReadMe.html ransom notes that contain the phrase “balance of shadow universe” and email addresses that can be contacted for payment instructions.

It is not known what the “balance of shadow universe” means.

The email addresses that are currently being used in the ransom notes are [email protected] and [email protected]

Ryuk Ransom Note
Ryuk Ransom Note

As always, it is strongly advised that you do not pay the ransom if at all possible and instead restore from backup.

Protecting yourself from Ransomware

As ransomware is only damaging if you have no way of recovering your data, the most important thing is to always have a reliable backup of your files. These backups should be stored offline and not made accessible to ransomware, which have been known to target backups in the past.

While this ransomware is not being spread via spam, it is possible that it is being installed by Trojans that are. Therefore, it is important that all users be trained on how to properly identify malicious spam and to not open any attachments without first confirming who and why they were sent.

Finally, it also important to make sure that your network does not make Remote Desktop Services publicly accessible via the Internet. Instead, you should put it behind a firewall and make it only accessible through a VPN.