Cybersecurity experts detected a campaign, which includes a malware with strange associations to Ryuk ransomware, attempting to steal confidential military, financial and law enforcement data.
The digital campaign was found by the MalwareHunterTeam, which helps victims identify what ransomware may have encrypted their files. But, the strange part of this campaign is, instead of encrypting the targeted data and demand a ransom as Ryuk normally does, it actually searches victims' computers for sensitive files, steals them and uploads them to an FTP site under the hacker's control.
The experts still don't know how Ryuk lookalike lands on a targeted system but as per BleepingComputer after the execution of the attack, the stealer performs a recursive scan to look for only selective Word and Excel files to steal, while checking for strings kept on a blacklist.
Once a file or folder matches with the list that includes 77 strings, the malware stops checking it and if the data passes the blacklist, a verification process takes place to check whether the document is valid or not.
"Military," "classified," "finance," "SWIFT," "report," "secret," "clandestine," "checking," "saving," "marketwired", "10-Q", "fraud", "hack", "tank", "defence", "military", "undercover", "federal" and "routing" are all examples of terms on the list of strings and after a file matches to a term in this list, the data gets uploaded to a server controlled by the attacker.
As mentioned earlier this particular infection shares a few curious qualities with Ryuk such as containing specific string references to ".RYK" and "RyukReadMe.txt," said Vitali Kremez, a cybersecurity researcher, Dark Reading reported.
Like Ryuk, this malware also contains references to Ahnlab antivirus company and on the target machines, it checks for a file called Ahnlab. The cybersecurity expert also revealed that the malware also has a link to "UNIQUE_ID_DO_NOT_REMOVE," which is a string present in Ryuk.
"Overall, it looks like someone with the Ryuk code added additional code to make it a stealer and compiled in a different environment," said Kremez.
In addition, he mentioned that it looks like "if someone less experienced took the Ryuk code and/or tried to mimic Ryuk routines, then they copy/pasted some own code logic/code and created a new malware."
But the entire process of taking Ryuk and transforming it into a stealer is new. However, as of now, there is no evidence to know who is behind this.
It is a fact that Ryuk ransomware has been seen targeting businesses around the world. In April, Ryuk disrupts The Watertown Daily Times' Sunday paper delivery.
Two cybersecurity companies, McAfee and Coveware, stated in a report that the Ryuk attackers had extorted more than 10 times the average malware ransom "making it the costliest type of ransomware, Coveware also observed that some Ryuk ransoms were highly negotiable, while others were not. The bar-belled negotiation results generated an average ransom payment of $71k, a 60% discount from an average opening ask of $145k."