A new family of malware with an apparent connection to the notorious Ryuk ransomware was uncovered, but instead of encrypting files, it was found targeting government-, military-, and finance-related files. Trend Micro detects this threat as Ransom.Win32.RYUK.THIABAI and proactively detects it as Troj.Win32.TRX.XXPE50FFF031 through machine learning detection capabilities built into Trend Micro solutions.
Found and analyzed by security researcher Vitali Kremez, the malware performs recursive scanning (repetitively checking if the files, directories, and sub-directories are modified based on timestamps) and searches for Microsoft Word and Excel files to steal. The malware also uses certain strings to blacklist certain files, including those related to Ryuk, such as RyukReadMe.txt, which usually contains the ransomware’s ransom note, and files with the .RYK extension, which the ransomware appends after encrypting a file. MalwareHunterTeam researchers also analyzed an infected computer bearing the same scanning and data exfiltration routines.
If the file isn’t blacklisted, the malware then double-checks that it is indeed a valid Word or Excel file. The file then undergoes several checks before it is uploaded to an attacker-owned FTP server. The file is compared against the malware’s list of 77 strings, which includes “tank,” “defence,” “military,” “classified,” “secret,” “clandestine,” “undercover,” and “federal,” among others. The malware also searches for files that have these names: “Emma,” “Isabella,” “James,” “Liam,” “Logan,” “Noah,” “Olivia,” “Sophia,” and “William.” Kremez and other security researchers inferred that these names are those listed by U.S. Social Security as the top baby names in 2018.
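For incident scoping, the selection routine described above can be approximated to triage a file listing collected from an affected host. This is an added example, not code from the researchers or from Trend Micro; it assumes matching is done on file names, recognises Office files by extension only, and uses only the strings quoted in this article (function names and sample paths are constructed).

```python
from pathlib import PureWindowsPath

# Partial indicator lists: only the strings quoted in the article
# (the malware's full list has 77 entries, not reproduced here).
KEYWORDS = ("tank", "defence", "military", "classified", "secret",
            "clandestine", "undercover", "federal")
NAMES = ("emma", "isabella", "james", "liam", "logan", "noah",
         "olivia", "sophia", "william")
# Assumption: Word/Excel files are recognised by extension only.
OFFICE_EXTS = {".doc", ".docx", ".xls", ".xlsx"}


def classify(path: str) -> tuple[str, list[str]]:
    """Return (verdict, matched terms) for one file path from a host listing."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    # Ryuk artifacts are skipped by the stealer, but they show that Ryuk
    # encrypted files on this host, so they are reported separately.
    if name == "ryukreadme.txt" or p.suffix.lower() == ".ryk":
        return "ryuk-artifact", []
    if p.suffix.lower() not in OFFICE_EXTS:
        return "out-of-scope", []
    hits = [t for t in KEYWORDS + NAMES if t in name]
    return ("likely-targeted" if hits else "office-no-match"), hits


def scope_exposure(listing: list[str]) -> dict[str, list[tuple[str, list[str]]]]:
    """Group a file listing by verdict so responders can prioritise review."""
    report: dict[str, list] = {}
    for path in listing:
        verdict, hits = classify(path)
        report.setdefault(verdict, []).append((path, hits))
    return report


# Constructed sample listing (not taken from any real host).
SAMPLE = [
    r"C:\Users\a\Documents\Federal_Budget_2019.xlsx",
    r"C:\Users\a\Documents\lunch_menu.docx",
    r"C:\Users\a\Desktop\RyukReadMe.txt",
    r"C:\Share\hr\Olivia_Secret_Review.DOC",
    r"C:\Share\old\contract.docx.RYK",
    r"C:\Users\a\Pictures\tank.png",
]

if __name__ == "__main__":
    for verdict, items in scope_exposure(SAMPLE).items():
        for path, hits in items:
            print(f"{verdict:16} {path} {hits}")
```

Files in the "office-no-match" group still need review, because the article quotes only part of the malware's string list.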
The researchers also noted the malware’s interesting similarities to Ryuk. For one, the malware has a function that creates a file that it appends with the .RYK extension, but this isn't enabled in the malware. It also checks for the presence of security software. “It might indicate someone with source access to Ryuk ransomware simply copy/pasted and modified code to make it a stealer or look like it,” Kremez told BleepingComputer, which reported the discovery.
The reuse of existing threats isn’t new, what with their accessibility in public repositories (either as proofs of concept or for legitimate use like penetration testing) and availability in underground marketplaces. The ransomware family CrypMIC, for instance, attempted to mimic the notorious CryptXXX ransomware's ransom notes and user interfaces in its payment pages. The same could also be said for the Sodinokibi ransomware, which has apparently taken over the ransomware-as-a-service (RaaS) Gandcrab. When it made headlines, LockerGoga, too, appeared to have similarities with Ryuk.
This seemingly new threat, however, is notable for the specificity of its targets, namely confidential information related to the military, criminal investigation, and finance or banking. And given how this malware can also spread to other systems, a defense-in-depth approach to securing online infrastructures is important. For example, the malware scans the infected computer’s address resolution protocol (ARP) table, which stores IP addresses of other computers within the local area network (LAN), enabling the attackers to install the malware on other computers in order to steal more files.
Here are some best practices that organizations can adopt to protect against information-stealing threats:
Regularly update and patch systems, networks, and servers to remove exploitable vulnerabilities (or employ virtual patching for legacy and embedded systems or software).
Enforce the principle of least privilege by disabling or restricting the use of tools, software, or other components that are normally reserved for system administrators.
Nurture a cybersecurity-aware workforce, especially against socially engineered threats that could trick employees into downloading and installing malware.