Ransomware victims become “clients”. The cybersecurity expert MalwareHunterTeam discovers a new press release by the group with rules and threats.
MalwareHunterTeam discovers a new variant of the Ryuk ransomware: it adds IP and Computer Name blacklisting to avoid encrypting machines in Russia
There is a new version of the Ryuk Ransomware in the wild. It adds IP address and computer blacklisting, so that matching machines won’t be encrypted. It has been discovered by MalwareHunterTeam cyber security experts. The researchers found that with this new variant, the malware will check the output of arp-a for particular IP address strings, and if they are found, will not encrypt the computer. In addition, the new malicious code will also compare the computer name to the strings “SPB”, “Spb”, “spb”, “MSK”, “Msk”, and “msk”. If the machine name contains any of these, it won’t be compromised. According to BleepingComputer, that interviewed the researcher Vitali Kremez, this is likely to avoid damaging computers in Russia. Moreover, while encrypting files, the malware will create RyukReadMe.html cybercrime ransom note. It contains the phrase “balance of shadow universe” and email addresses that can be contacted for payment instructions.
The cyber security experts: the cybercrime threat actor probably is still GRIM SPIDER. The malicious hackers want to protect at all costs Russia from possible incidents. The new malware features confirms it
Cyber security experts believe that the cybercrime group behind the new variant of Ryuk is still GRIM SPIDER. This, because the malicious hackers who exploit the old versions of the malware are Russian. Furthermore, the ransomware is based on the North Korean Hermes (developed by STARDUST CHOLLIMA, part of Lazarus network), but it has been advertized on Russian-speaking forums. Then, some files were uploaded to a file-scanning website from an IP address in Moscow. Also some filenames are in Russian. Finally, there is the new trick to avoid encrypting computers in the country. The old versions of the malware had a feature that block the enconding in Russia, Ukraine and Belarus. If the developers/operators choose to put another one, it means that they want at all costs avoiding the risks od possible incidents, that involve the Federation.