Ryuk Ransomware Stops Encrypting Linux Folders:
A new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX operating systems.
After the City of New Orleans was infected by ransomware, BleepingComputer confirmed that the city was infected by the Ryuk Ransomware using an executable named v2.exe.
After analyzing the v2.exe sample, security researcher Vitali Kremez shared with BleepingComputer an interesting change in the ransomware; it would no longer encrypt folders that are associated with *NIX operating systems.
The list of *NIX folders blacklisted by Ryuk is:
- bin
- boot
- Boot
- dev
- etc
- lib
- initrd
- sbin
- sys
- vmlinuz
- run
- var
At first glance, it seems strange that Windows malware would blacklist *NIX folders when encrypting files.
Even stranger, Kremez told us that he has been asked numerous times whether there was a Unix variant of Ryuk, as data stored on these operating systems has been encrypted in Ryuk attacks.
A Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders with the same blacklisted names as listed above.
With the rising popularity of WSL, the Ryuk actors likely encrypted a Windows machine at some point and, in doing so, also hit the *NIX system folders used by WSL. This would have caused those WSL installations to stop working.
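A small triage helper, added here and not taken from Kremez's analysis or BleepingComputer, that checks an inventory of file paths against the folder list above to show which files in a WSL installation the new build would leave alone and which it would still encrypt. It assumes the folder name is compared against every path component (not only the top level) and case-sensitively, which the presence of both "boot" and "Boot" in the list suggests but the page does not state; the sample paths are constructed.

```python
import posixpath

# Folder names the new Ryuk build skips, as listed on the page.
RYUK_SKIPPED_FOLDERS = frozenset({
    "bin", "boot", "Boot", "dev", "etc", "lib", "initrd",
    "sbin", "sys", "vmlinuz", "run", "var",
})


def is_spared(path: str) -> bool:
    """True if any component of the path is one of the skipped folder names.

    Assumptions (not stated on the page): every component is checked, not
    just the top level, and the comparison is case-sensitive. Backslashes
    are accepted so Windows-style \\wsl$\\Distro\\... paths work too.
    """
    parts = posixpath.normpath(path.replace("\\", "/")).split("/")
    return any(p in RYUK_SKIPPED_FOLDERS for p in parts if p)


def triage(paths):
    """Split an inventory of file paths into (spared, exposed) lists."""
    spared, exposed = [], []
    for p in paths:
        (spared if is_spared(p) else exposed).append(p)
    return spared, exposed


# Constructed sample inventory of a WSL distribution's files (not real data).
SAMPLE_PATHS = [
    "/etc/passwd",
    "/bin/bash",
    "/var/log/syslog",
    "/usr/lib/libc.so.6",
    "/usr/local/bin/tool",
    "/home/alice/thesis.tex",
    "/opt/app/config.yml",
    "/srv/www/index.html",
    "/root/.ssh/id_ed25519",
]

if __name__ == "__main__":
    spared, exposed = triage(SAMPLE_PATHS)
    print("left alone by the blacklist:")
    for p in spared:
        print("  ", p)
    print("still at risk (user and service data):")
    for p in exposed:
        print("  ", p)
```

Note that under the any-component assumption /usr/local/bin/tool is spared because of "bin", while everything under /home, /opt, /srv and /root remains exposed.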
(Score: 5, Funny) by Bot on Tuesday December 31 2019, @12:39AM (4 children)
Software and hardware makers always plotting to keep Linux out of the action when it would be perfectly doable to be compatible with this ransomware.
Linux ain't ready for the desktop until we address this. The lack of ransomware causes confusion in Windows users. Heck, they already try to pay random spammers to regain control of what they put in /dev/null.
Account abandoned.
(Score: 2, Insightful) by Anonymous Coward on Tuesday December 31 2019, @01:41AM (3 children)
Linux has its own ransomware: systemd.
(Score: 3, Funny) by Anonymous Coward on Tuesday December 31 2019, @01:43AM (2 children)
True... it encrypted my /var/log into an unreadable binary file.
(Score: 3, Funny) by zion-fueled on Tuesday December 31 2019, @01:58AM (1 child)
Just wait till homed is released.
(Score: 2) by coolgopher on Tuesday December 31 2019, @09:55AM
After that it's only a matter of time until they ship the full boned...
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday December 31 2019, @02:17AM (3 children)
Do note the lack of protection for the "home" folder, the "opt" folder, the "srv" folder, and other common places important data but not critical system bits might be stored. The idea with ransomware is to encrypt data the owner wants access to but have a system functioning enough to let them know how to regain access to their shit. This is not excluding Linux or even WSL, it's doing exactly what it's supposed to do.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday December 31 2019, @04:26AM
Exactly this. Beware of the incoming articles on how ransomware ignores %ProgramFiles%, %ProgramFiles(x86)%, %SystemRoot%, and %windir%.
(Score: 2) by darkfeline on Tuesday December 31 2019, @11:15AM (1 child)
Joke's on them, real men keep their porn under /usr/lib.
Join the SDF Public Access UNIX System today!
(Score: 2) by The Mighty Buzzard on Tuesday December 31 2019, @04:45PM
Well, I am a user and I do have a pretty big library. Makes perfect sense to me.
My rights don't end where your fear begins.
(Score: 2) by Mojibake Tengu on Tuesday December 31 2019, @03:21AM
Good. Now Windows morons could start putting their precious data in \\wsl$\Ubuntu\etc safely.
Rust programming language offends both my Intelligence and my Spirit.
(Score: 2) by Nuke on Tuesday December 31 2019, @10:35AM (1 child)
Those directories are system ones only, so the user's data would still be encrypted. Presumably the system files are left intact otherwise the decryption software you are supposed to buy from the scammers could not run - or at least there should be the appearance of being able to decrypt.
I don't know if the system files are left unencrypted in the Windows version, but logically they should also be left unaffected. Unless the scammers assume that Windows users don't know what a system file is anyway, and you don't receive any decryption software even if you pay, so it doesn't matter.
(Score: 2) by maxwell demon on Tuesday December 31 2019, @05:02PM
Unless the system is operated by an old-timer who still insists on having the user home directories under /usr ;-)
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday December 31 2019, @01:26PM
My guess is that these knockouts are there to prevent it from happening during the next dev cycle. IOW, this probably has nothing to do with the target systems at all, but the development systems.