Ryuk Ransomware Stops Encrypting Linux Folders:
A new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX operating systems.
After the City of New Orleans was infected by ransomware, BleepingComputer confirmed that the city was infected by the Ryuk Ransomware using an executable named v2.exe.
After analyzing the v2.exe sample, security researcher Vitali Kremez shared with BleepingComputer an interesting change in the ransomware; it would no longer encrypt folders that are associated with *NIX operating systems.
The *NIX folders blacklisted by Ryuk are:
- bin
- boot
- Boot
- dev
- etc
- lib
- initrd
- sbin
- sys
- vmlinuz
- run
- var
At first glance, it seems strange that a Windows malware would blacklist *NIX folders when encrypting files.
Even stranger, Kremez told us that he has been asked numerous times whether there was a Unix variant of Ryuk, as data stored in these operating systems has been encrypted in Ryuk attacks.
A Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders with the same blacklisted names as listed above.
With the rising popularity of WSL, the Ryuk actors likely at some point encrypted a Windows machine in a way that also affected the *NIX system folders used by WSL. This would have caused these WSL installations to no longer work.
(Score: 2) by Bot on Tuesday December 31, @12:39AM
Software and hardware makers always plotting to keep Linux out of the action when it would be perfectly doable to be compatible with this ransomware.
Linux ain't ready for the desktop until we address this. The lack of ransomware causes confusion in Windows users. Heck, they already try to pay random spammers to regain control of what they put in /dev/null.