A new piece of malware that shares some similarities with Ryuk
ransomware, but acts as an information stealer targeting military, law
and financial institutions, has been uncovered by MalwareHunterTeam.

Once on board a device, the as-yet-unnamed malware begins its attack by searching for .docx and .xlsx files, according to Bleeping Computer. In a fashion similar to how ransomware operates, this malware has a blacklist of terms that it checks against, and if any are contained in a file, that file is skipped. The blacklist includes some terms associated with Ryuk, such as RyukReadMe.txt or anything with a .ryk extension. There are also some code similarities between the two.

The malware also checks against a list of 77 strings
containing words primarily associated with its three targets. MalwareHunterTeam
also found the malware searching for popular children’s names, but it is not
known why this is done.

Any matching documents are uploaded to the malware's command
and control server, and then a quick search is done for IP addresses that could
lead to shared devices that can also be attacked, Bleeping Computer wrote.

MalwareHunterTeam told Bleeping Computer it is not sure how
this malware is injected into a computer, but a theory was proposed that it
is a precursor to an actual ransomware attack, used when the malicious actors
want to remove data before encrypting files.