Latest Ryuk Ransomware Version Spares Linux Folders
On December 13, cybercriminals used a version of Ryuk Ransomware in the attack on the City of New Orleans. The attack resulted in a shut down of the city's servers, extensive quarantine efforts, and the Mayor declaring a state of emergency. The city of New Orleans was added to the list of more than one hundred federal, state and municipal governments and agencies to have fallen prey to ransomware attacks in the US in 2019. The Ryuk Ransomware, in particular, has been used in hundreds of attacks on private and government entities with varying success.
The version of Ryuk Ransomware that infected the networks of the City of New Orleans seems to be relatively new. Security researcher Vitali Kremez discovered a new characteristic of this iteration of the ransomware – it deliberately doesn't encrypt *nix system-related folders.
Here is a list of the folders not included in the blacklist for previous versions:
- bin
- boot
- Boot
- dev
- etc
- initrd
- lib
- run
- sbin
- sys
- vmlinuz
- var
Ryuk Ransomware doesn't have a dedicated version for Linux systems. The reason for the inclusion of the *nix folders in the blacklist is likely to avoid interfering with Linux distributions installed on Windows 10. Windows 10's Windows Subsystem for Linux makes it possible to run Linux distributions in a Windows environment.
Ultimately, the goal of this change is likely to be an increase in payout outcomes. Previous versions encrypting *nix folders could have rendered certain systems unusable thus hindering, if not preventing, the victim from paying the ransom. It would also translate into less work for the criminals in case they need to decrypt a victim's data.
The City of New Orleans never disclosed any ransom demands. They also stated that data loss from the cyberattack was "very minimal" and no ransom had been paid. There have been no updates on investigations into the incident. Information about how much the recovery process cost is also unavailable at this time. Whether the cybercriminals view this attack as a success or a failure, it is unlikely to be the last we hear about the Ryuk Ransomware. Criminals have used it in a large number of attacks in the relatively short period since Ryuk's first appearance back in August of 2018. With Ryuk and other ransomware threats growing ever more popular and evolving along with attackers are using them to target specific organizations and agencies, the importance of developing and maintaining solid cybersecurity solutions and contingencies can't be overstated.