A ransomware strain called Ryuk is being distributed in China and demands that users of infected devices pay a large sum in BTC.
Tencent Security examined the Ryuk ransomware and found that it encrypts data on the infected device and demands a ransom in BTC. The ransom is usually quite large compared to similar attacks in the past and has recently risen to 11 BTC.
The ransomware locks victims out of their systems using a modern malicious toolkit and is delivered mainly through botnets. It was first observed in North America and uses the RSA and AES algorithms to encrypt victims' files. The campaign appears to be targeted, with government agencies and private organizations among its victims.
Ryuk is derived from the Hermes ransomware code base, and the earliest signs of its activity date back to August 2018. It reuses most of the Hermes code, has the same whitelist filtering mechanism as Hermes, and even uses the Hermes string sequences as its unique marker for infected files.
The sample found in China drops and launches several modules that help the ransomware deploy and further improve its efficiency. Recent attacks used a dropper containing both 32-bit and 64-bit builds of the payload.
When Ryuk starts, it checks whether it was launched with a specific command-line argument, and then terminates more than 40 processes and more than 180 services related to antivirus software, databases, backup tools and document editing software.
According to the researchers, almost every Ryuk sample detected carried a unique BTC address. Shortly after a victim pays the ransom, the attackers split the bitcoins and transfer them to several accounts.
The ransomware also persists on infected devices and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key, volume shadow copies and various backup files on disk to prevent users from restoring their files.
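Two of the behaviours described above, the burst of process and service terminations at start-up and the destruction of shadow copies, are visible in process-creation telemetry and can be flagged by a defender before encryption completes. The script below is an added example written for this article, not code from Tencent Security or from the ransomware analysis; the log format (`timestamp|parent image|command line`), the sample log lines, the function names `parse` and `detect`, and the threshold of five termination commands within 60 seconds are all constructed assumptions.

```python
"""
Added detection example (not from the article or Tencent Security).
Scans process-creation log lines for two behaviours the article attributes
to Ryuk: a burst of service/process terminations from a single parent
process, and deletion of volume shadow copies.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption): "<ISO timestamp>|<parent image>|<command line>".
# The dropper path and timings are invented for the example.
SAMPLE_LOG = r"""
2019-07-01T10:00:01|C:\Windows\explorer.exe|"C:\Program Files\Editor\editor.exe" report.docx
2019-07-01T10:02:10|C:\Users\x\tmp\dropper.exe|net stop "MSSQLSERVER" /y
2019-07-01T10:02:11|C:\Users\x\tmp\dropper.exe|net stop "BackupExecAgentBrowser" /y
2019-07-01T10:02:11|C:\Users\x\tmp\dropper.exe|taskkill /IM sqlservr.exe /F
2019-07-01T10:02:12|C:\Users\x\tmp\dropper.exe|taskkill /IM MsMpEng.exe /F
2019-07-01T10:02:12|C:\Users\x\tmp\dropper.exe|net stop "SQLWriter" /y
2019-07-01T10:02:13|C:\Users\x\tmp\dropper.exe|taskkill /IM outlook.exe /F
2019-07-01T10:02:15|C:\Users\x\tmp\dropper.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-07-01T10:30:00|C:\Windows\explorer.exe|net stop "Spooler"
"""

# Standard Windows commands used to stop services or kill processes.
KILL_CMD = re.compile(
    r"^(?:net1?(?:\.exe)?\s+stop\b|taskkill(?:\.exe)?\b|sc(?:\.exe)?\s+stop\b)",
    re.IGNORECASE,
)
# Standard Windows commands that delete volume shadow copies.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)


def parse(log_text):
    """Parse the constructed log format into (timestamp, parent, command) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, parent, cmd = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), parent, cmd))
    return events


def detect(log_text, kill_threshold=5, window=timedelta(seconds=60)):
    """Return findings as (kind, parent_image, detail) tuples.

    kind is "shadow_copy_deletion" for any shadow-copy deletion command, or
    "mass_termination" when one parent issues >= kill_threshold stop/kill
    commands inside a sliding time window (thresholds are assumptions).
    """
    findings = []
    kills = defaultdict(list)
    for ts, parent, cmd in parse(log_text):
        if SHADOW_DELETE.search(cmd):
            findings.append(("shadow_copy_deletion", parent, cmd))
        if KILL_CMD.search(cmd):
            kills[parent].append(ts)

    for parent, times in kills.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits the window.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= kill_threshold:
                findings.append((
                    "mass_termination",
                    parent,
                    f"{count} stop/kill commands within {window.total_seconds():.0f}s",
                ))
                break  # one finding per parent is enough
    return findings


if __name__ == "__main__":
    for kind, parent, detail in detect(SAMPLE_LOG):
        print(f"{kind}: {parent} -> {detail}")
```

A single `net stop` from `explorer.exe` is ordinary administration and is not flagged; the same commands issued in a burst from one unfamiliar parent, followed by shadow-copy deletion, are what distinguish the pattern the article describes. In practice the two signals would be correlated by host and raised as one high-priority alert, since shadow-copy deletion usually precedes encryption by seconds.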
Recently, Monroe College in New York was hit by ransomware, and the hackers demanded a ransom of 170 BTC. In addition, at the end of last month the authorities of the American city of Lake City paid the extortionists a ransom of 42 BTC after a ransomware attack.