

June 21, 2019
Severity
High
Analysis Summary
A new variant of the Ryuk ransomware has been discovered that adds IP address and computer-name blacklisting, so that hosts matching the blacklist are not encrypted. The new version is also digitally signed, possibly in an attempt to evade detection before installation. The IP ranges and computer names in the malware’s blacklist (the list of hosts it will not infect) are listed below. The source article indicated that this blacklist may have been added to avoid infecting Russian systems during worming attacks. If the victim’s system does not fall into one of the blacklist categories, files are encrypted as usual and a .RYK extension is appended to each file name. RyukReadMe.html is created as the ransom note; it contains the phrase “balance of shadow universe” and an email address to contact for payment instructions.
Impact
- Unauthorized system access
- Files encryption
Indicators of Compromise
IP(s) / Hostname(s)
- 10[.]30[.]4[.]0/255
- 10[.]30[.]5[.]0/255
- 10[.]30[.]6[.]0/255
- 10[.]31[.]32[.]0/255
Email Address
- neyhyretim@protonmail.com
- sorcinacin@protonmail.com
Malware Hash (MD5/SHA1/SHA256)
- 0b1008d91459937c9d103a900d8e134461db27c602a6db5e082ab9139670ccb6
Remediation
- Block all threat indicators at your respective controls.
- Search for these IOCs in your environment.
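The blacklist check and on-disk artefacts described in the analysis summary, together with the IOC search the remediation asks for, as an added hunting snippet that is not part of the advisory. It assumes the advisory's "0/255" notation means the last octet spans 0 to 255 (a /24); the sample paths and ransom-note text are constructed.

```python
import ipaddress
import re
from pathlib import PurePosixPath

# Indicators copied from the advisory above; "0/255" is read as last octet 0..255 (assumption).
BLACKLIST_DEFANGED = ["10[.].30[.].4[.].0/255", "10[.].30[.].5[.].0/255",
                      "10[.].30[.].6[.].0/255", "10[.].31[.].32[.].0/255"]
RANSOM_NOTE = "RyukReadMe.html"
NOTE_PHRASE = "balance of shadow universe"
CONTACT_EMAILS = {"neyhyretim@protonmail.com",
                  "sorcinacin@protonmail.com"}

def refang_network(defanged):
    """'10[.].30[.].4[.].0/255' -> [IPv4Network('10.30.4.0/24')] (see assumption above)."""
    clean = re.sub(r"\[\.\]\.?", ".", defanged)        # strip the defanging
    base, _, last = clean.partition("/")               # '10.30.4.0', '255'
    first = ipaddress.ip_address(base)
    final = ipaddress.ip_address(base.rsplit(".", 1)[0] + "." + last)
    return list(ipaddress.summarize_address_range(first, final))

BLACKLIST = [net for d in BLACKLIST_DEFANGED for net in refang_network(d)]

def host_is_skipped(ip):
    """True if this host sits in a range the variant declines to encrypt."""
    return any(ipaddress.ip_address(ip) in net for net in BLACKLIST)

def scan_paths(paths):
    """Flag the artefacts the summary describes: .RYK files and the ransom note."""
    hits = []
    for p in paths:
        name = PurePosixPath(p).name
        if name == RANSOM_NOTE:
            hits.append((p, "ransom-note"))
        elif name.lower().endswith(".ryk"):
            hits.append((p, "encrypted-file"))
    return hits

def note_matches(text):
    """True if a file's text carries the note phrase or a listed contact address."""
    t = text.lower()
    return NOTE_PHRASE in t or any(e in t for e in CONTACT_EMAILS)

if __name__ == "__main__":
    # Constructed sample inventory, not real telemetry.
    sample = ["C:/Users/a/Desktop/report.docx.RYK",
              "C:/Users/a/Desktop/RyukReadMe.html", "C:/Windows/notepad.exe"]
    print(host_is_skipped("10.30.5.17"), host_is_skipped("10.30.7.1"))
    print(scan_paths(sample))
```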