FBI Alerts of New Ryuk Ransomware Variant

The Ryuk ransomware has been hitting US organizations hard in recent months. The FBI released a Flash alert warning that more than 100 U.S. companies have been hit since August 2018. The attackers behind the campaign are targeting logistics, technology, and small organizations.

Since last year, Ryuk has been relentlessly targeting and encrypting hundreds of data centers and computers around the globe, hitting news outlets such as the New York Times and the Wall Street Journal. The ransomware has also hit organizations providing cloud services, such as Dataresolution.net.

Further, Ryuk has been continuously changing and updating itself. The FBI released a statement saying that a new form of Ryuk was discovered. This variant is unique in that it does not tell victims how much the ransom demand is. Instead, when this variant first infects a victim, it provides an email address and uses only email for communication. Only once the victim emails the attacker does the attacker send the ransom demand, the Bitcoin wallet address, and a sample of decrypted files. The decrypted files are meant to reassure the victim that the files have not been deleted and still exist.

According to the Flash, it is often impossible to identify the infection vector because once Ryuk gets into a system it deletes all files related to the intrusion. Therefore, the FBI is asking organizations that get hit with Ryuk to provide it with the following:

  • “Recovered executable file
  • Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible
  • Live memory (RAM) capture
  • Images of infected systems
  • Malware samples
  • Log files
  • E-mail addresses of the attackers
  • A copy of the ransom note
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Names of any other malware identified on your system
  • Copies of any communications with attackers”

The FBI also encourages all organizations that get hit with the ransomware to contact their local FBI field office to report the attack. Moreover, the FBI stresses that ransom demands should not be paid and that third-party tools claiming to decrypt Ryuk-encrypted files are not genuine. There is currently a Ryuk Ransomware Decryptor available, which LIFARS has obtained. This decryptor can be used when organizations get hit with Ryuk Ransomware.

If your organization has been hit with Ryuk Ransomware, contact LIFARS immediately.