New variant of Ryuk ransomware blacklists the IP addresses and computers to simplify its infection process

• The new Ryuk variant also compares the computer name to the strings ‘SPB’, ‘spb’, ‘MSK’, ‘Msk’ and ‘msk’ to simplify its infection process.
• Once the computer passes the checks, then the ransomware variant will encrypt the computer as usual and append the .RYK extension to encrypted files.

A new variant of Ryuk ransomware has been found blacklisting IP addresses to avoid encrypting the already affected computers.

What’s the matter?

The new sample of Ryuk ransomware was identified by MalwareHunterTeam, who informed Bleeping Computer that it comes signed with a digital certificate. Later this sample was examined by security researchers Vitali Kremez and it was discovered that there were some few modifications in the latest variant of Ryuk ransomware.

During the investigation, Kremez found that this new variant will check the output of ‘arp -a’ for particular IP address strings. If the IP address matches with the existing one, then the ransomware will not encrypt the computer.

The partial IP address strings that are searched by the ransomware are 10.30.4, 10.30.5, 10.30.6, and 10.31.32.

Blacklisting computers

Apart from IP address blacklisting, this new Ryuk variant also compares the computer name to the strings ‘SPB’, ‘spb’, ‘MSK’, ‘Msk’ and ‘msk’ to simplify its infection process. If the computer name contains any of these strings, then the variant will not encrypt the computer. It is believed that the ransomware variant is doing such checks in order to avoid encrypting computers in Russia.

‘MSK’ may stand for Moscow, ‘SPB’ could be St. Petersburg. The names have been identified to avoid infecting computers in these areas, Bleeping Computer reported.

How does the encryption process work?

Once the computer passes the checks, then the ransomware variant will encrypt the computer as usual and append the .RYK extension to encrypted files. After this, it drops a ransom note named ‘RyukReadMe.html’ that informs the victims about the payment process. The victims are asked to contact the attackers on sorcinacin@protonmail[.]com and neyhyretim@protonmail[.]com.