This article was originally published by 8btc and written by Vincent He.
A ransomware virus named Ryuk has spread to China, asking the users of infected devices for a hefty bitcoin ransom.
Tencent Security reported on July 17, 2019, that it has monitored Ryuk and found that it encrypts data on an infected device and demands a ransom in bitcoin. The ransom is generally very high and has recently reached 11 BTC.
The virus disables victims’ systems with sophisticated ransomware, mainly through botnets. First found in North America, it uses RSA and AES encryption algorithms to encrypt victims’ files. The campaign appears highly targeted, with government and enterprise institutions as preferred victims.
Ryuk originated in the Hermes date code family, and the earliest signs of its activity can be traced back to August 2018. It makes use of most of the Hermes code, has the same white list filtering mechanism as a Hermes virus and it also uses Hermes strings, even for the unique infection marker of files.
The sample found in China releases and runs different blackmail modules, which will help the virus implement subsequent injection and further improve the efficiency of its operation. As part of the most recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks if it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.
Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after a recent victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.
The ransomware also remains on the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk to prevent users from recovering files.Earlier this month, Tencent Security reported another Trojan virus called Burimi that has hacked over 33 million email accounts demanding a bitcoin ransom.