silversurfer

A new malware with strange associations with the Ryuk Ransomware has been discovered to look for and steal confidential financial, military, and law enforcement files.
While Ryuk Ransomware encrypts a victim's files and then demands a ransom, it is not known for actually stealing files from an infected computer. A new infection discovered today by MalwareHunterTeam does exactly that by searching for sensitive files and uploading them to an FTP site under the attacker's control.
To make this sample even more interesting, this data exfiltrating malware also contains some strange references to Ryuk within the code.

Searching for confidential files
In conversations with reverse engineer and security researcher Vitali Kremez, we get an idea of how the file stealer works. When executed, the stealer will perform a recursive scan of all the files on a computer and look for Word .docx and Excel .xlsx files to steal.
When looking for files, if it encounters any folders or files that match certain strings, it will stop checking the file and move to the next one, similar to how ransomware would operate.
Read more below:
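The recursive scan described in the post, as an added example that is not part of the original post and not the stealer's own code: a Python enumerator that walks a directory tree, keeps only Word .docx and Excel .xlsx files, and prunes any directory or file whose path contains one of a skip list, so excluded folders are never descended into. The post only says the malware skips "certain strings" without naming them, so SKIP_SUBSTRINGS below are hypothetical placeholders; case-insensitive extension matching is also an assumption. The sample directory tree is constructed in a temp directory for the demo.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical skip list: the post says the stealer skips paths matching
# "certain strings" but does not list them, so these are placeholders only.
SKIP_SUBSTRINGS = ("Windows", "Program Files", "AppData")
# File classes the post says the stealer targets.
TARGET_EXTENSIONS = (".docx", ".xlsx")


def find_targets(root, extensions=TARGET_EXTENSIONS, skip_substrings=SKIP_SUBSTRINGS):
    """Recursively collect files under `root` whose extension is in `extensions`,
    skipping any directory or file whose path (relative to root) contains one of
    `skip_substrings`. Returns a sorted list of relative POSIX-style paths."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk never descends into
        # them: the "stop checking and move to the next one" behaviour.
        dirnames[:] = [
            d for d in dirnames
            if not any(s in os.path.relpath(os.path.join(dirpath, d), root)
                       for s in skip_substrings)
        ]
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if any(s in rel for s in skip_substrings):
                continue
            # Assumption: extensions compared case-insensitively (NTFS-style).
            if name.lower().endswith(extensions):
                hits.append(Path(rel).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree for the demo (not real victim data).
    Returns the temp root; caller is responsible for removing it."""
    root = tempfile.mkdtemp(prefix="stealer_demo_")
    layout = [
        "Users/alice/Documents/budget.xlsx",
        "Users/alice/Documents/memo.docx",
        "Users/alice/Documents/notes.txt",          # wrong extension
        "Users/alice/AppData/Local/cache.docx",     # under a skipped folder
        "Program Files/App/readme.docx",            # under a skipped folder
        "Windows/System32/drivers.xlsx",            # under a skipped folder
        "Users/bob/Desktop/report.DOCX",            # upper-case extension
    ]
    for rel in layout:
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for hit in find_targets(demo_root):
            print(hit)
    finally:
        shutil.rmtree(demo_root)
```

Passing an empty skip list shows the difference the pruning makes: without it, the files under AppData, Program Files and Windows are collected too.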