A new variant of the Ryuk Ransomware was discovered yesterday by MalwareHunterTeam, who saw that it was signed by a digital certificate. After this sample was examined by security researcher Vitali Kremez, it was discovered that a few changes were made to this variant that were not seen in previous samples.
Kremez found that with this new variant, the ransomware will check the output of arp -a for particular IP address strings, and if they are found, will not encrypt the computer.
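Because the sample runs arp -a before deciding whether to encrypt, that invocation is a hunt point for defenders. The following is an added example, not code from the article or the researchers: it scores arp.exe table dumps from process-creation telemetry, with constructed Sysmon-style events, an assumed allowlist of parents and assumed user-writable path hints.

```python
import ntpath

# Constructed Sysmon-style process-creation events; not real telemetry from the sample.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\ARP.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "arp -a"},
    {"host": "ws02", "image": r"C:\Windows\System32\ARP.EXE",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe", "command_line": "arp.exe -a"},
    {"host": "ws03", "image": r"C:\Windows\System32\ARP.EXE",
     "parent_image": r"C:\Program Files\Inventory\agent.exe", "command_line": "ARP -g"},
    {"host": "ws04", "image": r"C:\Windows\System32\ARP.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "arp -d 10.0.0.1"},
]

# Assumed allowlist: parents from which interactive or scripted arp use is expected noise.
TRUSTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# Assumed hints for user-writable locations where a freshly delivered payload tends to run.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


def _basename(path):
    return ntpath.basename(path).lower()


def is_arp_table_dump(event):
    """True when arp.exe is invoked to list the table (-a, or its Windows synonym -g)."""
    if _basename(event["image"]) != "arp.exe":
        return False
    args = event["command_line"].lower().split()[1:]
    return any(a in ("-a", "-g") for a in args)


def score_arp_dump(event):
    """Return (severity, reason) for an ARP table dump, or None when the event is not one."""
    if not is_arp_table_dump(event):
        return None
    parent = event["parent_image"].lower()
    if _basename(parent) in TRUSTED_PARENTS:
        return ("low", "ARP table listed from an interactive/scripting parent")
    if any(hint in parent for hint in USER_WRITABLE_HINTS):
        return ("high", "ARP table listed by a binary running from a user-writable path")
    return ("medium", "ARP table listed by an unexpected parent process")


def flag_arp_enumeration(events):
    """Return one alert per ARP table dump, tagged with the severity from score_arp_dump."""
    alerts = []
    for ev in events:
        verdict = score_arp_dump(ev)
        if verdict:
            alerts.append({"host": ev["host"], "parent": ev["parent_image"],
                           "severity": verdict[0], "reason": verdict[1]})
    return alerts
```

A payload that launches the check via cmd /c shows cmd.exe as the direct parent, so where your telemetry carries the grandparent process, apply the same path test to it as well.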
Roy Rashti, Cybersecurity Expert at BitDam:
“This new variant allows the attacker to remove computers from their target bank. This means that they can selectively avoid those computers they don’t want to infect.
Certain hackers will strongly identify themselves with a particular group, whom they might not want to infect for ideological reasons. It’s also possible that hackers are afraid of being pursued or arrested by certain governments and want to avoid antagonising them or alerting them to their activities. In these circumstances, this new variant can be a very useful tool.
Organisations need to take several necessary precautions to defend against this iteration. Firstly, they need to deploy an effective solution that prevents the transmission of malicious attachments to user inboxes; the path most travelled by attackers attempting to deliver malware. Next, they must apply the necessary firewall settings to endpoints to prevent them from being infected via one of the recent RDPs or old SMB exploits. Finally, organisations need to keep all security patches updated.”