A new malware containing some similarities to Ryuk ransomware, but which acts as an information stealer targeting military, law and financial institutions has been uncovered by MalwareHunterTeam.
Once onboard a device the as-yet-unnamed malware begins its attack begins searching for .docx and .xlsx files, according to Bleeping Computer. In a fashion similar to how ransomware operates, this malware has a blacklist of terms that it checks against and if any are contained in file it is skipped, including some associated with Ryuk, such as RyukReadMe.txt or anything with a .ryk extension. There are also some shared code similarities.
The malware also checks against a list of 77 strings containing words primarily associated with its three targets. MalwareHunterTeam also found the malware searching for popular children’s names, but it is not known why this is done.
Any matching documents are uploade to the malware command and control server and then a quick search is done for IP addresses that could lead to shared devices that can also be attacked, Bleeping Computer wrote.
MalwareHunterTeam told Bleeping Computer it is not sure how this malware is injected into a computer, but a theory was proposed that these are a precursor to an actual ransomware attack when the malicious actors want to remove data before encrypting files.