{
	"id": "fcf0bfaf-7da6-4d75-8438-9e3ea58c2731",
	"created_at": "2026-04-06T01:29:48.469201Z",
	"updated_at": "2026-04-10T13:12:15.485471Z",
	"deleted_at": null,
	"sha1_hash": "0b059b4d2b05f0bd93592e6cd546c7e77968a495",
	"title": "Ryuk Related Malware Steals Confidential Military, Financial Files",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2492744,
	"plain_text": "Ryuk Related Malware Steals Confidential Military, Financial Files\r\nBy Lawrence Abrams\r\nPublished: 2019-09-11 · Archived: 2026-04-06 00:16:54 UTC\r\nA new malware with strange associations to the Ryuk Ransomware has been discovered to look for and steal confidential financial, military, and law enforcement files.\r\nWhile Ryuk Ransomware encrypts a victim's files and then demands a ransom, it is not known for actually stealing files from an infected computer. A new infection discovered today by MalwareHunterTeam does exactly that by searching for sensitive files and uploading them to an FTP site under the attacker's control.\r\nTo make this sample even more interesting, this data exfiltrating malware also contains some strange references to Ryuk within the code.\r\nhttps://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/\r\nPage 1 of 10\r\nSearching for confidential files\r\nIn conversations with reverse engineer and security researcher Vitali Kremez, we get an idea of how the file stealer works.\r\nWhen executed, the stealer will perform a recursive scan of all the files on a computer and look for Word .docx and Excel .xlsx files to steal.\r\nWhen looking for files, if it encounters any folders or files that match certain strings, it will stop checking the file and move to the next one, similar to how ransomware would operate.\r\nA full list of the blacklisted files and folders is at the end of this article, including your standard ones such as \"Windows\", \"Intel\", \"Mozilla\", \"Public\", etc.\r\nIn addition, it also skips over any files that are associated with Ryuk such as \"RyukReadMe.txt\" and files with the \".RYK\" extension.\r\nBlacklisted Strings\r\nIf the file passes the blacklist, the stealer will then check if it is a .docx or .xlsx file as shown below.\r\nSearching for .docx and .xlsx files\r\nWhen a .docx or .xlsx file is located, the stealer will use libzip and the zip_open and zip_trace functions to verify if the file is a valid Word or Excel document. It does this by checking and validating the presence of the word/document.xml (Word) or xl/worksheets/sheet (Excel) files in the Office document.\r\nVerifying Word Document\r\nIf it is a valid file, it will then compare the file's name against a list of 77 strings. All of the strings are listed at the end of the document and include entries like \"marketwired\", \"10-Q\", \"fraud\", \"hack\", \"tank\", \"defence\", \"military\", \"checking\", \"classified\", \"secret\", \"clandestine\", \"undercover\", \"federal\", etc.\r\nWord of interest\r\nAs you can see, the actor is looking for confidential military secrets, banking information, fraud, criminal investigation documents, and other sensitive information.\r\nStrangely, it also looks for files that contain the first names \"Emma\", \"Liam\", \"Olivia\", \"Noah\", \"William\", \"Isabella\", \"James\", \"Sophia\", and \"Logan\". It is suspected that these names come from the top baby names of 2018 as listed by the U.S. Social Security department.\r\nAny files that match a string are then uploaded via FTP to the 66.42.76.46/files_server/a8-5 server as seen in the code below.\r\nStealing files by uploading to FTP Server\r\nAfter scanning the local machine, the malware will then get a list of IP addresses from the computer's ARP table. It then proceeds to search for files on any available shares.\r\nGetting ARP Table\r\nIt is not known how this malware is being installed, but it was theorized by BleepingComputer, Kremez, and MalwareHunterTeam that this infection could be run prior to infecting a machine to harvest interesting files before they are encrypted.\r\nStrange ties to Ryuk Ransomware\r\nAs we already discussed, this stealer purposely skips files associated with the Ryuk Ransomware such as RyukReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE, and any files that have the .RYK extension.\r\nIn addition, there are code similarities that the stealer and Ryuk Ransomware share. For example, the stealer contains a function that creates a new file and appends the .RYK extension as if it was encrypting the file. This function is not utilized by the stealer.\r\nStealer contains Ryuk's create file method\r\nThe stealer also checks for the presence of a file named Ahnlab as shown below.\r\nStealer searching for Ahnlab\r\nKremez told BleepingComputer that Ryuk Ransomware also checks for the presence of this file as shown below.\r\nRyuk Ransomware searching for Ahnlab\r\nWhile there are definite ties between this stealer and Ryuk, it is not known if they are actually from the same group or if someone gained access to the code and utilized it in their own program.\r\n\"It might indicate someone with source access to Ryuk ransomware simply copy/pasted and modified code to make it a stealer or look like it,\" Kremez told BleepingComputer in a conversation about this malware.\r\nFurthermore, Ryuk ran without any dependencies when tested by BleepingComputer in the past, while this stealer appears to be a MinGW executable that requires numerous DLLs to be present in order to properly execute.\r\nThis could indicate that the stealer is being installed manually or dropped as a package with all of the necessary components. As more samples become available, we will hopefully see its install process in the future.\r\nUpdate 9/11/19: Added info about the names in the match list.\r\nIOCs\r\nHashes:\r\nc64269a64b64b20108df89c4f1a415936c9d9923f8761d0667aa8492aa057acb\r\ne6762cb7d09cd90d5469e3c3bfc3b47979cd67aa06c06e893015a87b0348c32c\r\nNetwork communication:\r\nFTP: 66.42.76.46/files_server/a8-5\r\nBlacklisted files and folders:\r\nSample\r\nlog\r\n.dll\r\nSample\r\n$Recycle.Bin\r\nTor\r\nPackage\r\nRyukReadMe.txt\r\nmicrosoft\r\nUNIQUE_ID_DO_NOT_REMOVE\r\nPUBLIC\r\nWindows\r\nIntel\r\nPerfLogs\r\nwindows\r\nFirefox\r\nMozilla\r\nMicrosoft\r\n$WINDOWS\r\nProgram\r\n\\\\Users\\\\Public\\\\Pictures\r\nMySQL\r\nTargeted file name strings:\r\nSECURITYN-CSR10-SBEDGAR\r\nmarketwired10-Q10Q8KfraudhackNSAFBI\r\nCSI\r\nsecret\r\nprivate\r\nconfident\r\nimportant\r\npass\r\nhidden\r\nundercover\r\nclandestine\r\ninvestigation\r\nfederal\r\nbureau\r\ngovernment\r\nsecurity\r\nunclassified\r\nconcealed\r\nnewswire\r\nmarketwired\r\npersonal\r\nsecurityN-CSR10-SBEDGAR spy radaragentnewswire\r\nmarketwired\r\n10-Q\r\nfraud\r\nhack\r\ndefence\r\nattack\r\nmilitary\r\ntank\r\nsecret\r\nbalance\r\nstatement\r\nchecking\r\nsaving\r\nrouting\r\nfinance\r\nagreement\r\nSWIFT\r\nIBAN\r\nlicense\r\nCompilation\r\nreport\r\nsecret\r\nconfident\r\nhidden\r\nclandestine\r\nillegal\r\ncompromate\r\nprivacy\r\nprivate\r\ncontract\r\nconcealed\r\nbackdoorundercover\r\nclandestine\r\ninvestigation\r\nfederal\r\nbureau\r\ngovernment\r\nsecurity\r\nunclassified\r\nseed\r\npersonal\r\nconfident\r\nmail\r\nletter\r\npassport\r\nscans\r\nEmma\r\nLiam\r\nOlivia\r\nNoah\r\nWilliam\r\nIsabella\r\nJames\r\nSophia\r\nLogan\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/"
	],
	"report_names": [
		"ryuk-related-malware-steals-confidential-military-financial-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775438988,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b059b4d2b05f0bd93592e6cd546c7e77968a495.pdf",
		"text": "https://archive.orkl.eu/0b059b4d2b05f0bd93592e6cd546c7e77968a495.txt",
		"img": "https://archive.orkl.eu/0b059b4d2b05f0bd93592e6cd546c7e77968a495.jpg"
	}
}