# Ryuk Ransomware Stops Encrypting Linux Folders

**[bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/](https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/)

December 26, 2019 12:15 PM

A new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX operating systems.

After the City of New Orleans was infected by ransomware, BleepingComputer confirmed that the city was infected by the Ryuk Ransomware using an executable named v2.exe.

After analyzing the [v2.exe sample](https://www.virustotal.com/gui/file/1b424c3edf0b2e241050345432731cd804b1e273fc3c470d660c66393891cccc/detection), security researcher Vitali Kremez [shared with BleepingComputer](https://twitter.com/VK_Intel/status/1208577165652049920?s=20) an interesting change in the ransomware; it would no longer encrypt folders that are associated with *NIX operating systems.

**Blacklist *NIX Folders**

The list of Ryuk blacklisted *NIX folders is:

```
bin
boot
Boot
dev
etc
lib
initrd
sbin
sys
vmlinuz
run
var
```

At first glance, it seems strange that a Windows malware would blacklist *NIX folders when encrypting files.

Even stranger, Kremez told us that he has been asked numerous times whether there was a Unix variant of Ryuk, as data stored in these operating systems has been encrypted in Ryuk attacks.

A Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for Linux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders with the same blacklisted names as listed above.

With the rising popularity of WSL, the Ryuk actors likely encrypted a Windows machine at some point that also affected the *NIX system folders used by WSL.
This would have caused these WSL installations to no longer work.

"They definitely have cases affecting WSL environments, which likely led them to blacklist NIX folders as they similarly do with the Windows ones. It is new to me and might explain why Ryuk and how Ryuk affects NIX machines via WSL," Kremez told BleepingComputer.

As the goal of most successful ransomware is to encrypt a victim's data, but not affect the functionality of the operating system, this change makes sense.

With these folders being blacklisted, Ryuk eliminates an additional headache that they would need to deal with for a paying customer whose WSL installations are ruined.
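As an added illustration (not code from the article or from Kremez's analysis), the following Python script takes the root folder of a Linux installation and reports which top-level entries fall outside the list above, since anything not named there, such as `home`, gets no exemption and belongs first in a backup plan. It assumes exact, case-sensitive name matching, which the article does not describe, and runs against a constructed sample tree with hypothetical paths and sizes.

```python
import os
import tempfile
from pathlib import Path

# Folder names exactly as listed in the article.
RYUK_SKIPPED = {"bin", "boot", "Boot", "dev", "etc", "lib", "initrd",
                "sbin", "sys", "vmlinuz", "run", "var"}

def triage_rootfs(rootfs):
    """Map each top-level entry to (status, file_count, total_bytes).

    ASSUMPTION: an entry counts as skipped only when its name equals a
    listed name, case-sensitively; the article does not describe the match.
    """
    report = {}
    for entry in sorted(Path(rootfs).iterdir()):
        if entry.is_dir() and not entry.is_symlink():
            files = [Path(d) / f for d, _, names in os.walk(entry) for f in names]
        else:
            files = [entry]  # top-level file or symlink, e.g. vmlinuz
        status = "skipped" if entry.name in RYUK_SKIPPED else "exposed"
        report[entry.name] = (status, len(files),
                              sum(p.lstat().st_size for p in files))
    return report

def backup_priority(report):
    """Names outside the list, largest first."""
    exposed = [n for n, (status, _, _) in report.items() if status == "exposed"]
    return sorted(exposed, key=lambda n: report[n][2], reverse=True)

def build_sample_rootfs(base):
    """Constructed sample tree (hypothetical paths and sizes)."""
    layout = {"etc/passwd": 40, "var/log/syslog": 300, "bin/sh": 100,
              "home/alice/thesis.tex": 5000, "root/notes.txt": 400,
              "opt/app/data.db": 2000}
    for rel, size in layout.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"\0" * size)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        report = triage_rootfs(tmp)
    return report, backup_priority(report)

if __name__ == "__main__":
    report, priority = demo()
    for name, (status, count, size) in report.items():
        print(f"{name:6} {status:8} files={count} bytes={size}")
    print("back up first:", priority)
```
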