{
	"id": "5587c919-8b22-4a0a-8b6a-d2adcdb213f4",
	"created_at": "2026-04-06T00:20:07.791697Z",
	"updated_at": "2026-04-10T13:13:10.419988Z",
	"deleted_at": null,
	"sha1_hash": "bf5a919cb89548ae349ee3db8644e3c36b3a74de",
	"title": "Ryuk Ransomware Stops Encrypting Linux Folders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 946905,
	"plain_text": "Ryuk Ransomware Stops Encrypting Linux Folders\r\nBy Lawrence Abrams\r\nPublished: 2019-12-26 · Archived: 2026-04-05 12:52:00 UTC\r\nA new version of the Ryuk Ransomware was released that will purposely avoid encrypting folders commonly seen in *NIX\r\noperating systems.\r\nAfter the City of New Orleans was infected by ransomware, BleepingComputer confirmed that the city was infected by the\r\nRyuk Ransomware using an executable named v2.exe.\r\nAfter analyzing the v2.exe sample, security researcher Vitali Kremez shared with BleepingComputer an interesting change\r\nin the ransomware; it would no longer encrypt folders that are associated with *NIX operating systems.\r\nBlacklist *NIX Folders\r\nThe list of Ryuk blacklisted *NIX folders is:\r\nbin\r\nboot\r\nBoot\r\ndev\r\netc\r\nlib\r\ninitrd\r\nsbin\r\nsys\r\nvmlinuz\r\nrun\r\nvar\r\nAt first glance, it seems strange that a Windows malware would blacklist *NIX folders when encrypting files.\r\nEven stranger, Kremez told us that he has been asked numerous times whether there was a Unix variant of Ryuk as data\r\nstored in these operating systems has been encrypted in Ryuk attacks.\r\nA Linux/Unix variant of Ryuk does not exist, but Windows 10 does contain a feature called the Windows Subsystem for\r\nLinux (WSL) that allows you to install various Linux distributions directly in Windows. These installations utilize folders\r\nwith the same blacklisted names as listed above.\r\nWith the rising popularity of WSL, the Ryuk actors likely encrypted a Windows machine at some point that also affected the\r\n*NIX system folders used by WSL. This would have caused these WSL installations to no longer work.\r\n\"They definitely have cases affecting WSL environments, which likely led them to blacklist NIX folders as they similarly do\r\nwith the Windows ones. It is new to me and might explain why Ryuk and how Ryuk affects NIX machines via WSL,\"\r\nKremez told BleepingComputer.\r\nAs the goal of most successful ransomware is to encrypt a victim's data, but not affect the functionality of the operating\r\nsystem, this change makes sense.\r\nWith these folders being blacklisted, Ryuk eliminates an additional headache that they would need to deal with for a paying\r\ncustomer whose WSL installations are ruined.\r\nSource: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/"
	],
	"report_names": [
		"ryuk-ransomware-stops-encrypting-linux-folders"
	],
	"threat_actors": [],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775826790,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf5a919cb89548ae349ee3db8644e3c36b3a74de.pdf",
		"text": "https://archive.orkl.eu/bf5a919cb89548ae349ee3db8644e3c36b3a74de.txt",
		"img": "https://archive.orkl.eu/bf5a919cb89548ae349ee3db8644e3c36b3a74de.jpg"
	}
}