# New Ryuk Info Stealer Targets Government and Military Secrets

**[bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/](https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/)**

By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/), January 24, 2020 02:12 PM

A new version of the Ryuk Stealer malware has been enhanced to allow it to steal a greater amount of confidential files related to the military, government, financial statements, banking, and other sensitive data.

[In September 2019, we reported on a new malware](https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/) that included references to the Ryuk Ransomware and was used to steal files if the file's name matched certain keywords.

It is not known if this tool is created by the Ryuk Ransomware actors to be used for data exfiltration before encrypting a victim's computer or if another actor simply borrowed from the ransomware's code.

"It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this stealer," Head of SentinelLabs [Vitali Kremez](https://twitter.com/VK_Intel) told BleepingComputer.

What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military operations, and law enforcement cases if the stolen files are exposed.

## New features added to the Ryuk Stealer

[A new variant of the Ryuk Stealer malware was discovered today by MalwareHunterTeam](https://twitter.com/malwrhunterteam/status/1220700744984211458?s=20) that adds a new file content scanning feature and additional keywords that it targets for theft.

In the previous version, the Ryuk Stealer would scan a computer's files for Word (docx) and Excel (xlsx) documents.
According to Kremez, this new version of the stealer will look for an additional seven file types related to C++ source code, further Word and Excel document types, PDFs, JPG image files, and cryptocurrency wallets.

**Targeted Extensions**

The full list of targeted extensions is:

```
.cpp .h .xls .xlsx .doc .docx .pdf wallet.dat .jpg
```

If a file matches one of the above extensions, the stealer will check the contents of the file to see whether they contain one of the 85 keywords listed below.

```
'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired',
'10-Q', 'fraud', 'hack', 'defence', 'treason', 'censored', 'bribery', 'contraband', 'operation',
'attack', 'military', 'tank', 'convict', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug',
'traitor', 'suspect', 'cyber', 'document', 'embeddedspy', 'radio', 'submarine', 'restricted',
'secret', 'balance', 'statement', 'checking', 'saving', 'routing', 'finance', 'agreement', 'SWIFT',
'IBAN', 'license', 'Compilation', 'report', 'secret', 'confident', 'hidden', 'clandestine',
'illegal', 'compromate', 'privacy', 'private', 'contract', 'concealed', 'backdoorundercover',
'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified',
'seed', 'personal', 'confident', 'mail', 'letter', 'passport', 'victim', 'court', 'NATO', 'Nato',
'scans', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan',
'Clearance'
```

In addition, the stealer will check whether the filename contains any of the following 55 keywords:

```
'SECURITY', 'N-CSR', '10-SB', 'EDGAR', ' spy ', 'radar', 'censored', 'agent', 'newswire',
'marketwired', '10-Q', 'fraud', 'hack', 'NATO', 'Nato', 'convictMilitary', 'military', 'submarine',
'Submarinesecret', 'Secret', 'scheme', 'tactical', 'Engeneering', 'explosive', 'drug', 'traitor',
'embeddedspy', 'radio', 'suspect', 'cyber', 'document', 'treasonrestricted', 'private', 'confident',
'important', 'pass', 'victim', 'court', 'hidden', 'bribery', 'contraband', 'operation', 'undercover',
'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'unclassified',
'concealed', 'newswire', 'marketwired', 'Clearance'
```

When a matching document is found, the malware will upload it to an FTP site that is under the attacker's control. The two embedded FTP sites currently being used by the malware are down.

## Targeting highly sensitive documents

As you can see, the targeted keywords relate to sensitive subjects across several data categories, such as:

- **Banking:** 'SWIFT', 'IBAN', 'balance', 'statement', 'checking', 'saving', 'routing'
- **Finance:** 'N-CSR', '10-SB', 'EDGAR', 'newswire', 'marketwired', '10-Q'
- **Law Enforcement:** 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'victim', 'court'
- **Military:** 'NATO', 'operation', 'attack', 'spy', 'radar', 'tactical', 'tank', 'submarine'
- **Personal:** 'personal', 'passport', 'Emma', 'Liam', 'Olivia', 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan'

The names in the Personal category are taken from the [United States Social Security Department's list of top baby names](https://www.ssa.gov/oact/babynames/top5names.html).

Some of the new search words that were added since the latest version include 'treason', 'NATO', 'convict', 'traitor', 'embeddedspy', 'cyber', 'submarine', 'Submarinesecret', 'contraband', 'radio', 'suspect', 'operation', and 'bribery'.

Based on the targeted keywords in this malware, it looks like the attackers are looking for confidential information to sell to foreign adversaries or corporations, or to be used as blackmail.

At this time, we do not know how this malware is being distributed and whether it's bundled with ransomware attacks or used independently.
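The selection logic the article describes (extension gate, then filename and content keyword match) is simple enough that a defender can run it over their own file shares to see which documents this stealer would pick up. The script below is an added illustration, not code from the article or from the malware; `is_candidate`, `matched_categories`, `exposure_report` and `SAMPLE_FILES` are this example's own names, the keyword groups are the article's category lists rather than the full 85/55 lists, the sample corpus is constructed, and plain case-sensitive substring matching is an assumption (the article lists 'NATO' and 'Nato' separately, which hints at it, but does not say).

```python
from pathlib import Path

# Extensions the article lists as the gate for the content scan; wallet.dat is a filename, not an extension.
TARGET_EXTENSIONS = {".cpp", ".h", ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg"}
TARGET_FILENAMES = {"wallet.dat"}

# Keyword groups as the article categorises them (a subset of the full 85-word and 55-word lists).
CATEGORIES = {
    "Banking": ["SWIFT", "IBAN", "balance", "statement", "checking", "saving", "routing"],
    "Finance": ["N-CSR", "10-SB", "EDGAR", "newswire", "marketwired", "10-Q"],
    "Law Enforcement": ["clandestine", "investigation", "federal", "bureau",
                        "government", "security", "victim", "court"],
    "Military": ["NATO", "operation", "attack", "spy", "radar", "tactical", "tank", "submarine"],
    "Personal": ["personal", "passport", "Emma", "Liam", "Olivia", "Noah", "William",
                 "Isabella", "James", "Sophia", "Logan"],
}

def is_candidate(path: str) -> bool:
    """Extension gate: only these file types are opened and scanned at all."""
    name = Path(path).name
    return name.lower() in TARGET_FILENAMES or Path(name).suffix.lower() in TARGET_EXTENSIONS

def matched_categories(path: str, content: str) -> dict:
    """Return {category: [keywords]} hit in the filename or content of a candidate file.
    Assumption: case-sensitive substring matching, which the article does not state."""
    if not is_candidate(path):
        return {}
    haystack = Path(path).name + "\n" + content
    hits = {}
    for category, words in CATEGORIES.items():
        found = [w for w in words if w in haystack]
        if found:
            hits[category] = found
    return hits

def exposure_report(files: dict) -> dict:
    """files maps path -> text content; returns only the files the stealer's rules would select."""
    return {p: h for p, c in files.items() if (h := matched_categories(p, c))}

# Constructed sample corpus (not real documents) standing in for a walk of a file share.
SAMPLE_FILES = {
    "reports/Q3_bank_statement.docx": "Account balance and routing number for IBAN DE00 ...",
    "ops/exercise_plan.pdf": "NATO tactical exercise, radar coverage notes",
    "notes/todo.txt": "passport renewal, court date",   # keywords present, but .txt is never scanned
    "src/main.cpp": "int main() { return 0; }",         # scanned extension, no keywords
}

if __name__ == "__main__":
    for path, hits in exposure_report(SAMPLE_FILES).items():
        print(path, "->", hits)
```

Run against a real share, replace `SAMPLE_FILES` with a directory walk that reads each candidate file's text; the two files the sample flags are the ones a defender would want to move, encrypt at rest, or restrict.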
[With data exfiltration becoming more common and increasingly being used by ransomware,](https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/) it is important to make sure you have good security measures in place to protect your network from compromise.

This includes being careful of phishing emails with malicious attachments, not making Remote Desktop Services publicly accessible, keeping all software and operating systems updated, and using security software and good password policies.