# Ryuk Related Malware Steals Confidential Military, Financial Files **[bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/](https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/)** Lawrence Abrams By [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) September 11, 2019 03:44 PM 1 A new malware with strange associations to the Ryuk Ransomware has been discovered to look for and steal confidential financial, military, and law enforcement files. While Ryuk Ransomware encrypts a victim's files and then demands a ransom, it is not known for actually stealing files from an infected computer. A new infection discovered today by [MalwareHunterTeam, does exactly that by searching for sensitive files and](https://twitter.com/malwrhunterteam) uploading them to a FTP site under the attacker's control. To make this sample even more interesting, this data exfiltrating malware also contains some strange references to Ryuk within the code. ## Searching for confidential files [In conversations with reverse engineer and security researcher Vitali Kremez, we get an](https://twitter.com/VK_Intel/status/1171782155581689858) idea of how the file stealer works. When executed, the stealer will perform a recursive scan of all the files on a computer and look for Word .docx and Excel .xlsx files to steal. When looking for files, if it encounters any folders or files that match certain strings, it will stop checking the file and move to the next one, similar to how ransomware would operate. ----- A full list of the blacklisted files and folders are at the end of this article, including your standard ones such as "Windows", "Intel", "Mozilla", "Public", etc. In addition, it also skips over any files that are associated with Ryuk such as "RyukReadMe.txt" and files with the ".RYK" extension. **Blacklisted Strings** If the file passes the blacklist, the stealer will then check if it is a .docx or .xlsx file as shown below. ----- **Searching for .docx and .xlsx files** When a .docx or .xlsx file is located, the stealer will use libzip and the zip_open and zip_trace functions to verify if the file is a valid Word or Excel document. It does this by checking and validating the presence of the word/document.xml (word) or xl/worksheets/sheet (excel) files in the Office document. ----- **Verifying Word** **Document** If it is a valid file, it will then compare the file's name against a list of 77 strings. All of the strings are listed at the end of the document and include entries like "marketwired", "10-Q", "fraud", "hack", "tank", "defence", "military", "checking", "classified", "secret", "clandestine", undercover", "federal", etc. ----- **Word of** **interest** As you can see the actor is looking for confidential military secrets, banking information, fraud, criminal investigation documents, and other sensitive information. Strangely, it also looks for files that contain the first names "Emma", "Liam", "Olivia","Noah", ["William", "Isabella", "James", "Sophia", and "Logan". It is suspected that these names](https://twitter.com/OLRowley/status/1171812072319062016) comes from the [top baby names of 2018 as listed by the U.S. Social Security department.](https://www.ssa.gov/oact/babynames/) Any files that match a string are then uploaded via FTP to the 66.42.76.46/files_server/a8_5 server as seen in the code below._ ----- **Stealing files by uploading to FTP Server** After scanning the local machine, the malware will then get a list of IP addresses from the computer's ARP table. It then proceeds to search for files on any available shares. **Getting ARP Table** It is not known how this malware is being installed, but it was theorized by BleepingComputer, Kremez, and MalwareHunterTeam, that this infection could be run prior to infecting a machine to harvest interesting files before they are encrypted. ## Strange ties to Ryuk Ransomware ----- As we already discussed, this stealer purposely skips files associated with the Ryuk Ransomware such as RyukReadMe.txt, UNIQUE_ID_DO_NOT_REMOVE, and any files that have the .RYK extension. In addition, there are code similarities that the stealer and Ryuk Ransomware share in common. For example, the stealer contains a function that creates a new file and appends the .RYK extension as if it was encrypting the file. This function is not utilized by the stealer. **Stealer contains Ryuk's create file method** The stealer also checks for the presence of a file named Ahnlab as shown below. ----- **Stealer searching for Ahnlab** Kremez told BleepingComputer that Ryuk Ransomware also checks for the presence of this file as shown below. **Ryuk Ransomware searching for Ahnlab** While there are definite ties between this stealer and Ryuk, it is not known if the actually from the same group or someone gained access to the code and utilized it in their own program. ----- It might indicate someone with source access to Ryuk ransomware simply copy/pasted and modified code to make it a stealer or look like it," Kremez told BleepingComputer in a conversation about this malware. Furthermore, Ryuk runs without any dependencies when tested by BleepingComputer in the past, while this stealer appears to be a MingW executable that requires numerous DLLs to be present in order to properly execute. This could indicate that the stealer is being installed manually or dropped as a package with all of the necessary components. As more samples become available, we will hopefully see its install process in the future. **Update 9/11/19: Added info about the names in the match list.** ### Related Articles: [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [Quantum ransomware seen deployed in rapid network attacks](https://www.bleepingcomputer.com/news/security/quantum-ransomware-seen-deployed-in-rapid-network-attacks/) [New Industrial Spy stolen data market promoted through cracks, adware](https://www.bleepingcomputer.com/news/security/new-industrial-spy-stolen-data-market-promoted-through-cracks-adware/) [Snap-on discloses data breach claimed by Conti ransomware gang](https://www.bleepingcomputer.com/news/security/snap-on-discloses-data-breach-claimed-by-conti-ransomware-gang/) [Shutterfly discloses data breach after Conti ransomware attack](https://www.bleepingcomputer.com/news/security/shutterfly-discloses-data-breach-after-conti-ransomware-attack/) ## IOCs ### Hashes: ``` c64269a64b64b20108df89c4f1a415936c9d9923f8761d0667aa8492aa057acb e6762cb7d09cd90d5469e3c3bfc3b47979cd67aa06c06e893015a87b0348c32c Network communication: FTP: 66.42.76.46/files_server/a8-5 Blacklisted files and folders: ``` ----- ``` Sample log .dll Sample $Recycle.Bin Tor Package RyukReadMe.txt microsoft UNIQUE_ID_DO_NOT_REMOVE PUBLIC Windows Intel PerfLogs windows Firefox Mozilla Microsoft $WINDOWS Program \\Users\\Public\\Pictures MySQL ### Targeted file name strings: ``` ----- ``` SECURITYN CSR10 SBEDGAR marketwired10-Q10Q8KfraudhackNSAFBI CSI secret private confident important pass hidden undercover clandestine investigation federal bureau government security unclassified concealed newswire marketwired personal securityN-CSR10-SBEDGAR spy radaragentnewswire marketwired 10-Q fraud hack defence attack military tank secret balance statement checking saving routing finance agreement SWIFT IBAN license Compilation report secret confident hidden clandestine illegal compromate privacy private contract concealed backdoorundercover clandestine ``` ----- ``` investigation federal bureau government security unclassified seed personal confident mail letter passport scans Emma Liam Olivia Noah William Isabella James Sophia Logan ``` [Data Exfiltration](https://www.bleepingcomputer.com/tag/data-exfiltration/) [Ryuk](https://www.bleepingcomputer.com/tag/ryuk/) [Ryuk Stealer](https://www.bleepingcomputer.com/tag/ryuk-stealer/) [Steal](https://www.bleepingcomputer.com/tag/steal/) [Lawrence Abrams](https://www.bleepingcomputer.com/author/lawrence-abrams/) Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies. [Previous Article](https://www.bleepingcomputer.com/news/technology/google-chrome-may-let-sites-block-your-screen-from-powering-down/) [Next Article](https://www.bleepingcomputer.com/news/microsoft/windows-10-build-18980-released-for-all-insiders-with-new-cortana-app/) ### Comments ----- [tko - 2 years ago](https://www.bleepingcomputer.com/forums/u/1153137/tko/) Thanks for sharing these details and screenshots. Curious to know, how do you set up a safe lab that you can use to test malware? Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----