New Ryuk Info Stealer Targets Government and Military Secrets
By Lawrence Abrams
Published: 2020-01-24 · Archived: 2026-04-05 17:01:40 UTC
A new version of the Ryuk Stealer malware has been enhanced to allow it to steal a greater amount of confidential files
related to the military, government, financial statements, banking, and other sensitive data.
In September 2019, we reported on a new malware that included references to the Ryuk Ransomware and was used to steal
files if the file's name matched certain keywords.
It is not known if this tool is created by the Ryuk Ransomware actors to be used for data exfiltration before encrypting a
victim's computer or if another actor simply borrowed from the ransomware's code.
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
Page 1 of 5

0:00
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
Page 2 of 5

Visit Advertiser websiteGO TO PAGE
"It is likely the same actor with the access to the earlier Ryuk version who repurposed the code portion for this
stealer," Head of SentinelLabs Vitali Kremez told BleepingComputer.
What we do know is that the malware is targeting very specific keywords that could be disastrous for governments, military
operations, and law enforcement cases if the stolen files are exposed.
New features added to the Ryuk Stealer
A new variant of the Ryuk Stealer malware was discovered today by MalwareHunterTeam that adds a new file content
scanning feature and additional keywords that it targets for theft.
In the previous version, the Ryuk Stealer would scan a computer's files for Word (docx) and Excel (xlsx) documents.
According to Kremez, this new version of the stealer will look for an additional seven file types related to C++ source code,
further Word and Excel document types, PDFs, JPG image files, and cryptocurrency wallets.
Targeted Extension
The full list of targeted extensions are:
.cpp
.h
.xls
.xlsx
.doc
.docx
.pdf
wallet.dat
.jpg
If a file matches one of the above extensions, the stealer will check the contents of the file and see if they contain one of the
85 keywords listed below.
'personal', 'securityN-CSR10-SBEDGAR', 'spy', 'radar', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud', 'hack', 'defe
In addition, the stealer will check if the filename contains any of the following 55 keywords:
'SECURITY', 'N-CSR', '10-SB', 'EDGAR', ' spy ', 'radar', 'censored', 'agent', 'newswire', 'marketwired', '10-Q', 'fraud',
When a matching document is found, the malware will upload it to an FTP site that is under the attacker's control. The two
embedded FTP sites currently being used by the malware are down.
Targeting highly sensitive documents
As you can see, the targeted keywords are related to sensitive subjects for a variety of data categories such as:
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
Page 3 of 5

Banking: 'SWIFT', 'IBAN', 'balance', 'statement', 'checking', 'saving', 'routing'
Finance: 'N-CSR', '10-SB', 'EDGAR', 'newswire', 'marketwired', '10-Q'
Law Enforcement: 'clandestine', 'investigation', 'federal', 'bureau', 'government', 'security', 'victim', 'court'
Military: 'NATO', 'operation', 'attack', 'spy', 'radar', 'tactical', 'tank', 'submarine'
Personal: 'personal', 'passport', 'Emma', 'Liam, 'Olivia, 'Noah', 'William', 'Isabella', 'James', 'Sophia', 'Logan'
The names in the Personal category are taken from the United States Social Security Department's list of top baby names.
Some of the new search words that were added since the latest version include 'treason', 'NATO', 'convict',
'traitor', 'embeddedspy', 'cyber', 'submarine', 'Submarinesecret', 'contraband', 'radio', 'suspect', 'operation', and 'bribery.'
Based on the targeted keywords in this malware, it looks like the attackers are looking for confidential information to sell to
foreign adversaries, corporations, or to be used as blackmail.
At this time, we do not know how this malware is being distributed and if its bundled with ransomware attacks or used
independently.
With data exfiltration becoming more common and increasingly being used by ransomware, it is important to make sure you
have good security measures in place to protect your network from compromise.
This includes being careful of phishing emails with malicious attachments, do not make Remote Desktop Services publicly
accessible, make sure all software and operating systems are updated, and make sure to use security software and good
password policies.
Automated Pentesting Covers Only 1 of 6 Surfaces.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the
other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic
questions for any tool evaluation.
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
Page 4 of 5

Source: https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
Page 5 of 5