A ransomware strain named Ryuk has spread to China, demanding ransom in bitcoin. Tencent Security reported on July 17 that it had detected Ryuk, which encrypts data on an infected device and demands a ransom in bitcoin. The ransom is generally very high (a recent demand reached 11 bitcoins, worth about 750,000 yuan).

The ransomware disables victims’ computer systems and spreads mainly through botnets and spam. First found in North America, it uses RSA + AES to encrypt victims’ files. The campaign appears highly targeted: it prefers government and enterprise institutions with high-value data.

Ryuk originated in the Hermes family, and the earliest signs of its activity can be traced back to August 2018. It reuses most of the Hermes code, has the same whitelist filtering mechanism as Hermes, and even uses Hermes strings for the unique infection marker of files.

The sample found in China first determines whether the current system is x86 or x64, then releases and runs a different blackmail module for each, which helps the virus carry out subsequent injection and further improves the efficiency of its operation. The virus’s dropper decrypts the blackmail module with the hard-coded string “4EQjBtPji”. As part of the recent attacks, a dropper containing both the 32-bit and 64-bit modules of the ransomware was used. When run, Ryuk checks whether it was executed with a specific argument and then kills more than 40 processes and over 180 services belonging to antivirus, database, backup and document editing software.

The ransom note left by Ryuk is very simple, containing only two contact email addresses and the name of the ransomware. The attacker replied not long after being contacted and asked for 11 bitcoins.

Almost all of the observed Ryuk ransomware samples, the security researchers say, were provided with a unique wallet. Shortly after the victim paid the ransom, the attackers divided the funds and transmitted them through multiple accounts.

The ransomware also achieves persistence on the infected machines and attempts to encrypt network resources in addition to local drives. It also destroys its encryption key and deletes shadow copies and various backup files from the disk, to prevent users from recovering files.
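
For defenders, the behaviour described above (a burst of service and process terminations followed by shadow-copy deletion) can be hunted for in process-creation logs. The following is an added example, not code from Tencent Security or from the original article; the log line format, host and service names, thresholds and the command patterns (net stop, sc stop, taskkill, vssadmin, wmic) are assumptions, since the article does not say which commands Ryuk uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed command-line patterns; the article does not name the commands involved.
STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b|\btaskkill(?:\.exe)?\b", re.I)
SHADOW_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    re.I,
)

def parse(line):
    """Split a constructed log line: '<ISO timestamp> <host> <command line>'."""
    ts, host, cmd = line.split(None, 2)
    return datetime.fromisoformat(ts), host, cmd

def find_suspect_hosts(lines, window=timedelta(minutes=5), min_stops=10):
    """Return {host: stop_count} for hosts where a shadow-copy deletion falls
    within `window` of at least `min_stops` service-stop or process-kill commands."""
    stops, deletions = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, host, cmd = parse(line)
        if SHADOW_RE.search(cmd):
            deletions[host].append(ts)
        elif STOP_RE.search(cmd):
            stops[host].append(ts)
    hits = {}
    for host, dels in deletions.items():
        for d in dels:
            n = sum(1 for s in stops[host] if abs(s - d) <= window)
            if n >= min_stops:
                hits[host] = max(hits.get(host, 0), n)
    return hits

def build_sample():
    """Constructed sample events: HOST-A shows the pattern, HOST-B and HOST-C do not."""
    base = datetime(2019, 7, 17, 10, 0, 0)
    at = lambda s: (base + timedelta(seconds=s)).isoformat()
    lines = [f"{at(i)} HOST-A net stop svc{i} /y" for i in range(12)]
    lines.append(f"{at(20)} HOST-A vssadmin delete shadows /all /quiet")
    lines.append(f"{at(0)} HOST-B sc stop Spooler")                    # lone admin action
    lines.append(f"{at(0)} HOST-C vssadmin.exe Delete Shadows /for=C:")  # deletion, no burst
    return lines

if __name__ == "__main__":
    print(find_suspect_hosts(build_sample()))
```

Requiring both signals together keeps a single administrative service stop or a routine shadow-copy cleanup from raising an alert on its own.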

Earlier this month, Tencent Security reported that another Trojan, called Burimi, had hacked over 33 million email accounts, demanding bitcoin ransom.