Friday, 27 December 2019

Ryuk Ransomware spares Windows Linux installs

A new variant of the Ryuk ransomware now blacklists Linux folders used on Windows 10, so as to avoid encrypting them.

The change avoids affecting the folders for the Windows Subsystem for Linux (WSL), which allows Linux to be installed as a virtual machine on Windows 10.

However, the change isn't about trying to show kindness to Linux installs, but instead is a purely practical measure - if the ransomware encrypts WSL folders it effectively destroys the Linux virtual machine, meaning there's no point in paying the attacker for decryption.

Decrypting WSL

There is currently no known variant of Ryuk that specifically targets Linux computers, instead being focused on Windows machines. However, Windows 10 does allow Linux to be directly installed as a virtual machine using the WSL feature.

The feature was introduced by Microsoft in 2016 in order to improve compatibility between Windows and Linux machines. WSL was released in May 2019 and uses a number of Hyper-V features.

One benefit to Microsoft in adding WSL would be to help Windows users who also need a Linux environment to use features in their Azure cloud computing service

However, when folders powering WSL are encrypted by ransomware the Linux install is effectively destroyed along with its data. This works against the ransomware attacker's interests, as even with payment for decryption will not recover the data.

Specific folders now blacklisted against encryption by the Ryuk ransomware include:

  • bin
  • boot
  • Boot
  • dev
  • etc
  • lib
  • initrd
  • sbin
  • sys
  • vmlinuz
  • run
  • var

The move shows the degree of sophistication and fine-tuning for ransomware, helping to make it a more effective and lucrative business model.

Individuals and businesses are reminded that the best antivirus often comes with ransomware protection.

Via BleepingComputer.

https://ift.tt/39j5iPW

No comments:

Post a Comment