Ryuk ransomware now purposely avoids encrypting Linux folders

Security researchers have come across a new variant of the Ryuk ransomware that is designed to avoid encrypting folders commonly found on *NIX operating systems. This variant was used in the recent ransomware attack against the City of New Orleans, which crippled the city's networks. The attack forced the shutdown of servers and computers, including systems at the New Orleans Police Department, although emergency services were not affected; the city website also went offline. It was later confirmed that the malware used in the attack was Ryuk.

During analysis of the infected systems, researchers found an executable named v2.exe that exhibited unusual behaviour. According to malware researcher Vitali Kremez, who dissected the new sample, the ransomware does not encrypt folders associated with *NIX operating systems, namely bin, boot, Boot, dev, etc, lib, initrd, sbin, sys, vmlinuz, run, and var.

The researchers noted that it seems bizarre for Windows malware to blacklist *NIX folders when encrypting files. Kremez told BleepingComputer that, while there is currently no Linux/Unix variant of Ryuk, Windows 10 includes the Windows Subsystem for Linux (WSL), which allows various Linux distributions to be installed directly under Windows. Those installations store their root filesystem in folders with exactly the blacklisted names listed above.

The likely explanation is that the attackers avoid encrypting the *NIX system folders used by WSL so as not to break the WSL installations. This is consistent with the main goal of most ransomware: encrypt the victim's data without rendering the underlying operating system unusable, since the victim still needs a working machine to read the ransom note and pay.
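As an added illustration for triage (this is not code from the article, from Kremez's analysis, or from the malware itself), the following Python sketch applies the reported folder blacklist to a constructed Windows file listing to show which paths such a variant would leave alone. The matching semantics are assumptions: the list contains both boot and Boot, which suggests a case-sensitive comparison, and the check is applied here to every directory component of a path rather than only to top-level folders. The WSL package directory name and all file paths are constructed examples.

```python
from pathlib import PureWindowsPath

# Directory names the v2.exe Ryuk variant reportedly leaves alone, as listed in the
# article. Both "boot" and "Boot" appear, which suggests a case-sensitive comparison;
# that, and the per-component matching below, are assumptions, not details from the
# report. (vmlinuz is normally a file on Linux, but is included as reported.)
RYUK_SKIPPED_DIRS = frozenset({
    "bin", "boot", "Boot", "dev", "etc", "lib", "initrd",
    "sbin", "sys", "vmlinuz", "run", "var",
})


def is_skipped_by_ryuk(path: str) -> bool:
    """Return True if any directory component of a Windows path is on the blacklist.

    Assumption: the malware compares each directory name in the path,
    case-sensitively, rather than only the top-level directory of the drive.
    """
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts   # drop the drive letter / UNC anchor
    directories = parts[:-1]                        # the final component is the file name
    return any(name in RYUK_SKIPPED_DIRS for name in directories)


def partition_listing(paths):
    """Split a file listing into (would be encrypted, would be skipped)."""
    encrypted = [p for p in paths if not is_skipped_by_ryuk(p)]
    skipped = [p for p in paths if is_skipped_by_ryuk(p)]
    return encrypted, skipped


# Constructed sample listing: user documents, a Windows system file that happens to
# live under a folder named "etc", the Windows boot folder, and a WSL distribution's
# rootfs. The package directory name illustrates where WSL 1 keeps a distro's files
# and is an assumption, not a path taken from a real host.
WSL_ROOTFS = (r"C:\Users\alice\AppData\Local\Packages"
              r"\CanonicalGroupLimited.Ubuntu18.04onWindows_79rhkp1fndgsc\LocalState\rootfs")

SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Windows\System32\drivers\etc\hosts",
    WSL_ROOTFS + r"\etc\passwd",
    WSL_ROOTFS + r"\home\alice\notes.txt",
    r"C:\Boot\BCD",
    r"D:\shares\finance\Q4.docx",
]

if __name__ == "__main__":
    encrypted, skipped = partition_listing(SAMPLE_LISTING)
    print("would be encrypted:")
    for p in encrypted:
        print("  ", p)
    print("would be skipped:")
    for p in skipped:
        print("  ", p)
```

Two points fall out of running this that the folder list alone does not make obvious. First, only the WSL system directories are spared: a user's files under the distro's home directory contain none of the blacklisted names and would still be encrypted, so WSL user data is not safe. Second, under the per-component assumption the blacklist also catches Windows' own folders that happen to share a name, such as System32\drivers\etc, so an intact hosts file on a victim host is not on its own evidence that a share or drive was never touched.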
