A new variant of the Ryuk ransomware now blacklists Linux folders used on Windows 10, so as to avoid encrypting them.
The change avoids affecting the folders for the Windows Subsystem for Linux (WSL), which allows Linux to be installed as a virtual machine on Windows 10.
However, the change isn't about trying to show kindness to Linux installs, but instead is a purely practical measure - if the ransomware encrypts WSL folders it effectively destroys the Linux virtual machine, meaning there's no point in paying the attacker for decryption.
- Ransomware remains a huge threat to business
- Best free anti-ransomware tools
- Ransomware tests local governments
Decrypting WSL
There is currently no known variant of Ryuk that specifically targets Linux computers, instead being focused on Windows machines. However, Windows 10 does allow Linux to be directly installed as a virtual machine using the WSL feature.
The feature was introduced by Microsoft in 2016 in order to improve compatibility between Windows and Linux machines. WSL was released in May 2019 and uses a number of Hyper-V features.
One benefit to Microsoft in adding WSL would be to help Windows users who also need a Linux environment to use features in their Azure cloud computing service.
However, when folders powering WSL are encrypted by ransomware the Linux install is effectively destroyed along with its data. This works against the ransomware attacker's interests, as even with payment for decryption will not recover the data.
Specific folders now blacklisted against encryption by the Ryuk ransomware include:
binbootBootdevetclibinitrdsbinsysvmlinuzrunvar
The move shows the degree of sophistication and fine-tuning for ransomware, helping to make it a more effective and lucrative business model.
Individuals and businesses are reminded that the best antivirus often comes with ransomware protection.
- Best Linux distros of 2020: for beginners and advanced users
Via BleepingComputer.
