Bitcoin-Seeking Ransomware Ryuk Virus Found and Studied in China

Tencent Yujian Threat Intelligence Center says that a Ryuk ransomware virus has been spotted in China.

The intelligence center released information on the outbreak in a report on July 16.

According to the report, Ryuk viruses are a family of malware aimed at infecting government and enterprise machines holding valuable data. According to the report, a Ryuk virus derives from the Hermes virus, with code that is directly modified off of the latter.

As noted in the report, Ryuk is the name of a death spirit in the popular manga Death Note. As per its title, Ryuk possesses a notebook that can be used to kill a person by writing their name on one of its pages.

Researchers at the intelligence center were reportedly able to capture and study the virus in action. According to the report, this virus came attached with a ReadMe note containing two email addresses. Upon replying to the first email address, the researchers received instructions and a ransom demand set at 11 Bitcoin.

The intelligence center advised personal users to run Tencent PC Manager and enable file backups, turn off Office macros, and to stay away from unfamiliar emails.

The report also referenced a number of Ryuk ransom cases. In the United States, for instance, the public administration of La Porte County, Indiana paid a $130,000 ransom to get rid of the virus. In Lake City, Florida, the local government paid a $460,000 ransom after Ryuk infected the city’s computer systems. 

As previously reported by Cointelegraph, research in January suggested that Ryuk originated in Russia. The virus was originally thought to have come out of North Korea, but McAfee Labs and Crowdstrike have suggested that Russia is the more likely source. According to these cybersecurity companies, Ryuk may in fact have come from the Russia-based group GRIM SPIDER.