Cyble-Wiper-Malware-RURansomware-Russia-Ukraine-Conflict

New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware 

During our regular OSINT research, Cyble Research Labs came across a twitter post by the MalwareHunter team, highlighting a ransomware named RURansom which was found attacking Russia. This malware is called RURansom as the file’s Program Database (PDB) contains a sub string “RURansom”, as shown below: 

C:\Users\Admin1\source\repos\RURansom\RURansom\obj\Debug\RURansom.pdb 

The ongoing cyber warfare between Russia and Ukraine has witnessed a series of different Wiper Malware attacks including WhisperGate, HermeticWiper, and IsaacWiper malware. Adding to this existing list of destructive malware, researchers have now found the RURansom wiper malware.   

The RURansom malware operates by wiping the files present in the victim’s computer and spreads like a worm within the network or through connected USB devices. Finally, the malware drops ransom notes in the Victim’s machine as shown in Figure 1. 

Figure 1 Ransom Note written in Russian 

Technical Analysis 

In this blog, we will conduct a deep-dive technical analysis of the RURansom Malware used in the attack. We have analysed the sample SHA256-107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8, which is a 32-bit PE file written in the .NET programming language. 

Figure 2: File Info of RURansom Malware 

Geolocation Identification 

The RURansom malware traces the IP location of the victim machine and is executed only if it detects an IP belonging to Russia. For IP identification, the malware uses two APIs named https://api.ipify.org and https://ip-api.com that are hardcoded within its code.  

Figure 3: IP Geo Location Identification 

Privilege Escalation 

After identifying the geolocation of the machine, the malware further checks for the Administrator rights in the infected machine, as shown in Figure 4 and 5. 

Figure 4: Administrator Check Used in the Malware 
Figure 5: IsElevated Function 

If the malware does not get Admin privileges, it tries to execute itself in the elevated mode using the following PowerShell command. 

  • cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location  -veRB rUnAS 
Figure 6: Code to get Elevated Privilege 

Discovery of connected Drives 

The RURansom wiper malware proceeds to scan the drives in the victim’s system, including the removable and network drives connected to the victim’s machine. 

Figure 7: Searching for Drives 

Encryption and Deletion 

After scanning the drives, the malware encrypts all the files from the identified directories and sub-directories in the victim’s machine. To prevent the recovery of the encrypted data from the backup files, the malware also deletes the .bak files from the infected machines. 

Figure 8: File Encryption & Deletion 

Encryption Algorithm 

Our research indicated that the malware uses the AES-CBC encryption algorithm to encrypt files in the victim’s machine. 

Figure 9: AES Encryption 

Ransom Note 

Finally, the RURansom malware drops a ransom note file named Полномасштабное_кибервторжение.txt (Full-blown_cyber-invasion.txt). The note is written in Russian and dropped in all the directories where the files are encrypted. The ransom note and file name are shown in the figure below. 

Figure 10: Ransom Note in Russian 

The image below showcases the English translation of the ransom note dropped by RURansom malware.

Figure 11: Ransom Note Translation in English 

Encryption Key 

As per our research, we have observed that the files are encrypted using a randomly generated AES key. The key is calculated using the hard-coded strings such as FullScaleCyberInvasion, RU_Ransom, and 2022 along with Victim’s Machine Name and UserName. Figure 12 shows the code that generates random AES key. 

Figure 12: AES Key Generation 

Spreading Mechanism 

The malware renames itself as Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe) and spreads to all connected systems. 

Figure 13: Code for Spreading 
Figure 14: Ransom Note and the Copy of Malware used for Spreading 

Similarities with dnWiper 

After a deep-dive analysis of the Tactics, techniques and procedures (TTPs) identified in the RURansom wiper malware, we have observed that it has several similarities with dnWiper. Researchers at TrendMicro also believe that the same Threat Actors are behind the two wiper malware, as stated in their report

The major difference between the RURansom & dnWiper malware is that the latter targets only specific extensions such as .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, etc., while RuRansom encrypts all file extensions. 

Figure 15: dnWiper Sample Code 

Conclusion   

The files encrypted by the RURansom wiper malware are irreversible. Based on the ransom note and the technical specifications of the malware, we suspect that it has been devised to target Russia, but the identity of the Threat Actors behind this malware is still unknown. 

Given the continued conflict and geopolitical tensions between Russia and Ukraine, we expect an increase in cyber warfare with both nations targeting each other. 

Our Recommendations  

​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:  

  • ​Don’t keep important files at common locations such as the Desktop, My Documents, etc. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • ​Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.   
  • ​Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.      
  • ​Refrain from opening untrusted links and email attachments without verifying their authenticity.  
  • ​Conduct regular backup practices and keep those backups offline or in a separate network.  

MITRE ATT&CK® Techniques  

Tactic Technique ID
Execution T1204  User Execution 
Discovery T1518  Security Software Discovery 
T1087 Account Discovery 
T1083 File and Directory Discovery 
Impact T1485 Data Destruction 
T1486 Data Encrypted for Impact 
T1565 Data Manipulation 

Indicators Of Compromise (IoCs) 

​Indicators ​Indicator type ​Description 
6cb4e946c2271d28a4dee167f274bb80 MD5 RURansom.exe 
0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b SHA1 
979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9 SHA256 
fe43de9ab92ac5f6f7016ba105c1cb4e MD5 RURansom.exe 
27a16e1367fd3e943a56d564add967ad4da879d8 SHA1 
8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae SHA256 
9c3316a9ff084ed4d0d072df5935f52d MD5 RURansom.exe 
c6ef59aa3f0cd1bb727e2464bb728ab79342ad32 SHA1 
696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473 SHA256 
191e51cd0ca14edb8f06c32dcba242f0 MD5 dnWIPE.exe 
fbeb9eb14a68943551b0bf95f20de207d2c761f6 SHA1 
610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008 SHA256 
01ae141dd0fb97e69e6ea7d6bf22ab32 MD5  RURansom.exe 
c35ab665f631c483e6ec315fda0c01ba4558c8f2 SHA1 
1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0 SHA256 
8fe6f25fc7e8c0caab2fdca8b9a3be89 MD5 RURansom.exe 
a30bf5d046b6255fa2c4b029abbcf734824a7f15 SHA1 
107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f SHA256 
Scroll to Top