The geopolitical crisis between Russia and Ukraine has fueled multiple cyberattacks across the world. While monitoring for the latest cyber incidents that are part of the ongoing cyber warfare, the Cyble Research Labs recently came across a ransomware sample allegedly targeting Russia. What’s interesting is that instead of demanding ransom, this ransomware sends out a message to stop the war.
Upon execution, the ransomware renames encrypted files with the “.putinwillburnunhell” extension. While typically ransomware drops a .txt file as a ransom note, in this case, we saw a .html file named “RUSSKIJ VOENNIJ KORABL IDI NAHUJ”, which when translated in English means “RUSSIAN WARSHIP GO F**K”.
Our Open Source Intelligence (OSINT) analysis shows that Poland is the source of the sample. The message in the HTML file indicates that the ransomware may be targeting Russia, as shown in Figure 1.
Technical Analysis
Cyble Research Labs performed an analysis of the sample with the hash value: 9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37. Our research indicated that the malware is an x64 architecture Windows binary written in C/C++ and compiled on 2022-03-04 at 15:17:53.
We observed that the malware first changes the priority of the process to zero by calling the SetProcessShutdownParameters() API so that the malware’s activities can be terminated only before the system shutdown. This is a way to increase the amount of time the malware gets to execute in the compromised machine.
The ransomware enumerates services in the compromised system and terminates those services that are actively running in the victim’s machine. Some of these services include VSS, SQL, Memtas, mepocs, etc.
To identify the services in the victim’s machine, it calls the OpenSCManagerA() API, which establishes a connection to the service control manager and gives the malware access to the service control manager database, as shown in Figure 4.
The ransomware also enumerates the running processes and terminates processes that are actively running in the victim’s machine. The process names checked by the ransomware include oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, etc.
The malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin as a step to ensure that deleted files cannot be restored after encryption.
Our research indicated that the ransomware tries to open a mutex named “Microsoft Corporation” in an infected machine. If the mutex name is not present, the malware creates the same mutex name and continues with its infection process.
After creating the mutex, the malware then begins the encryption process by identifying the volumes in an infected machine.
It also identifies the mounted local drives by enumerating them from A to Z, as shown in Figure 8.
This is followed by the malware encrypting the files present in all of the identified drives with the exception of CD-ROM, as shown in Figure 9.
Before initiating encryption, the ransomware checks and excludes specific folders from encryption, such as AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86).
It also excludes certain files from encryption, such as autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat.
Additionally, specific extensions are also exempted from encryption, including .putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx.
After encrypting the files on the victim’s machine, the malware appends them with the extension “.putinwillburninhell” and drops an HTML file with the name “RUSSKIJ VOENNIJ KORABL IDI NAHUJ” as shown in Figure 10.
Conclusion
With the geopolitical crisis causing a surge in cyberattacks across the world, ransomware has emerged as a serious threat worldwide. As a result of the ongoing cyber warfare, we have witnessed an uptick in the use of ransomware and data wiper malware targeting both nations in conflict. Threat Actors are also devising attack techniques of increasing sophistication.
With cybercrime on the rise, it is imperative for organizations to strengthen their security posture. Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety measures needed to prevent ransomware attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users should take the following steps after the ransomware attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impacts and cruciality Of Ransomware
- Loss of valuable data
- Loss of reputation
- Loss of critical businesses information
- Disruption in an organization’s operation
- Financial loss
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Privilege Escalation | T1548 T1134 | Abuse Elevation Control Mechanism Access Token Manipulation |
| Defense Evasion | T1112 T1027 T1562.001 | Modify Registry Obfuscated Files or Information Impair Defenses: Disable or Modify Tools |
| Discovery | T1082 T1083 | System Information Discovery File and Directory Discovery |
| Impact | T1490 T1489 T1486 | Inhibit System Recovery Service Stop Data Encrypted for Impact |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37 | SHA-256 | AntiWar Ransomware |
| 7b74a50352bb16ba94201c8a9e35b3c1d8a9dc8c | SHA-1 | AntiWar Ransomware |
| 3b3a50b242841e1789a919b1291051f1 | MD5 | AntiWar Ransomware |
