Cyble-Anti-War-Ransomware

Dissecting the Ransomless AntiWar Malware: Zero Demand for Ransom

The geopolitical crisis between Russia and Ukraine has fueled multiple cyberattacks across the world. While monitoring for the latest cyber incidents that are part of the ongoing cyber warfare, the Cyble Research Labs recently came across a ransomware sample allegedly targeting Russia. What’s interesting is that instead of demanding ransom, this ransomware sends out a message to stop the war.

Upon execution, the ransomware renames encrypted files with the “.putinwillburnunhell” extension. While typically ransomware drops a .txt file as a ransom note, in this case, we saw a .html file named “RUSSKIJ VOENNIJ KORABL IDI NAHUJ”, which when translated in English means “RUSSIAN WARSHIP GO F**K”.

Our Open Source Intelligence (OSINT) analysis shows that Poland is the source of the sample. The message in the HTML file indicates that the ransomware may be targeting Russia, as shown in Figure 1.  

Figure 1 – Message in a Dropped file (Translated from Russian) 

​Technical Analysis 

Cyble Research Labs performed an analysis of the sample with the hash value: 9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37. Our research indicated that the malware is an x64 architecture Windows binary written in C/C++ and compiled on 2022-03-04 at 15:17:53.​

Figure 2 – File Information

​We observed that the malware first changes the priority of the process to zero by calling the SetProcessShutdownParameters() API so that the malware’s activities can be terminated only before the system shutdown. This is a way to increase the amount of time the malware gets to execute in the compromised machine.

Figure 3 – Malware Changes the Priority of the Process

The ransomware enumerates services in the compromised system and terminates those services that are actively running in the victim’s machine. Some of these services include VSS, SQL, Memtas, mepocs, etc.

To identify the services in the victim’s machine, it calls the OpenSCManagerA() API, which establishes a connection to the service control manager and gives the malware access to the service control manager database, as shown in Figure 4.

Figure 4 – Establishes a Connection to the Service Control Manager

The ransomware also enumerates the running processes and terminates processes that are actively running in the victim’s machine. The process names checked by the ransomware include oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, etc.

Figure 5 – Terminates Active Processes

The malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin as a step to ensure that deleted files cannot be restored after encryption.

Our research indicated that the ransomware tries to open a mutex named “Microsoft Corporation” in an infected machine. If the mutex name is not present, the malware creates the same mutex name and continues with its infection process.

Figure 6 – Checks and Creates Mutex if not Present

After creating the mutex, the malware then begins the encryption process by identifying the volumes in an infected machine.

Figure 7 – Starts Encryption

It also identifies the mounted local drives by enumerating them from A to Z, as shown in Figure 8.

Figure 8 – Enumerates Local Drives

This is followed by the malware encrypting the files present in all of the identified drives with the exception of CD-ROM, as shown in Figure 9.

Figure 9 – Encrypts the Files present in all the Identified Drives Except CD-ROM

Before initiating encryption, the ransomware checks and excludes specific folders from encryption, such as AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86).

It also excludes certain files from encryption, such as autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat.

Additionally, specific extensions are also exempted from encryption, including .putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx.

After encrypting the files on the victim’s machine, the malware appends them with the extension “.putinwillburninhell” and drops an HTML file with the name “RUSSKIJ VOENNIJ KORABL IDI NAHUJ” as shown in Figure 10.

Figure 10 – Encrypted Files on the Victim’s Machine

​Conclusion  

​With the geopolitical crisis causing a surge in cyberattacks across the world, ransomware has emerged as a serious threat worldwide. As a result of the ongoing cyber warfare, we have witnessed an uptick in the use of ransomware and data wiper malware targeting both nations in conflict. Threat Actors are also devising attack techniques of increasing sophistication.

With cybercrime on the rise, it is imperative for organizations to strengthen their security posture. Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.

​Our Recommendations 

​We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety measures needed to prevent ransomware attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

Users should take the following steps after the ransomware attack

  • Detach infected devices on the same network.
  • Disconnect external storage devices if connected.
  • Inspect system logs for suspicious events.

Impacts and cruciality Of Ransomware

  • Loss of valuable data
  • Loss of reputation
  • Loss of critical businesses information
  • Disruption in an organization’s operation
  • Financial loss

​MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
ExecutionT1059Command and Scripting Interpreter
Privilege EscalationT1548
T1134
Abuse Elevation Control Mechanism
Access Token Manipulation
Defense EvasionT1112
T1027
T1562.001
Modify Registry
Obfuscated Files or Information
Impair Defenses: Disable or Modify Tools
DiscoveryT1082
T1083
System Information Discovery
File and Directory Discovery
ImpactT1490
T1489
T1486
Inhibit System Recovery 
Service Stop
Data Encrypted for Impact

Indicators of Compromise (IoCs):   

​Indicators ​Indicator type ​Description 
9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37​SHA-256 AntiWar Ransomware
7b74a50352bb16ba94201c8a9e35b3c1d8a9dc8cSHA-1AntiWar Ransomware
3b3a50b242841e1789a919b1291051f1MD5AntiWar Ransomware

 

​​ 

Scroll to Top