During our regular OSINT research, Cyble Research Labs came across a twitter post by the MalwareHunter team, highlighting a ransomware named RURansom which was found attacking Russia. This malware is called RURansom as the file’s Program Database (PDB) contains a sub string “RURansom”, as shown below:
C:\Users\Admin1\source\repos\RURansom\RURansom\obj\Debug\RURansom.pdb
The ongoing cyber warfare between Russia and Ukraine has witnessed a series of different Wiper Malware attacks including WhisperGate, HermeticWiper, and IsaacWiper malware. Adding to this existing list of destructive malware, researchers have now found the RURansom wiper malware.
The RURansom malware operates by wiping the files present in the victim’s computer and spreads like a worm within the network or through connected USB devices. Finally, the malware drops ransom notes in the Victim’s machine as shown in Figure 1.
Technical Analysis
In this blog, we will conduct a deep-dive technical analysis of the RURansom Malware used in the attack. We have analysed the sample SHA256-107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8, which is a 32-bit PE file written in the .NET programming language.
Geolocation Identification
The RURansom malware traces the IP location of the victim machine and is executed only if it detects an IP belonging to Russia. For IP identification, the malware uses two APIs named https://api.ipify.org that are hardcoded within its code.
Privilege Escalation
After identifying the geolocation of the machine, the malware further checks for the Administrator rights in the infected machine, as shown in Figure 4 and 5.
If the malware does not get Admin privileges, it tries to execute itself in the elevated mode using the following PowerShell command.
- cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location -veRB rUnAS
Discovery of connected Drives
The RURansom wiper malware proceeds to scan the drives in the victim’s system, including the removable and network drives connected to the victim’s machine.
Encryption and Deletion
After scanning the drives, the malware encrypts all the files from the identified directories and sub-directories in the victim’s machine. To prevent the recovery of the encrypted data from the backup files, the malware also deletes the .bak files from the infected machines.
Encryption Algorithm
Our research indicated that the malware uses the AES-CBC encryption algorithm to encrypt files in the victim’s machine.
Ransom Note
Finally, the RURansom malware drops a ransom note file named Полномасштабное_кибервторжение.txt (Full-blown_cyber-invasion.txt). The note is written in Russian and dropped in all the directories where the files are encrypted. The ransom note and file name are shown in the figure below.
The image below showcases the English translation of the ransom note dropped by RURansom malware.
Encryption Key
As per our research, we have observed that the files are encrypted using a randomly generated AES key. The key is calculated using the hard-coded strings such as FullScaleCyberInvasion, RU_Ransom, and 2022 along with Victim’s Machine Name and UserName. Figure 12 shows the code that generates random AES key.
Spreading Mechanism
The malware renames itself as Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe) and spreads to all connected systems.
Similarities with dnWiper
After a deep-dive analysis of the Tactics, techniques and procedures (TTPs) identified in the RURansom wiper malware, we have observed that it has several similarities with dnWiper. Researchers at TrendMicro also believe that the same Threat Actors are behind the two wiper malware, as stated in their report.
The major difference between the RURansom & dnWiper malware is that the latter targets only specific extensions such as .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, etc., while RuRansom encrypts all file extensions.
Conclusion
The files encrypted by the RURansom wiper malware are irreversible. Based on the ransom note and the technical specifications of the malware, we suspect that it has been devised to target Russia, but the identity of the Threat Actors behind this malware is still unknown.
Given the continued conflict and geopolitical tensions between Russia and Ukraine, we expect an increase in cyber warfare with both nations targeting each other.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Don’t keep important files at common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | |
| Execution | T1204 | User Execution |
| Discovery | T1518 | Security Software Discovery |
| T1087 | Account Discovery | |
| T1083 | File and Directory Discovery | |
| Impact | T1485 | Data Destruction |
| T1486 | Data Encrypted for Impact | |
| T1565 | Data Manipulation |
Indicators Of Compromise (IoCs)
| Indicators | Indicator type | Description |
| 6cb4e946c2271d28a4dee167f274bb80 | MD5 | RURansom.exe |
| 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b | SHA1 | |
| 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9 | SHA256 | |
| fe43de9ab92ac5f6f7016ba105c1cb4e | MD5 | RURansom.exe |
| 27a16e1367fd3e943a56d564add967ad4da879d8 | SHA1 | |
| 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae | SHA256 | |
| 9c3316a9ff084ed4d0d072df5935f52d | MD5 | RURansom.exe |
| c6ef59aa3f0cd1bb727e2464bb728ab79342ad32 | SHA1 | |
| 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473 | SHA256 | |
| 191e51cd0ca14edb8f06c32dcba242f0 | MD5 | dnWIPE.exe |
| fbeb9eb14a68943551b0bf95f20de207d2c761f6 | SHA1 | |
| 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008 | SHA256 | |
| 01ae141dd0fb97e69e6ea7d6bf22ab32 | MD5 | RURansom.exe |
| c35ab665f631c483e6ec315fda0c01ba4558c8f2 | SHA1 | |
| 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0 | SHA256 | |
| 8fe6f25fc7e8c0caab2fdca8b9a3be89 | MD5 | RURansom.exe |
| a30bf5d046b6255fa2c4b029abbcf734824a7f15 | SHA1 | |
| 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f | SHA256 |
