{
	"id": "2d3ce288-24cb-4153-8e3d-48b52b7d8170",
	"created_at": "2026-04-06T00:14:55.743355Z",
	"updated_at": "2026-04-10T03:21:15.059868Z",
	"deleted_at": null,
	"sha1_hash": "05a9c13e20e79c38a3f181e3147d92d4cf5ce95a",
	"title": "RURansom Malware: New Wiper Attack On Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1363421,
	"plain_text": "RURansom Malware: New Wiper Attack On Russia\r\nPublished: 2022-03-11 · Archived: 2026-04-05 17:27:38 UTC\r\nDuring our regular OSINT research, Cyble Research Labs came across a twitter post by the MalwareHunter team,\r\nhighlighting a ransomware named RURansom which was found attacking Russia. This malware is called RURansom\r\nas the file’s Program Database (PDB) contains a sub string “RURansom”, as shown below:\r\nC:\\Users\\Admin1\\source\\repos\\RURansom\\RURansom\\obj\\Debug\\RURansom.pdb\r\nThe ongoing cyber warfare between Russia and Ukraine has witnessed a series of different Wiper Malware attacks\r\nincluding WhisperGate, HermeticWiper, and IsaacWiper malware. Adding to this existing list of destructive malware,\r\nresearchers have now found the RURansom wiper malware.\r\nWorld's Best AI-Native Threat Intelligence\r\nThe RURansom malware operates by wiping the files present in the victim’s computer and spreads like a worm within\r\nthe network or through connected USB devices. Finally, the malware drops ransom notes in the Victim’s machine as\r\nshown in Figure 1.\r\nFigure 1 Ransom Note written in Russian \r\nTechnical Analysis\r\nIn this blog, we will conduct a deep-dive technical analysis of the RURansom Malware used in the attack. We have\r\nanalysed the sample SHA256-107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8, which\r\nhttps://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/\r\nPage 1 of 8\n\nis a 32-bit PE file written in the .NET programming language.\r\nFigure 2: File Info of RURansom Malware \r\nGeolocation Identification\r\nThe RURansom malware traces the IP location of the victim machine and is executed only if it detects an IP\r\nbelonging to Russia. 
For IP identification, the malware calls hard-coded external IP-lookup APIs, among them https://api.ipify.org. Note that api.ipify.org returns only the caller’s public IP address, so the country decision depends on a further lookup against that address.\r\nFigure 3: IP Geo Location Identification\r\nPrivilege Escalation\r\nAfter identifying the geolocation of the machine, the malware checks whether it is running with Administrator rights, as shown in Figures 4 and 5.\r\nFigure 4: Administrator Check Used in the Malware\r\nFigure 5: IsElevated Function\r\nIf it is not already elevated, the malware relaunches itself with the following command. Start-Process with the RunAs verb triggers a UAC consent prompt; this is a request for elevation rather than an exploit, so elevation depends on the user accepting the prompt. The mixed-case spelling is reproduced as it appears in the sample.\r\ncmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location  -veRB rUnAS\r\nFigure 6: Code to get Elevated Privilege\r\nDiscovery of connected Drives\r\nThe RURansom wiper then enumerates the drives on the victim’s system, including removable and network drives.\r\nFigure 7: Searching for Drives\r\nEncryption and Deletion\r\nAfter scanning the drives, the malware encrypts every file in the identified directories and their sub-directories. To prevent recovery of the encrypted data from backup files, it also deletes .bak files from the infected machine.\r\nFigure 8: File Encryption \u0026 Deletion\r\nEncryption Algorithm\r\nOur research indicates that the malware uses AES in CBC mode to encrypt files on the victim’s machine.\r\nFigure 9: AES Encryption\r\nRansom Note\r\nFinally, RURansom drops a ransom note file named Полномасштабное_кибервторжение.txt (Full-blown_cyber-invasion.txt). 
The note is written in Russian and is dropped in every directory in which files were encrypted. The ransom note and its file name are shown in the figure below.\r\nFigure 10: Ransom Note in Russian\r\nThe image below shows the English translation of the ransom note dropped by RURansom.\r\nFigure 11: Ransom Note Translation in English\r\nEncryption Key\r\nThe files are encrypted with an AES key that is generated on the victim machine at run time. The key material is built from the hard-coded strings FullScaleCyberInvasion, RU_Ransom, and 2022 together with the victim’s machine name and user name. Figure 12 shows the key-generation code.\r\nFigure 12: AES Key Generation\r\nSpreading Mechanism\r\nThe malware copies itself under the name Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe), a .doc.exe double extension that makes the executable look like a Word document, and spreads the copy to all connected systems.\r\nFigure 13: Code for Spreading\r\nFigure 14: Ransom Note and the Copy of Malware used for Spreading\r\nSimilarities with dnWiper\r\nA deep-dive analysis of the tactics, techniques and procedures (TTPs) of the RURansom wiper shows several similarities with dnWiper. Researchers at Trend Micro also believe that the same threat actors are behind the two wipers, as stated in their report.\r\nThe major difference between RURansom \u0026 dnWiper is that the latter targets only specific extensions such as .doc, .docx, .png, .gif, .jpeg, .jpg and .mp4, while RURansom encrypts files of every extension.\r\nFigure 15: dnWiper Sample Code\r\nConclusion\r\nThe encryption RURansom applies is irreversible: the files it touches cannot be recovered. 
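Because recovery is not possible, what matters in practice is catching the wiper before its payload runs. The following Python is an added example, not Cyble tooling and not code from the RURansom sample: it turns the indicators described above (the RURansom.pdb substring of the PDB path, the FullScaleCyberInvasion / RU_Ransom / 2022 key strings, the api.ipify.org URL, the Start-Process RunAs elevation command, the ransom-note file name and the .doc.exe dropper name) into a host-side triage check over file contents and directory listings. The document and executable extension sets, the hit labels, the fake PE bytes and the drive listing are constructed for the example and are assumptions, not data from the report.

```python
import os

# Indicator values below are taken from the report; everything else in this
# block (extension sets, hit labels, sample data) is assumed for the example.
PDB_MARKER = b'RURansom.pdb'                                       # tail of the PDB path
KEY_STRINGS = (b'FullScaleCyberInvasion', b'RU_Ransom', b'2022')   # AES key inputs
IP_LOOKUP = b'api.ipify.org'                                       # hard-coded IP-lookup API
RANSOM_NOTE = 'Полномасштабное_кибервторжение.txt'
DROPPER_NAME = 'Россия-Украина_Война-Обновление.doc.exe'

# Assumed sets for the generic double-extension check (not from the report).
DOC_EXTS = {'.doc', '.docx', '.pdf', '.txt', '.xls', '.xlsx', '.jpg', '.png'}
EXEC_EXTS = {'.exe', '.scr', '.com', '.bat', '.ps1'}


def scan_binary(blob: bytes) -> list[str]:
    # Static string checks over file contents. The elevation command in the
    # sample uses randomised letter case, so compare against a lower-cased copy.
    hits = []
    if PDB_MARKER in blob:
        hits.append('pdb-path')
    if all(s in blob for s in KEY_STRINGS):
        hits.append('key-derivation-strings')
    if IP_LOOKUP in blob:
        hits.append('ip-lookup-url')
    low = blob.lower()
    if b'start-process' in low and b'-verb runas' in low:
        hits.append('uac-elevation-command')
    return hits


def is_double_extension(name: str) -> bool:
    # True for names like invoice.pdf.exe: an executable extension hiding
    # behind a document extension, the trick the .doc.exe dropper name uses.
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXTS:
        return False
    return os.path.splitext(root)[1].lower() in DOC_EXTS


def scan_listing(paths: list[str]) -> list[str]:
    # File-name checks over a directory listing, e.g. of a removable drive.
    hits = []
    for path in paths:
        base = os.path.basename(path)
        if base == RANSOM_NOTE:
            hits.append('ransom-note:' + path)
        elif base == DROPPER_NAME:
            hits.append('known-dropper:' + path)
        elif is_double_extension(base):
            hits.append('double-extension:' + path)
    return hits


# Constructed sample input (not a real binary): a fake PE header followed by
# the strings the report lists. The backslash for the PDB path is built with
# chr() so the path survives being embedded in this text.
BS = chr(92)
SAMPLE_PE = (
    b'MZ' + bytes(62)
    + BS.join(['C:', 'Users', 'Admin1', 'source', 'repos', 'RURansom',
               'RURansom', 'obj', 'Debug', 'RURansom.pdb']).encode()
    + b' FullScaleCyberInvasion RU_Ransom 2022 https://api.ipify.org '
    + b'cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location  -veRB rUnAS'
)
BENIGN_PE = b'MZ' + bytes(62) + b'Copyright 2022 Contoso Ltd'

# Constructed listing of a removable drive.
SAMPLE_LISTING = [
    'E:/Россия-Украина_Война-Обновление.doc.exe',
    'E:/Полномасштабное_кибервторжение.txt',
    'E:/invoice.pdf.exe',
    'E:/report.docx',
    'E:/backup.bak',
]

if __name__ == '__main__':
    print(scan_binary(SAMPLE_PE))       # all four string hits
    print(scan_binary(BENIGN_PE))       # []
    print(scan_listing(SAMPLE_LISTING))
```

The string checks are deliberately weak on their own (2022 appears in plenty of benign binaries, which is why all three key strings must be present), so treat a hit as a trigger for hash comparison against the IoC list and for sandboxing, not as a verdict.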
Based on the ransom note and the technical specifications of the malware, we suspect that it has been devised to target Russia, but the identity of the threat actors behind it is still unknown.\r\nGiven the continued conflict and geopolitical tensions between Russia and Ukraine, we expect an increase in cyber warfare, with both nations targeting each other.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nDon’t keep important files in common locations such as the Desktop, My Documents, etc.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on automatic software updates on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nBack up regularly and keep the backups offline or on a separate network; for this wiper in particular, note that .bak files left on the infected host are deleted.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic      Technique ID   Technique\r\nExecution   T1204          User Execution\r\nDiscovery   T1518          Security Software Discovery\r\n            T1087          Account Discovery\r\n            T1083          File and Directory Discovery\r\nImpact      T1485          Data Destruction\r\n            T1486          Data Encrypted for Impact\r\n            T1565          Data Manipulation\r\nIndicators Of Compromise (IoCs)\r\nIndicator type, indicator and description, grouped per sample:\r\nSample 1 (RURansom.exe)\r\n  MD5     6cb4e946c2271d28a4dee167f274bb80\r\n  SHA1    0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b\r\n  SHA256  979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9\r\nSample 2 (RURansom.exe)\r\n  MD5     fe43de9ab92ac5f6f7016ba105c1cb4e\r\n  SHA1    27a16e1367fd3e943a56d564add967ad4da879d8\r\n  SHA256  8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae\r\nSample 3 (RURansom.exe)\r\n  MD5     9c3316a9ff084ed4d0d072df5935f52d\r\n  SHA1    c6ef59aa3f0cd1bb727e2464bb728ab79342ad32\r\n  SHA256  696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473\r\nSample 4 (dnWIPE.exe)\r\n  MD5     191e51cd0ca14edb8f06c32dcba242f0\r\n  SHA1    fbeb9eb14a68943551b0bf95f20de207d2c761f6\r\n  SHA256  610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008\r\nSample 5 (RURansom.exe)\r\n  MD5     01ae141dd0fb97e69e6ea7d6bf22ab32\r\n  SHA1    c35ab665f631c483e6ec315fda0c01ba4558c8f2\r\n  SHA256  1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0\r\nSample 6 (RURansom.exe, the sample analysed above)\r\n  MD5     8fe6f25fc7e8c0caab2fdca8b9a3be89\r\n  SHA1    a30bf5d046b6255fa2c4b029abbcf734824a7f15\r\n  SHA256  107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f\r\nSource: https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/"
	],
	"report_names": [
		"new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/05a9c13e20e79c38a3f181e3147d92d4cf5ce95a.pdf",
		"text": "https://archive.orkl.eu/05a9c13e20e79c38a3f181e3147d92d4cf5ce95a.txt",
		"img": "https://archive.orkl.eu/05a9c13e20e79c38a3f181e3147d92d4cf5ce95a.jpg"
	}
}