# New Wiper Malware Attacking Russia: Deep-dive into RURansom Malware

**[blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/](https://blog.cyble.com/2022/03/11/new-wiper-malware-attacking-russia-deep-dive-into-ruransom-malware/)**

March 11, 2022

During our regular OSINT research, Cyble Research Labs came across a [Twitter post by the MalwareHunterTeam](https://twitter.com/malwrhunterteam/status/1498678603613155343) highlighting a ransomware named RURansom, which was found attacking Russia. The malware is called RURansom because the file's Program Database (PDB) path contains the substring "RURansom", as shown below:

**C:\Users\Admin1\source\repos\RURansom\RURansom\obj\Debug\RURansom.pdb**

The ongoing cyber warfare between Russia and Ukraine has witnessed a series of different wiper malware attacks, including [WhisperGate](https://blog.cyble.com/2022/02/01/whispergate-malware-deep-dive-analysis/), [HermeticWiper, and IsaacWiper](https://blog.cyble.com/2022/03/04/ongoing-cyberwarfare-a-look-at-the-key-cyberattacks/). Adding to this existing list of destructive malware, researchers have now found the RURansom wiper malware.

The RURansom malware operates by wiping the files present on the victim's computer and spreads like a worm within the network or through connected USB devices. Finally, the malware drops ransom notes on the victim's machine, as shown in Figure 1.

_Figure 1: Ransom Note written in Russian_

## Technical Analysis

In this blog, we conduct a deep-dive technical analysis of the RURansom malware used in the attack. We have analysed the sample with SHA256 **107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f** (listed in full in the IoC table at the end of this post), which is a 32-bit PE file written in the .NET programming language.

_Figure 2: File Info of RURansom Malware_

### Geolocation Identification

The RURansom malware traces the IP location of the victim machine and executes only if it detects an IP belonging to Russia. For IP identification, the malware uses two APIs, [https://api.ipify.org](https://api.ipify.org/) and [https://ip-api.com](https://ip-api.com/), which are hard-coded in its code.

_Figure 3: IP Geo Location Identification_

### Privilege Escalation

After identifying the geolocation of the machine, the malware checks whether it has Administrator rights on the infected machine, as shown in Figures 4 and 5.

_Figure 4: Administrator Check Used in the Malware_

_Figure 5: IsElevated Function_

If the malware does not have Admin privileges, it tries to relaunch itself in elevated mode using the following PowerShell command (the mixed letter case is as observed in the sample):

`cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location -veRB rUnAS`

_Figure 6: Code to get Elevated Privilege_

### Discovery of connected Drives

The RURansom wiper malware proceeds to scan the drives in the victim's system, including the removable and network drives connected to the victim's machine.

_Figure 7: Searching for Drives_

### Encryption and Deletion

After scanning the drives, the malware encrypts all the files in the identified directories and sub-directories on the victim's machine. To prevent recovery of the encrypted data from backup files, the malware also deletes .bak files from the infected machine.

_Figure 8: File Encryption & Deletion_

### Encryption Algorithm

Our research indicated that the malware uses the AES-CBC encryption algorithm to encrypt files on the victim's machine.

_Figure 9: AES Encryption_

### Ransom Note

Finally, the RURansom malware drops a ransom note file named Полномасштабное_кибервторжение.txt (Full-blown_cyber-invasion.txt). The note is written in Russian and is dropped in every directory in which files were encrypted. The ransom note and its file name are shown in Figure 10.

_Figure 10: Ransom Note in Russian_

Figure 11 shows the English translation of the ransom note dropped by RURansom malware.
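Returning to the two pre-wipe behaviours described in the Geolocation Identification and Privilege Escalation sections above (the hard-coded geo-IP lookups and the case-mangled `Start-Process ... -Verb RunAs` self-relaunch), the following Python script is an added example of how a defender can triage endpoint telemetry for them. It is not Cyble's tooling and not code from the malware. The event records are constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 22 for DNS queries); the field names `EventID`, `CommandLine` and `QueryName` and the sample events are assumptions of the example, while the two domains and the command line are the ones reported above.

```python
"""Log triage for the RURansom pre-wipe behaviours (added example, not Cyble's code).

Event records are constructed in a Sysmon-like shape; the field names are
assumptions, not a real Sysmon export.
"""
import re

# Public geo-IP services the write-up reports as hard-coded in the malware.
GEOIP_DOMAINS = {"api.ipify.org", "ip-api.com"}

# Elevation by relaunching the running assembly with Start-Process -Verb RunAs.
# The observed command randomises letter case (stART-PRoceSS ... -veRB rUnAS),
# so matching must be case-insensitive; PowerShell ignores case as well.
SELF_ELEVATE = re.compile(
    r"start-process\s+.*getexecutingassembly\(\)\.location.*-verb\s+runas",
    re.IGNORECASE,
)


def normalise_cmdline(cmdline: str) -> str:
    """Collapse whitespace and lower-case so obfuscated casing cannot evade matching."""
    return " ".join(cmdline.split()).lower()


def is_self_elevation(cmdline: str) -> bool:
    """True when a command line relaunches its own assembly with -Verb RunAs."""
    return SELF_ELEVATE.search(normalise_cmdline(cmdline)) is not None


def is_geoip_lookup(query_name: str) -> bool:
    """True when a DNS query targets one of the geo-IP services (or a subdomain)."""
    name = query_name.strip().rstrip(".").lower()
    return name in GEOIP_DOMAINS or any(name.endswith("." + d) for d in GEOIP_DOMAINS)


def triage(events):
    """Return (event_index, reason) pairs for every event matching either behaviour."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 1 and is_self_elevation(ev.get("CommandLine", "")):
            findings.append((idx, "self-elevation via Start-Process -Verb RunAs"))
        elif ev.get("EventID") == 22 and is_geoip_lookup(ev.get("QueryName", "")):
            findings.append((idx, "geo-IP lookup to " + ev["QueryName"]))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location -veRB rUnAS"},
    {"EventID": 22, "Image": r"C:\Users\user\Downloads\update.exe", "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Users\user\Downloads\update.exe", "QueryName": "ip-api.com"},
    # Benign: Start-Process without RunAs and not relaunching itself.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell Start-Process notepad.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\Browser\browser.exe", "QueryName": "example.com"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Neither signal is conclusive on its own (many legitimate scripts call `Start-Process -Verb RunAs`, and some software checks its public IP), but a process that performs the geo-IP lookups and then relaunches itself elevated is the sequence this sample exhibits, so correlating both findings by `Image` within a short window is the more useful rule.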
_Figure 11: Ransom Note Translation in English_

### Encryption Key

As per our research, the files are encrypted using a randomly generated AES key. The key is calculated from hard-coded strings such as FullScaleCyberInvasion, RU_Ransom, and 2022 together with the victim's machine name and user name. Figure 12 shows the code that generates the AES key.

_Figure 12: AES Key Generation_

### Spreading Mechanism

The malware renames itself to Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe) and spreads to all connected systems.

_Figure 13: Code for Spreading_

_Figure 14: Ransom Note and the Copy of Malware used for Spreading_

### Similarities with dnWiper

After a deep-dive analysis of the tactics, techniques and procedures (TTPs) identified in the RURansom wiper malware, we have observed that it has several similarities with dnWiper. Researchers at Trend Micro also believe that the same threat actors are behind the two wiper malware, [as stated in their report](https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html).

The major difference between RURansom and dnWiper is that the latter targets only specific extensions such as .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, etc., while RURansom encrypts files of all extensions.

_Figure 15: dnWiper Sample Code_

## Conclusion

Files encrypted by the RURansom wiper malware cannot be recovered. Based on the ransom note and the technical specifications of the malware, we suspect that it has been devised to target Russia, but the identity of the threat actors behind it is still unknown. Given the continued conflict and geopolitical tensions between Russia and Ukraine, we expect an increase in cyber warfare, with both nations targeting each other.

## Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers.
We recommend that our readers follow the suggestions given below:

- Don't keep important files in common locations such as the Desktop, My Documents, etc.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backups and keep those backups offline or in a separate network.

## MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Execution | [T1204](https://attack.mitre.org/techniques/T1204/) | User Execution |
| Discovery | [T1518](https://attack.mitre.org/techniques/T1518) | Security Software Discovery |
| Discovery | [T1087](https://attack.mitre.org/techniques/T1087) | Account Discovery |
| Discovery | [T1083](https://attack.mitre.org/techniques/T1083) | File and Directory Discovery |
| Impact | [T1485](https://attack.mitre.org/techniques/T1485) | Data Destruction |
| Impact | [T1486](https://attack.mitre.org/techniques/T1486) | Data Encrypted for Impact |
| Impact | [T1565](https://attack.mitre.org/techniques/T1565) | Data Manipulation |

## Indicators Of Compromise (IoCs)

| Indicator | Indicator type | Description |
| --- | --- | --- |
| 6cb4e946c2271d28a4dee167f274bb80 | MD5 | RURansom.exe |
| 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b | SHA1 | RURansom.exe |
| 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9 | SHA256 | RURansom.exe |
| fe43de9ab92ac5f6f7016ba105c1cb4e | MD5 | RURansom.exe |
| 27a16e1367fd3e943a56d564add967ad4da879d8 | SHA1 | RURansom.exe |
| 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae | SHA256 | RURansom.exe |
| 9c3316a9ff084ed4d0d072df5935f52d | MD5 | RURansom.exe |
| c6ef59aa3f0cd1bb727e2464bb728ab79342ad32 | SHA1 | RURansom.exe |
| 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473 | SHA256 | RURansom.exe |
| 191e51cd0ca14edb8f06c32dcba242f0 | MD5 | dnWIPE.exe |
| fbeb9eb14a68943551b0bf95f20de207d2c761f6 | SHA1 | dnWIPE.exe |
| 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008 | SHA256 | dnWIPE.exe |
| 01ae141dd0fb97e69e6ea7d6bf22ab32 | MD5 | RURansom.exe |
| c35ab665f631c483e6ec315fda0c01ba4558c8f2 | SHA1 | RURansom.exe |
| 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0 | SHA256 | RURansom.exe |
| 8fe6f25fc7e8c0caab2fdca8b9a3be89 | MD5 | RURansom.exe |
| a30bf5d046b6255fa2c4b029abbcf734824a7f15 | SHA1 | RURansom.exe |
| 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f | SHA256 | RURansom.exe |
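The Ransom Note and Spreading Mechanism sections above give a defender three host-level artefacts to look for: the hash IoCs in the table, the ransom note file name, and the worm copy with its `.doc.exe` double extension. The following Python script is an added example of a host triage pass that checks all three over a directory tree; it is not Cyble's tooling. The hash values and file names come from this post; the directory layout and sample files in `demo()` are constructed, and the `DOC_EXTS` heuristic (flagging any document extension immediately followed by `.exe`, not only the exact name reported here) is a generalisation of the example's own.

```python
"""Host triage for RURansom artefacts (added example, not Cyble's code).

Checks every file under a root for: a hash IoC match, the ransom note name,
and the worm copy's document-then-.exe double extension.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Hash IoCs from the table above (lower-cased for comparison).
HASH_IOCS = {h.lower() for h in """
6cb4e946c2271d28a4dee167f274bb80 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b
979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9
fe43de9ab92ac5f6f7016ba105c1cb4e 27a16e1367fd3e943a56d564add967ad4da879d8
8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae
9c3316a9ff084ed4d0d072df5935f52d c6ef59aa3f0cd1bb727e2464bb728ab79342ad32
696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473
191e51cd0ca14edb8f06c32dcba242f0 fbeb9eb14a68943551b0bf95f20de207d2c761f6
610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008
01ae141dd0fb97e69e6ea7d6bf22ab32 c35ab665f631c483e6ec315fda0c01ba4558c8f2
1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0
8fe6f25fc7e8c0caab2fdca8b9a3be89 a30bf5d046b6255fa2c4b029abbcf734824a7f15
107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f
""".split()}

RANSOM_NOTE_NAME = "Полномасштабное_кибервторжение.txt"   # reported in the post
WORM_COPY_NAME = "Россия-Украина_Война-Обновление.doc.exe"  # reported in the post
# Generalisation (assumption of this example): any "name.<doc ext>.exe" is suspicious.
DOC_EXTS = {".doc", ".docx", ".pdf", ".txt", ".xls", ".xlsx"}


def file_hashes(path):
    """MD5/SHA1/SHA256 of a file, streamed so large files do not load into memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def is_ransom_note(name):
    return name == RANSOM_NOTE_NAME


def is_worm_copy_name(name):
    """Exact reported worm-copy name, or any document extension followed by .exe."""
    lower = name.lower()
    if lower == WORM_COPY_NAME.lower():
        return True
    stem, ext = os.path.splitext(lower)
    return ext == ".exe" and os.path.splitext(stem)[1] in DOC_EXTS


def scan_tree(root, hash_iocs=HASH_IOCS):
    """Return (relative path, reason) pairs for every artefact found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if is_ransom_note(path.name):
            findings.append((rel, "ransom note"))
        if is_worm_copy_name(path.name):
            findings.append((rel, "double-extension executable / worm copy name"))
        matched = [algo for algo, h in file_hashes(path).items() if h in hash_iocs]
        if matched:
            findings.append((rel, "hash IoC match (" + ",".join(matched) + ")"))
    return findings


def demo():
    """Build a constructed tree in a temp dir, scan it and return the findings."""
    root = tempfile.mkdtemp()
    try:
        share = Path(root) / "share"
        share.mkdir()
        (share / RANSOM_NOTE_NAME).write_text("constructed note", encoding="utf-8")
        (Path(root) / WORM_COPY_NAME).write_bytes(b"MZ constructed, not the real binary")
        (Path(root) / "report.docx.exe").write_bytes(b"MZ another constructed double extension")
        (Path(root) / "notes.txt").write_text("benign", encoding="utf-8")
        # Simulate a hash hit by adding the SHA256 of one constructed file to the IoC set.
        extra = file_hashes(Path(root) / "notes.txt")["sha256"]
        return scan_tree(root, HASH_IOCS | {extra})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a mounted image or a file share rather than a live infected host where possible; the name checks are cheap and catch the spreading copies on removable and network drives that the hash list will miss if the sample has been recompiled.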