{
	"id": "7eac2eca-4729-4f20-a830-33552ad0a2a0",
	"created_at": "2026-04-06T00:06:55.54986Z",
	"updated_at": "2026-04-10T03:22:07.44594Z",
	"deleted_at": null,
	"sha1_hash": "372bec100586a0b4e7d0201825b411d65f76c3b2",
	"title": "New RURansom Wiper Targets Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 252917,
	"plain_text": "New RURansom Wiper Targets Russia\r\nBy By: Jaromir Horejsi, Cedric Pernet Mar 08, 2022 Read time: 4 min (972 words)\r\nPublished: 2022-03-08 · Archived: 2026-04-05 12:51:32 UTC\r\nA conflict in cyberspace is unfolding parallel to the conflict between Russia and Ukraine on the ground. Cyberattacks\r\nare being lobbed against both Russian and Ukrainian sides, with a new wiper directed against Russia joining the fray.\r\nOn March 1, a tweetopen on a new tab from MalwareHunterTeam about a possible ransomware variant caught our\r\nattention and set our immediate analysis into motion. We found several additional samples of this malware, which has\r\nbeen dubbed as “RURansom” by its developer. Despite its name, analysis has revealed it to be a wiper and not a\r\nransomware variant because of its irreversible destruction of encrypted files.\r\nTargeting Russia\r\nBased on our telemetry, we have not yet observed active targets for this malware family. One possible reason for this\r\nis that the wiper has only targeted a few entries in Russia so far.\r\nRURansom’s code, however, makes its author’s motives clear. Figure 1 shows the code variable responsible for the\r\nmalware’s ransom note.\r\nFigure 1. Code snippet of what will be written in the ransom note file\r\nThe note reads in English as follows:\r\nOn February 24, President Vladimir Putin declared war on Ukraine.\", \"To counter this, I, the creator of RU_Ransom,\r\ncreated this malware to harm Russia. You bought this for yourself, Mr. President.\", \"There is no way to decrypt your\r\nfiles. No payment, only damage. And yes, this is \\\"peacekeeping\\\" like Vladi Papa does, killing innocent civilians\",\r\n\"And yes, it was translated from Bangla into Russian using Google Translate... (This is a direct translation.)\r\nWe detected different versions of the malware between February 26 and March 2, 2022. 
Upon further analysis, we\r\nhave learned more details about its capabilities.\r\nRURansom: A new wiper\r\nThe malware is written in .NET programming language and spreads as a worm by copying itself under the file name\r\n\"Россия-Украина_Война-Обновление.doc.exe\" to all removable disks and mapped network shares. Translated into\r\nEnglish, the file name reads as “Russia-Ukraine_War-Update.doc.exe.”\r\nhttps://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html\r\nPage 1 of 3\n\nFigure 2. Code snippet showing RURansom’s spreading mechanism\r\nAfter successfully spreading, the malware then begins encryption. If the assigned disk letter is “C:\\,” for example, the\r\nfiles in the folder “C:\\\\Users\\\\\u003cUserName\u003e\" are encrypted. For other removable and mapped network drives, all files\r\nthat recursively branch from the root directory are encrypted.\r\nEncryption is applied to all file extensions except for “.bak” files, which are deleted. The files are encrypted with a\r\nrandomly generated key with length equal to base64 (\"FullScaleCyberInvasion + \" +  MachineName). \r\nFigure 3. Code showing the length of the randomly generated key for encryption, with an extra “+,”\r\nwhich is likely a typo\r\nThe encryption algorithm is AES-CBC using a hard-coded salt. The keys are unique for each encrypted file and are\r\nnot stored anywhere, making the encryption irreversible and marking the malware as a wiper rather than a\r\nransomware variant.\r\nThe “ransom” note, which is the file “Полномасштабное_кибервторжение.txt” (translated as “Full-blown_cyber-invasion.txt”), is then dropped into each directory. However, it is more accurate to say that this is a wiper note.\r\nAs seen in the code in Figure 1, the note states its developer’s sentiments and also reveals that the author used Google\r\nTranslate to convey their message in Russian from the original Bangla.\r\nStill in development\r\nWe have discovered several versions of RURansom. 
Some of these versions check if the IP address where the\r\nsoftware is launched is in Russia. In cases where the software is launched outside of Russia, these versions will stop\r\nexecution, showing a conscious effort to target only Russian-based computers. While most samples were\r\nunobfuscated, we found one version using ConfuserEx for obfuscation.\r\nFigure 4. Code snippet where the malware tests if it is being run from Russia\r\nOther versions also attempt to start the process with elevated privileges. These different versions and modifications\r\nmight indicate that the malware was still undergoing development at the time of writing.\r\nOther activities from the same author\r\nAside from RURansom, the developer appears to have been working on another “wiper” dubbed as “dnWipe.” Its\r\npayload is executed every Tuesday.\r\nWe analyzed dnWipe and found that it simply encodes content in base64 for the following file extensions: .doc,\r\n.docx, .png, .gif, .jpeg, .jpg, .mp4, .txt, .flv, .mp3, .ppt, .pptx, .xls, and .xlsx. Therefore, just as RURansom is not\r\nreally a ransomware variant, dnWipe also cannot be classified as an example of a wiper malware because its encoding\r\ncan be decoded easily.\r\nOther binaries that we can attribute with high confidence to the same developer indicate their other interests. For one,\r\nthey have also compiled a downloader for an XMRig binary, showing an inclination for cryptocurrency mining.\r\nConclusion\r\nNo one can be indifferent to the conflict between Ukraine and Russia. 
People all over the world are actively taking\r\nsides, and malware developers are no exception.\r\nAs this blog entry shows, the exchange of attacks in cyberspace is reflective of this conflict: Leaks have exposed Russian-based cybercriminal groups behind Conti and TrickBot, while a destructive wiper has attacked organizations in Ukraine. Now, the RURansom wiper is seeking out Russian targets.\r\nWe see RURansom as just one attempt among a growing list of attacks that aim to support a position espoused\r\nstrongly by an individual or a group. While we have not yet found any victims of this malware, seeing the evolution\r\nin its code leads us to believe that its developer will keep updating their malware in an effort to deal some form of\r\ndamage on Russia.\r\nIn general, the tense geopolitical situation has added an edge to cyberattacks. Ultimately, keeping defenses up,\r\nstaying vigilant against misinformation, and monitoring the situation are essential in order to navigate this uncertain\r\nstate of affairs.\r\nFor more guidance on managing today’s cyber risks, please see our earlier blog post here.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Detection name\r\n107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f Ransom.MSIL.RUCRYPT.YXCCD\r\n1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0 Ransom.MSIL.RUCRYPT.YXCCD\r\n610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008 Ransom.MSIL.RUCRYPT.YXCCD\r\n696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473 Ransom.MSIL.RUCRYPT.YXCCD\r\n8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae Ransom.MSIL.RUCRYPT.YXCCD\r\n979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9 Ransom.MSIL.RUCRYPT.YXCCD\r\nSource: https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html"
	],
	"report_names": [
		"new-ruransom-wiper-targets-russia.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434015,
	"ts_updated_at": 1775791327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/372bec100586a0b4e7d0201825b411d65f76c3b2.pdf",
		"text": "https://archive.orkl.eu/372bec100586a0b4e7d0201825b411d65f76c3b2.txt",
		"img": "https://archive.orkl.eu/372bec100586a0b4e7d0201825b411d65f76c3b2.jpg"
	}
}