{
	"id": "fecaefcd-49e2-4964-a157-d8771264d1ba",
	"created_at": "2026-04-06T00:10:25.674204Z",
	"updated_at": "2026-04-10T03:21:56.342822Z",
	"deleted_at": null,
	"sha1_hash": "e94a5fdd924790e01a77f00cc7a5e970c620fd29",
	"title": "Understanding the RuRansom Malware – A Retaliatory Wiper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 490673,
	"plain_text": "Understanding the RuRansom Malware – A Retaliatory Wiper\r\nBy Threat Analysis Unit\r\nPublished: 2022-04-12 · Archived: 2026-04-05 15:25:28 UTC\r\nThis research was performed by Sudhir Devkar of the Threat Analysis Unit (TAU)\r\nSummary\r\nRuRansom is ransomware that specifically targets Russian systems. During the ongoing cyber warfare between Russia and Ukraine, TAU has already seen different malware attacks such as WhisperGate, IsaacWiper, and HermeticWiper. RuRansom is a new addition to this series of destructive malware. It is purposefully designed to destroy the victim’s backups and data.\r\nBehavioural Summary\r\nDue to the language and method by which the malware was created, the sample retains many of its original function and variable names. These names will be referenced in this write-up.\r\nUpon execution, the malware immediately calls a function named IsRussia(), which checks the system’s public IP address using a known IP address service located at https://api[.]ipify[.]org. It then uses that IP address to determine the geographical location of the machine through a known geolocation service, with the URL structure https://ip-api[.]com/#\u003cpublic ip\u003e, as shown in Figure 1.\r\nIf the victim machine’s geolocation does not contain the word “Russia”, the sample shows a message box with the message “Программу могут запускать только российские пользователи” (English translation: “The program can only be run by Russian users”) and terminates execution.\r\nFigure 1 shows this code, detailing that the malware is specifically targeted at systems associated with Russia.\r\nhttps://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html\r\nPage 1 of 8\n\nFigure 1: GeoLocation Check\r\nAs a next step, the malware checks for administrator privilege. If it is not running with administrator privilege, it uses the command line “cmd.exe /c powershell start-process \u003cexecuting assembly path\u003e -verb runas” to escalate its privilege. This code is shown in Figure 2.\r\nFigure 2: Elevated Privilege Check\r\nOnce the above checks are completed, the malware begins to collect drive information.\r\nIf a drive is removable or a network drive, the malware spreads there by dropping a copy of itself with the filename “Россия-Украина_Война-Обновление.doc.exe” (English translation: “Russia-Ukraine_War-Update.doc.exe”).\r\nThe sample also checks whether the targeted drive is “C:”. If so, it restricts encryption to the “C:\\Users\\\u003ccurrent user\u003e” folder, skipping all other folders. For any hard drive other than “C:”, the sample targets every folder and file for encryption. The code representing these steps is highlighted in Figure 3.\r\nFigure 3: Get Drive Info\r\nIn the encryption routine, shown in Figure 4, the sample first checks the path passed as an argument for encryption. If the path is not the %AppData% location, the malware enumerates the files and directories beneath it. %AppData% is a known Windows path for storing configuration data for the current user account’s installed applications. The malware then checks whether a file has the extension “.bak”; if so, the file is deleted to hinder recovery. All other files are encrypted via the EncryptFile() function. The malware continues this recursively until all directories are enumerated and all files are encrypted.\r\nFigure 4: Files and Directory Enumeration\r\nAs shown in Figure 5, the EncryptFile() function accepts a file name and a directory path as arguments and encrypts the file using AES (Advanced Encryption Standard). Each file is encrypted using a unique key, the ciphertext is further encoded with base64, and the result is written back to the original file. The sample changes the extension of encrypted files to “.fs_invade”.\r\nFigure 5: File Encryption\r\nOnce the file is encrypted, the malware drops a text file into the same directory with the name “Полномасштабное_кибервторжение.txt” (English translation: “Full-scale_cyber-invasion.txt”).\r\nThe contents of this text file are shown below (translated to English):\r\n“On February 24, President Vladimir Putin declared war on Ukraine.\r\nTo counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President.\r\nThere is no way to decrypt your files. No payment, only damage. And yes, it’s “peacekeeping” like Vladi Papa does, killing innocent civilians.\r\nAnd yes, it was translated from Bangla to Russian using Google Translate…”\r\nWhile looking into the encryption key generation further, the sample was shown to use the text length of “FullScaleCyberInvasion \u003cMachineName\u003e” and “RU_Ransom \u003cUserName\u003e 2022” to create the encryption cipher, as shown in Figure 6.\r\nFigure 6: Encryption Key Generation\r\nCustomer Protection\r\nRURansom is blocked and detected by existing policies within VMware Carbon Black products. To learn more about ransomware behaviour, detection and protection capabilities within the VMware Carbon Black suite of products against RURansom, refer to the following blog post: TAU-TIN – Ransomware Threats\r\nMITRE ATT\u0026CK TIDs\r\nTID  Tactic  Description\r\nT1047  Execution  Windows Management Instrumentation (WMI) to execute malicious commands and payloads\r\nT1083  Discovery  File and Directory Discovery\r\nT1485  Impact  Data Destruction\r\nT1486  Impact  Data Encrypted for Impact\r\nT1490  Impact  Deletes Windows volume shadow copies, Disable start-up repairs\r\nTable 1: MITRE ATT\u0026CK TIDs\r\nYARA:\r\nrule RURansom_wiper {\r\n    meta:\r\n        description = \"RURansom Wiper\"\r\n        author = \"VMware Threat Research\"\r\n        exemplar_hashes = \"7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1\"\r\n    strings:\r\n        $string1 = \"RU_Ransom\" wide ascii nocase\r\n        $string2 = \"RURansom\" wide ascii nocase\r\n        $string3 = \".fs_invade\" wide ascii nocase\r\n        $string4 = \"Russia\" wide ascii nocase\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of them\r\n}\r\nIndicators of Compromise (IOCs)\r\nIndicator  Type  Context\r\nfb4f3d9421cf8d35de950ad52ff4dca3a0c3e84c3c770c09c3cf6bbcc540e9d4  SHA256  RURansom\r\nd02ede8735c319012923efc6d4befa78f39fcb6c4ce40cb37a45b419a2efc923  SHA256  RURansom\r\n009ce5fcce062d699db46559badcf259eb925fcfcf374c0bdea8eb13d5750edf  SHA256  RURansom\r\nae00bb69f06936ac9afb0475d4b3ddf592e4c61e68327be2051211533a57d919  SHA256  RURansom\r\n70e8a9b39aa7dd91c461c32ddfeb090b3699e5984beb610787c92afd24ad546b  SHA256  RURansom\r\na932b37f6ebadfca08beb990cf784ac247317abbc42c72a9961f8d4a1fe7e1fb  SHA256  RURansom\r\n26e75390015ba36c2723d35ed7a227064892979ad331e0a728e39673feaa24c2  SHA256  RURansom\r\n2548ad9263dd94109ab22393a08f77364d96c48b0b96640cb530818adb9c08f0  SHA256  RURansom\r\ne0c4021b38f4d2f1e13d0a8374c8ef081be458fc3031e7ad49795a65a013cb43  SHA256  RURansom\r\nceebcd4472623db39026ae89dc0737d0cdec631cd763d9717d0f4a822a3a2085  SHA256  RURansom\r\n107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f  SHA256  RURansom\r\n1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0  SHA256  RURansom\r\n696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473  SHA256  RURansom\r\n5104c127b4d56ffe93016582401c250630f6d274  SHA1  RURansom\r\ned2b4ef1c2f1814c40326a094f8874c683dec68b  SHA1  RURansom\r\n97dae0c8fc302b6cbbc2e31c756909a16630d9c5  SHA1  RURansom\r\n34b9694fe6f5adb63f58217f80b4abb53c48e320  SHA1  RURansom\r\ndf4a28bdd8b743c16d2c9917c6d39030c07f2c09  SHA1  RURansom\r\n8746ab9039ad88ebf8aa822473fa2f9947131d19  SHA1  RURansom\r\nb1261722dd055dc6a5e2d2f3839a91390eac24e8  SHA1  RURansom\r\n085b697d49b103c4a42b20aa8b2f5c4730212653  SHA1  RURansom\r\ndd2a120b485cbf9ff7dd7435ee1d1a3fc4596862  SHA1  RURansom\r\n06c6dc34a9728f67038a7d41bcbe2372a9c4e6e4  SHA1  RURansom\r\na30bf5d046b6255fa2c4b029abbcf734824a7f15  SHA1  RURansom\r\nc35ab665f631c483e6ec315fda0c01ba4558c8f2  SHA1  RURansom\r\nc6ef59aa3f0cd1bb727e2464bb728ab79342ad32  SHA1  RURansom\r\n5028a73d50a0a2bd0abe6a24c660cb65  MD5  RURansom\r\n4ecd4debe942f6a5e45732d8d073b5ec  MD5  RURansom\r\n318d857c4b4c12b1b5d67f37fad616e9  MD5  RURansom\r\na6988a9060278741c0ba3e9028de1f97  MD5  RURansom\r\n9d298f3eaff0db4fb1f5b3160911e3ee  MD5  RURansom\r\na938dbd999f4a1ba7d537c9181c8d902  MD5  RURansom\r\n84e5cf74ecbed6caa3e88b1e00e1dc0d  MD5  RURansom\r\ne5e98aa9efcd4bd83245524ff430b28e  MD5  RURansom\r\n013addcf6e3f3a2e7ff441ccdc0433ce  MD5  RURansom\r\n94a65c7f033faf7efb1348df4a79f498  MD5  RURansom\r\n8fe6f25fc7e8c0caab2fdca8b9a3be89  MD5  RURansom\r\n01ae141dd0fb97e69e6ea7d6bf22ab32  MD5  RURansom\r\n9c3316a9ff084ed4d0d072df5935f52d  MD5  RURansom\r\nTable 2: Indicators of Compromise\r\nSource: https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/04/ruransom-a-retaliatory-wiper.html"
	],
	"report_names": [
		"ruransom-a-retaliatory-wiper.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775791316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e94a5fdd924790e01a77f00cc7a5e970c620fd29.pdf",
		"text": "https://archive.orkl.eu/e94a5fdd924790e01a77f00cc7a5e970c620fd29.txt",
		"img": "https://archive.orkl.eu/e94a5fdd924790e01a77f00cc7a5e970c620fd29.jpg"
	}
}