RURansom is a wiper targeting Russia rather than a ransomware variant: its encryption is irreversible by design. It spreads like a worm via removable disks and mapped network shares, encrypting files and dropping a note that demands no payment; some versions add geo-targeting, obfuscation, or an attempt to run with elevated privileges. Hashtags: #RURansom #Russia #dnWipe #XMRig #Conti #TrickBot
Keypoints
- RURansom is a .NET-based wiper that encrypts files on multiple drives and network shares with per-file keys using AES-CBC, making recovery infeasible.
- The malware propagates as a worm by copying itself under the name “Россия-Украина_Война-Обновление.doc.exe” to removable disks and mapped shares.
- Encryption applies to files of every extension except “.bak,” which are deleted instead of encrypted; the note dropped alongside is not a ransom note, since it states that decryption is impossible and asks for no payment.
- Some variants check if the malware is launched from Russia and stop when run outside Russia, indicating geographic targeting.
- Obfuscation is used in at least one version (ConfuserEx), and some builds attempt privilege escalation.
- There are related activities from the same author, including “dnWipe” (a separate wiper) and a downloader for an XMRig binary, suggesting broader malware interests.
MITRE Techniques
- [T1091] Replication Through Removable Media – The malware spreads as a worm by copying itself under the file name “Россия-Украина_Война-Обновление.doc.exe” to all removable disks and mapped network shares. “The malware is written in .NET programming language and spreads as a worm by copying itself under the file name ‘Россия-Украина_Война-Обновление.doc.exe’ to all removable disks and mapped network shares.” (Copying to mapped network shares is better covered by T1080 Taint Shared Content; T1091 applies to the removable-disk path.)
- [T1486] Data Encrypted for Impact – Encryption is AES-CBC with per-file keys; keys are not stored, making encryption irreversible. “The encryption algorithm is AES-CBC using a hard-coded salt. The keys are unique for each encrypted file and are not stored anywhere, making the encryption irreversible…”
- [T1027] Obfuscated Files or Information – Some versions use code obfuscation (ConfuserEx). “one version using ConfuserEx for obfuscation.”
- [T1105] Ingress Tool Transfer – The same author compiled a separate downloader for an XMRig binary; it is a related tool rather than a component of RURansom itself, but it shows the capability to bring in an additional payload. “They have also compiled a downloader for an XMRig binary, showing an inclination for cryptocurrency mining.”
- [T1548] Abuse Elevation Control Mechanism – Some variants attempt to start the process with elevated privileges. “Other versions also attempt to start the process with elevated privileges.”
- [T1485] Data Destruction – The note and behavior indicate destructive intent (no decryption). “There is no way to decrypt your files. No payment, only damage.”
Indicators of Compromise
- [SHA256] – 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f, 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0, 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008, 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473, 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae, 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9
- [File Name] propagation file name – Россия-Украина_Война-Обновление.doc.exe, Russia-Ukraine_War-Update.doc.exe
- [File Name] note file (not a ransom note; it demands no payment) – Полномасштабное_кибервторжение.txt (translation: Full-scale_cyber-invasion.txt)
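The worm copies itself under a fixed file name to removable disks and mapped shares and drops a note with a fixed name, so the cheapest first-pass hunt is a name and hash sweep over exactly those locations. The script below is an added example (not Trend Micro's code and not the malware author's code) that walks a set of root paths, flags files carrying the propagation or note names from the indicator list above, and hashes executable-looking files against the published SHA256 set. Assumptions, labelled in the code: the set of extensions worth hashing is a performance choice, the `windows_candidate_roots` helper uses the Win32 `GetLogicalDrives`/`GetDriveTypeW` calls to pick removable (type 2) and network (type 4) drives and returns nothing on other platforms, and `build_constructed_tree` writes benign placeholder files with the indicator names purely so the script can be exercised offline.

```python
"""Hunt for the RURansom artefacts listed above (propagation file name, note
file name, published SHA256 hashes) across root paths such as removable disks
and mapped shares. Added example; not Trend Micro's or the malware author's code.
"""
import ctypes
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Indicators copied from the page. Names are compared case-insensitively.
PROPAGATION_NAMES = {
    "россия-украина_война-обновление.doc.exe",
    "russia-ukraine_war-update.doc.exe",
}
NOTE_NAMES = {"полномасштабное_кибервторжение.txt"}
KNOWN_SHA256 = {
    "107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f",
    "1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0",
    "610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008",
    "696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473",
    "8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae",
    "979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9",
}
# Assumed performance choice: only hash these extensions when the name does not
# match; hashing every file on a large share is too slow for a first pass.
HASH_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


@dataclass
class Finding:
    path: str
    reason: str        # "propagation-name", "note-name" or "sha256"
    sha256: str
    known_hash: bool   # True when the digest is in the supplied hash set


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots: Iterable[str], hashes: Set[str] = KNOWN_SHA256) -> List[Finding]:
    """Walk each root without following symlinks, skip unreadable directories
    and locked files, and report name matches and hash matches."""
    findings: List[Finding] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                lowered = name.lower()
                try:
                    if lowered in PROPAGATION_NAMES:
                        digest = sha256_of(path)
                        findings.append(Finding(path, "propagation-name", digest, digest in hashes))
                    elif lowered in NOTE_NAMES:
                        digest = sha256_of(path)
                        findings.append(Finding(path, "note-name", digest, digest in hashes))
                    elif lowered.endswith(HASH_EXTENSIONS):
                        digest = sha256_of(path)
                        if digest in hashes:
                            findings.append(Finding(path, "sha256", digest, True))
                except OSError:
                    continue  # file vanished or is locked; keep hunting
    return findings


def windows_candidate_roots() -> List[str]:
    """Removable (2) and network (4) drive roots via Win32 GetDriveTypeW.
    Returns an empty list on non-Windows hosts."""
    if os.name != "nt":
        return []
    kernel32 = ctypes.windll.kernel32
    mask = kernel32.GetLogicalDrives()
    roots = []
    for i in range(26):
        if mask & (1 << i):
            root = f"{chr(ord('A') + i)}:\\"
            if kernel32.GetDriveTypeW(root) in (2, 4):
                roots.append(root)
    return roots


def build_constructed_tree() -> Dict[str, str]:
    """Constructed test data: benign placeholder files carrying the indicator
    names. Contents are short strings, not malware."""
    root = tempfile.mkdtemp(prefix="ruransom-hunt-")
    sub = os.path.join(root, "share")
    os.mkdir(sub)
    paths = {
        "root": root,
        "dropper": os.path.join(root, "Россия-Украина_Война-Обновление.doc.exe"),
        "note": os.path.join(sub, "Полномасштабное_кибервторжение.txt"),
        "benign_exe": os.path.join(root, "harmless.exe"),
        "benign_txt": os.path.join(sub, "readme.txt"),
    }
    for label, path in paths.items():
        if label != "root":
            with open(path, "wb") as fh:
                fh.write(f"constructed placeholder: {label}".encode())
    return paths


if __name__ == "__main__":
    targets = windows_candidate_roots() or [build_constructed_tree()["root"]]
    for f in scan(targets):
        flag = "KNOWN-HASH" if f.known_hash else ""
        print(f"{f.reason:17} {f.sha256[:16]}... {f.path} {flag}")
```

Run it on a Windows host and it sweeps every removable and mapped drive; elsewhere it falls back to the constructed tree so the matching logic can be checked. A name match on a file whose hash is not in the published set still deserves triage, since the hash list covers only the samples Trend Micro analysed, while a hash match is a definite hit regardless of file name.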
Read more: https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html