RURansom Wiper

RURansom is the name of a new strain of malware called a wiper, which shares some characteristics with ransomware but is designed to be destructive immediately, rather than demand a ransom for decryption. This means that if any wiper malware gets onto a system, data loss is assured.

RURansom surfaced on the internet as early as March 1st 2022. There has been no mention yet of an attack vector. Deliver of the payload to the victim network and devices is not yet fully known. It is likely though, that standard deployment method would apply; such as email attachments, hyperlinks, Java exploits, and others generally accepted vectors. It is known that the malware uses a geolocation string to verify that the target network as it is currently focused on Russia. Below is the code for the geolocation scripting in a screenshot for reference.

geolocation scripting

Once the malware is executed on a target machine, it first attempts to run as admin; if it fails, it attempts to run in an elevated permissions mode using the following PowerShell command:

cmd.exe /c powershell stART-PRoceSS Assembly.GetExecutingAssembly().Location  -veRB rUnAS

Drives connected as Local, removable and/or network drives on the victim PC are scanned and then added to the encryption process leaving all files with a randomized on a per file basis with a unique AES cipher. No decrypt key is generated, and .Bak files are deleted upon detection in this phase, making this a pure malicious malware. The malware file then renames itself as Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe) and then proceeds to attack any other systems connected to the initial victims device or network. Below is the code example used to generate the AES cipher for the encryption:

AES cipher code

Thoughts and Recommendations

While RURansom on the surface appears to be localized, we suspect it is only time before its application is more wide spread. As RURansom becomes more well known in its design, it is only a matter of time, we think before, another attacker changes the target geodata, among other changes, and launches teh malware more global.

It is prudent that standard recommendations for social engineering, ransomware protection, and other cyber security should apply. Social engineering training should be part of an organizations employee training regimen, and this malware attack form should be added to the list of things to watch for.