
Rewterz Threat Alert – RU Ransomware – Active IOCs

Severity

High

Analysis Summary

RU Ransom appears to be targeting Russian assets in retribution for Russia's invasion of Ukraine. The malware is written in .NET and uses AES-CBC with a hard-coded salt. It copies itself to every removable device and mapped network share, spreading like a worm, under the file name "Россия-Украина_Война-Обновление.doc.exe", which translates to "Russia-Ukraine_War-Update.doc.exe" in English. Once it has propagated, the malware begins encrypting data. If the drive letter is "C:\", only the files under "C:\Users\" are encrypted; on other removable and mapped network drives, every file under the root directory is encrypted recursively. The key is unique for each encrypted file and is never saved, so the encryption is irreversible, which sets this malware apart from conventional ransomware.

Impact

  • File Encryption

Indicators of Compromise

Filename

  • RURansom[.]exe
  • dnWIPE[.]exe

MD5

  • 8fe6f25fc7e8c0caab2fdca8b9a3be89
  • 01ae141dd0fb97e69e6ea7d6bf22ab32
  • 191e51cd0ca14edb8f06c32dcba242f0
  • 9c3316a9ff084ed4d0d072df5935f52d
  • fe43de9ab92ac5f6f7016ba105c1cb4e
  • 6cb4e946c2271d28a4dee167f274bb80

SHA-256

  • 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f
  • 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0
  • 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008
  • 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473
  • 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae
  • 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9

SHA-1

  • a30bf5d046b6255fa2c4b029abbcf734824a7f15
  • c35ab665f631c483e6ec315fda0c01ba4558c8f2
  • fbeb9eb14a68943551b0bf95f20de207d2c761f6
  • c6ef59aa3f0cd1bb727e2464bb728ab79342ad32
  • 27a16e1367fd3e943a56d564add967ad4da879d8
  • 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the IOCs in your environment.
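The following script is an added example of how the "search for IOCs" step can be carried out on a host; it is not part of the Rewterz alert and not the malware's own code. It walks a directory tree, hashes every file with MD5, SHA-1 and SHA-256, and reports any file whose hash or file name matches the indicators listed above (including the propagation file name from the analysis summary). The directory to scan and the function names are the example's own choices.

```python
import hashlib
import os
from pathlib import Path

# Indicator values copied from the alert above.
IOC_MD5 = {
    "8fe6f25fc7e8c0caab2fdca8b9a3be89", "01ae141dd0fb97e69e6ea7d6bf22ab32",
    "191e51cd0ca14edb8f06c32dcba242f0", "9c3316a9ff084ed4d0d072df5935f52d",
    "fe43de9ab92ac5f6f7016ba105c1cb4e", "6cb4e946c2271d28a4dee167f274bb80",
}
IOC_SHA1 = {
    "a30bf5d046b6255fa2c4b029abbcf734824a7f15", "c35ab665f631c483e6ec315fda0c01ba4558c8f2",
    "fbeb9eb14a68943551b0bf95f20de207d2c761f6", "c6ef59aa3f0cd1bb727e2464bb728ab79342ad32",
    "27a16e1367fd3e943a56d564add967ad4da879d8", "0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b",
}
IOC_SHA256 = {
    "107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f",
    "1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0",
    "610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008",
    "696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473",
    "8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae",
    "979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9",
}
# File names from the alert: the dropped binaries and the worm's propagation name.
IOC_FILENAMES = {
    "RURansom.exe",
    "dnWIPE.exe",
    "Россия-Украина_Война-Обновление.doc.exe",
}


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_directory(root, md5s=IOC_MD5, sha1s=IOC_SHA1, sha256s=IOC_SHA256,
                   names=IOC_FILENAMES):
    """Walk `root` and return [(path, [reasons])] for every file matching an IOC.

    The indicator sets default to the alert's values; the test passes its own
    sets so the behaviour can be checked on constructed files.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = []
            if name in names:
                reasons.append("filename")
            try:
                m, s1, s256 = hash_file(path)
            except OSError:
                # Unreadable or vanished file: skip rather than abort the scan.
                continue
            if m in md5s:
                reasons.append("md5")
            if s1 in sha1s:
                reasons.append("sha1")
            if s256 in sha256s:
                reasons.append("sha256")
            if reasons:
                hits.append((str(path), reasons))
    return hits


if __name__ == "__main__":
    # Scan the user profile directory, the location the alert says is encrypted on C:\.
    for path, reasons in scan_directory(Path.home()):
        print(f"IOC match ({', '.join(reasons)}): {path}")
```

Hash-only matching catches the exact samples listed; the file-name check adds coverage for copies of the worm on removable media and mapped shares, which is where the alert says it propagates. Run it against mounted shares and removable drives as well as `C:\Users` when a host is suspected.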