Another hacker group's novel RURansom wiper targets Russia, motives revealed in the code.

Initially suspected to be a strain of ransomware, the RURansom malware appears to be a wiper targeting Russia over Moscow's war against Ukraine.

Researchers at Trend Micro claim that the novel RURansom malware is not what it seems. First thought to be a new strain of ransomware, as the name implies, the malware's authors appear to have motives beyond financial gain.

According to security researchers, no active targets have been seen so far. However, that may be because the wiper targets specific entities in Russia.

The authors of the malware do not hide their reasons for spreading the malware. The RURansom code variable responsible for the ransom note contains a message.

"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian.

Trend Micro claims that the malware was written in the .NET programming language. The worm spreads by copying itself under a Russian-language file name that translates to "Russia-Ukraine war update."

The file copies itself to all removable disks and mapped network shares, trying to reach maximum impact.

Once the deployment is complete, the malware encrypts the files. No files are spared the encryption, with one exception: .bak files are not encrypted but deleted outright.

The encryption routine assigns a random encryption key to each file. Since the keys are not stored anywhere, there is no way to decrypt the files, which makes the malware a wiper rather than ransomware.
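As an added illustration (not code from the Trend Micro report or from the malware), here is a small Python triage helper for responders: it flags files whose bytes look uniformly random, which is the footprint that per-file random-key encryption with discarded keys leaves behind, and counts surviving .bak files, since the report says the wiper deletes them. The 7.5 bits/byte threshold and the sample inputs are assumptions.

```python
import math
import os
from collections import Counter

# Bits-per-byte threshold above which content looks like ciphertext or random data.
# Assumption: 7.5 is a common heuristic cut-off, not a value from the report.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_ENTROPY_THRESHOLD) -> bool:
    """Random-key encryption leaves uniformly distributed bytes, so high entropy
    across a whole file is a useful (not conclusive: compressed archives and
    images score high too) signal that the file was overwritten."""
    return len(data) >= 256 and shannon_entropy(data) >= threshold


def triage_directory(root: str, sample_bytes: int = 65536) -> dict:
    """Walk a tree, bucket files by whether their leading bytes look encrypted,
    and count .bak files that are still present."""
    report = {"encrypted": [], "plaintext": [], "bak_files": 0}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".bak"):
                report["bak_files"] += 1
            try:
                with open(path, "rb") as f:
                    head = f.read(sample_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            report["encrypted" if looks_encrypted(head) else "plaintext"].append(path)
    return report


# Constructed sample inputs (not from the report): readable text vs random bytes.
SAMPLE_TEXT = b"Quarterly sales figures and meeting notes for the board. " * 40
SAMPLE_RANDOM = os.urandom(4096)

if __name__ == "__main__":
    print("text  :", round(shannon_entropy(SAMPLE_TEXT), 2), looks_encrypted(SAMPLE_TEXT))
    print("random:", round(shannon_entropy(SAMPLE_RANDOM), 2), looks_encrypted(SAMPLE_RANDOM))
```

Point `triage_directory` at a mounted image or a mapped share to get a quick list of files worth checking against backups.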

According to researchers, some versions of the malware first check if the user's IP address is in Russia.

"In cases where the software is launched outside of Russia, these versions will stop execution, showing a conscious effort to target only Russian-based computers," the report's authors claim.

Wiper warfare

It is not the first time wiper malware has been deployed in this conflict. Security researchers observed a disk-wiping malware deployed in Ukraine shortly before Russian forces invaded.

The wiper contains driver files that eventually damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable.

According to Crowdstrike, the attackers misused legitimate EaseUS Partition Master drivers to gain raw disk access and manipulate the disk to make the system inoperable.

[Image: Refugees fleeing Ukraine.]

The wiper was dubbed HermeticWiper since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company. Other researchers named the novel malware 'DriveSlayer.'

CISA released an advisory on the malware that targeted organizations in Ukraine, with recommendations and strategies to prepare for and respond to the threat.

Security researchers fleeing Ukraine later said that the wiper malware was used to disrupt refugees escaping the war in Ukraine, forcing officials to fall back to pen and paper.

Russian invasion

On the night of February 24, Russian forces invaded Ukraine. In light of the attack, the hacker community started rallying to help Ukrainians.

With Anonymous being the most prominent, numerous hacker groups and researchers are taking part in various campaigns to help Ukraine.

Cyber activists targeted Russian state-controlled media outlets TASS, Kommersant, Izvestia, Fontanka, and RBC, pushing them offline.

An unknown group has set up a website tool that allows people to participate in distributed denial of service (DDoS) attacks against Russian websites that it claims are spreading disinformation.

Others created an 'anti-war hotline' that allows Russian speakers and expats from around the world to call Russian citizens and inform them of the atrocities being committed in their name by Vladimir Putin in Ukraine.

Additionally, cybersecurity firms are urging ordinary civilians to join the cyberwar by means of an app that allows them to attack Russian websites spreading disinformation.

Numerous IT-related services were blocked or withdrew from the Russian market after the invasion.

According to the United Nations, over 2 million people have fled Ukraine to neighboring countries, while thousands of civilians have perished amidst the fighting.

