Understanding the RuRansom Malware – A Retaliatory Wiper

 This research was performed by Sudhir Devkar of the Threat Analysis Unit (TAU) 

Summary 

RuRansom is ransomware that is specifically targeting Russian systems. During ongoing cyber warfare between Russia and Ukraine, TAU has already seen different malware-attacks like WhisperGate, IsaacWiper, and HermeticWiper. RuRansom is a new addition to this destructive malware series. It is purposefully designed to destroy the victim’s backup and data.  

Behavioural Summary 

Due to the language and method by which the malware was created, there were indicators that detailed many original function and variable names. These values will be referenced in this write-up. 

Upon execution, the malware immediately calls a function named IsRussia(), checks the system’s public IP address using a known IP address service, located at https://api[.]ipify[.]org . Later, it uses the IP address to determine the geographical location of machine, by using a known geolocation service, with the URL structure of https://ip-api[.]com/#<public ip>, as shown in Figure 1. 

If the victim machine’s geolocation does not contain the word “Russia”, then the sample shows message box with message “Программу могут запускать только российские пользователи” (English translation “The program can only be run by Russian users”) and terminates execution.  

The below image in Figure 1 shows this code, detailing that the malware is specifically targeted to systems associated with Russia.  

Figure 1: GeoLoaction Check 

As a next step, the malware checks for administrator privilege. If not running under administrator privilege it uses the command line “cmd.exe /c powershell start-process <executing assembly path> -verb runas” to escalate its privilege. This code is shown in Figure 2. 

Figure 2: Elevated Privilege check 

Once these above checks are completed, the malware begins to collect drive information. 

If a drive is removable, or a network drive, the malware spreads there by dropping a copy of itself with the filename “Россия-Украина_Война-Обновление.doc.exe” (English translated: “Russia-Ukraine_War-Update.doc.exe”) 

Also, the sample checks if the targeted drive is “C:”. If so, it targets encryption to just the “C:\Users\<current user>” folder, skipping all other folders. 

For any hard drives other than “C:”, the sample targets every folder and file for encryption. The code representing these steps is highlighted in Figure 3. 

Figure 3: Get Drive Info 

In the encryption routine, shown in Figure 4 below, the sample first checks the path passed as an argument for encryption. If path is not equal to %AppData% location, the malware enumerates a list of files and directory. %AppData% is a known Windows path for storing configuration data for the current user account’s installed applications. Further, the malware checks if a file has the extension “.bak”. If so, the file will be deleted to hinder recovery. All other files are encrypted via the EncryptFile() function. The malware continues this recursively until all directories are enumerated and all files encrypted. 

Figure 4: Files and Directory enumeration 

As shown in Figure 5 below, the EncryptFile() function accepts a file name and a directory path as arguments for file encryption using AES (Advanced Encryption Standard) encryption method. Each file is encrypted using a unique key, further encoded with base64, and written back to the original file. The sample changes the extension of encrypted files to “.fs_invade”. 

Figure 5: File Encryption 

Once the file is encrypted, the malware drops a text file to the same directory with the name “Полномасштабное_кибервторжение.txt” (translated in English as “Full-scale_cyber-invasion.txt”)  

The contents of this text file is shown below (translated to English): 

“On February 24, President Vladimir Putin declared war on Ukraine. 

“To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President.”, 

“There is no way to decrypt your files. No payment, only damage. And yes, it’s “peacekeeping” like Vladi Papa does, killing innocent civilians,” 

“And yes, it was translated from Bangla to Russian using Google Translate…”” 

While looking into the encryption key generation further, the sample was shown to use the text length of “FullScaleCyberInvasion <MachineName>” and “RU_Ransom <UserName> 2022” to create the encryption cipher, as shown in Figure 6. 

Figure 6: Encryption key generation 

Customer Protection 

RURansom is blocked and detected by existing policies within VMware Carbon Black products. To learn more about further ransomware behaviour, detection and protection capabilities within the VMware Carbon Black suite of products against RURansom, you may refer to the following blog post: TAU-TIN – Ransomware Threats 

MITRE ATT&CK TIDs 

Table 1: MITRE ATT&CK TIDs 

YARA:  

Rule RURansom_wiper {  

    meta:  

           description = “RURansom Wiper”  

           author = “VMware Threat Research”  

           exemplar_hashes = “7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1”  

    strings:  

        $string1 = “RU_Ransom” wide ascii nocase  

        $string2 = “RURansom” wide ascii nocase  

        $string3 = “.fs_invade” wide ascii nocase  

        $string4 = “Russia” wide ascii nocase  

    condition:  

        uint16(0) == 0x5A4D and all of them  

} 

Indicators of Compromise (IOCs) 

Table 2: Indicator of Compromise