RURansom Wiper targets Russian assets, apparently in direct retaliation for the Russian invasion of Ukraine. The malware is written in .NET and uses AES-CBC with a hard-coded salt. The keys are unique for each encrypted file and are not stored anywhere, making the encryption irreversible and marking the malware as a wiper rather than a ransomware variant. The ransom note is political in nature as well; it is reproduced below.
On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage. And yes, this is "peacekeeping" like Vladi Papa does, killing innocent civilians. And yes, it was translated from Bangla into Russian using Google Translate... (This is a direct translation.)
RURansom Sample 1 Signatures
Family: Backdoor:Win32/Bladabindi!ml
MD5: 6cb4e946c2271d28a4dee167f274bb80
SHA256: 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9
RURansom Sample 2 Signatures
Family:
MD5: 191e51cd0ca14edb8f06c32dcba242f0
SHA256: 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008