Ransomware - RU_Ransom

RU_Ransom
Aliases
RURansom
Decryptor Available
No
Description

RU_Ransom is one of the few wipers/ransomware that targeted Russia instead of Ukraine. The ransom note of this ransomware provides a lot of context. First, it is written in Russian, but the author admits that they translated it from "Bangla" to Russian. Also, the author indicates that there is no intention of receiving a ransom and that this is only meant for data destruction using AES-256-CBC. This was a retaliatory wiper used against Russian entities, which is evident because it only runs against Russian IP addresses. As such, we've labeled this both a crypto-ransomware and a wiper, because it performs traditional ransomware operations but is intended as a wiper. Also, we've put the country of origin as Bangladesh, but whether the author is being honest is another story.

We were able to discover five samples in the wild, all of which we analyzed, and we determined that they were all almost entirely identical. So there is a single ransom note and ransom note file name, because the same one was used in all five samples. A sixth sample showed slightly different behavior and used the name dnWipe.exe. Although this variant was not finished, its behavior differed enough to warrant a separate variant - dnWipe.

Ransomware Type
Crypto-Ransomware
Wiper
Country of Origin
Bangladesh
First Seen
Last Seen
Extortion Types
Pseudo-Extortion
Encryption
Type
Symmetric
Files
AES-256-CBC
File Extension
<file name>.fs_invade
Ransom Note Name
Полномасштабное_кибервторжение.txt
Ransom Note Image
Samples (SHA-256)