RU_Ransom is one of the few wipers/ransomware that targeted Russia instead of Ukraine. The ransom note of this ransomware provides a lot of context. First, it is written in Russian, but the author admins that they translated it from "Bangla" to Russian. Also, the author indicates that there is no intention of receiving a ransom and that this is only meant for data destruction using AES-256-CBC. This was a retaliatory wiper used against Russian entities. This is evident because it only runs against Russian IP addresses. As such, we've labeled this a crypto-ransomware and wiper because it performs traditional ransomware operations but is intended as a wiper. Also, we've put the country of origin as Bangladesh, but whether the author is being honest is another story.
We were able to discover five samples in the wild, all of which we analyzed, and we determined that they were all almost entirely identical. So, there is one ransom note and ransom note file name because the same one was used in all five samples. There was a sixth sample that contained slightly different behavior and used the name dnWipe.exe. Although, this variant wasn't completed and contained enough different behavior to warrant a separate variant - dnWipe.
