RURansom Wiper is targeting Russian assets, in what appears to be direct retaliation for the Russian invasion of Ukraine. The malware is written in .NET and uses AES-CBC with a hard-coded salt. The keys are unique for each encrypted file and are not stored anywhere, making the encryption irreversible and marking the malware as a wiper rather than a ransomware variant. The ransom note is political in nature as well; it is reproduced below.
On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage. And yes, this is "peacekeeping" like Vladi Papa does, killing innocent civilians. And yes, it was translated from Bangla into Russian using Google Translate... (This is a direct translation.)
RURansom Sample 1 Signatures
RURansom Sample 1 Download
RURansom Sample 2 Signatures
RURansom Sample 2 Download