New RURansom Wiper Targets Russia
Other versions also attempt to start the process with elevated privileges. These different versions and modifications might indicate that the malware was still undergoing development at the time of writing.
Other activities from the same author
Aside from RURansom, the developer appears to have been working on another “wiper” dubbed as “dnWipe.” Its payload is executed every Tuesday.
We analyzed dnWipe and found that it simply encodes content in base64 for the following file extensions: .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, .txt, .flv, .mp3, .ppt, .pptx, .xls, and .xlsx. Therefore, just as RURansom is not really a ransomware variant, dnWipe also cannot be classified as an example of a wiper malware because its encoding can be decoded easily.
Other binaries that we can attribute with high confidence to the same developer indicate their other interests. For one, they have also compiled a downloader for an XMRig binary, showing an inclination for cryptocurrency mining.
Conclusion
No one can be indifferent to the conflict between Ukraine and Russia. People all over the world are actively taking sides, and malware developers are no exception.
As this blog entry shows, the exchange of attacks in cyberspace is reflective of this conflict: Leaks have exposed Russian-based cybercriminal groups behind Conti and TrickBot, while a destructive wiper has attacked organizations in Ukraine. Now, the RURansom wiper is seeking out Russian targets.
We see RURansom as just one attempt among a growing list of attacks that aim to support a position espoused strongly by an individual or a group. While we have not yet found any victims of this malware, seeing the evolution in its code leads us believe that its developer will keep updating their malware in an effort to deal some form of damage on Russia.
In general, the tense geopolitical situation has added an edge to cyberattacks. Ultimately, keeping defenses up, staying vigilant against misinformation, and monitoring the situation is essential in order to navigate this uncertain state of affairs.
For more guidance on managing today’s cyber risks, please see our earlier blog post here.