RuRansom Wiper Destroys Data on Russian Systems

VMware specialists have issued a warning about the activity of the RuRansom wiper, which is attacking Russian systems and deliberately destroying their data, including backups. Unlike typical ransomware that demands payment from victims, the creator of RuRansom does not ask for money and is solely focused on causing damage to Russia.

Back in early March, Trend Micro analysts reported on RuRansom, cautioning users and companies about the dangers of this new wiper. According to the company, the malware first appeared on February 26 and was built as purely destructive software whose purpose is to erase victims’ backups and data.

VMware experts, who have now conducted their own analysis, report that the wiper is written in .NET and spreads like a worm by copying itself as a file with a double extension (.doc.exe) to all removable drives and connected network shares.

How RuRansom Works

Once launched on a victim’s machine, the malware immediately calls its IsRussia() function, which looks up the system’s public IP address through the well-known service at https://api.ipify.org. RuRansom then passes this IP address to a geolocation service to determine the machine’s country, using a URL of the form https://ip-api.com/<public ip>.

If the victim is not located in Russia, the malware displays the message: “This program can only be run by Russian users” and stops execution.

If execution continues, the malware elevates itself to administrator privileges with cmd.exe /c powershell start-process <executing assembly path> -verb runas and begins encrypting data. Encryption is applied to files of every extension except .bak, which are deleted outright. Files are encrypted with AES-CBC using a hardcoded salt and a randomly generated key whose length equals that of base64(“FullScaleCyberInvasion + ” + MachineName).
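As an added defender-side example (not code from the VMware or Trend Micro analyses), the Python below turns the behaviours described above, the self-elevation command line, the double-extension dropper name and the two-step ipify/ip-api lookup, into detection checks run over constructed sample events. The Sysmon-style field names and the document extensions beyond .doc are assumptions.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon process-creation
# fields. Event 0 models the RuRansom behaviour the article describes; 1 and 2 are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell start-process "E:\invoice.doc.exe" -verb runas',
     "ParentImage": r"E:\invoice.doc.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir E:\temp",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Self-elevation pattern quoted in the article:
#   cmd.exe /c powershell start-process <executing assembly path> -verb runas
ELEVATION_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+powershell(?:\.exe)?\s+start-process\s+\S+.*-verb\s+runas",
    re.IGNORECASE,
)
# The article reports a .doc.exe double extension; the other document-looking prefixes
# are an assumed generalisation, not something the article states.
DOUBLE_EXT_RE = re.compile(r"\.(?:doc|docx|xls|xlsx|pdf|txt)\.exe$", re.IGNORECASE)

# Hosts used by the IsRussia() check: public-IP lookup, then geolocation.
GEO_HOSTS = {"api.ipify.org", "ip-api.com"}


def flag_event(event):
    """Return indicator names matching one process-creation event (empty if benign)."""
    hits = []
    if ELEVATION_RE.search(event.get("CommandLine", "")):
        hits.append("powershell_runas_self_elevation")
    if DOUBLE_EXT_RE.search(event.get("ParentImage", "")):
        hits.append("double_extension_parent")
    return hits


def scan_events(events):
    """Map event index -> indicator list for every event with at least one hit."""
    return {i: hits for i, e in enumerate(events) if (hits := flag_event(e))}


def flag_geo_lookups(dns_by_process):
    """Given {process_image: hostnames queried}, return the processes that resolved
    both lookup hosts, i.e. the IsRussia() sequence rather than a single lookup."""
    return sorted(p for p, hosts in dns_by_process.items() if GEO_HOSTS <= set(hosts))
```

A single hit is weak on its own; the self-elevation command line combined with a double-extension parent on a removable drive is the pairing worth alerting on.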

No Ransom, Only Destruction

The note left by the malware’s author, both in the code and in the dropped file “FullScaleCyberInvasion.txt”, states that no ransom is demanded and that the goal is to harm Russia in retaliation for the “special military operation” in Ukraine.

“There is no way to decrypt your files. No payment, only damage,” the developer declares in a message translated via Google Translate.
