Russia under Attack from New RURansom Wiper

Threat Level – Amber | Vulnerability Report

A series of wiper malware attacks has been launched in the continuing cyber war between Russia and Ukraine. Researchers have discovered the RURansom wiper, which adds to the current collection of harmful malware.

The RURansom malware traces the IP location of the victim machine and executes only if it detects an IP address belonging to Russia. If the malware does not have Admin privileges, it tries to execute itself in elevated mode using a PowerShell command. It then scans the system's drives, as well as removable and network drives, and encrypts the victim's system using AES-CBC encryption. The malware renames itself as Россия-Украина_Война-Обновление.doc.exe (Russia-Ukraine_War-Update.doc.exe) and spreads as a worm to all connected systems. Files encrypted by the RURansom wiper cannot be recovered.
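The file name and the document-plus-executable double extension described above can be used to sweep file listings collected from removable and network drives. This is an added example, not code from the advisory; the extension sets, host names and sample paths are assumptions constructed for illustration.

```python
import unicodedata
from pathlib import PureWindowsPath

# File name the advisory reports for the malware's copies.
IOC_NAME = "Россия-Украина_Война-Обновление.doc.exe"

# Assumption: lure and executable extensions chosen for this example;
# neither set comes from the advisory.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
EXE_EXTS = {".exe", ".scr", ".com", ".pif"}

# Constructed sample listing (hypothetical hosts and paths).
SAMPLE_PATHS = [
    "E:\\" + IOC_NAME,
    "\\\\fs01\\public\\" + unicodedata.normalize("NFD", IOC_NAME).upper(),
    "C:\\Users\\a\\Downloads\\invoice.pdf.exe",
    "C:\\Program Files\\App\\setup.exe",
    "D:\\docs\\report.v2.docx",
]


def _norm(name: str) -> str:
    """Casefold, then NFC, then drop the trailing dots/spaces Windows ignores."""
    return unicodedata.normalize("NFC", name.casefold()).rstrip(" .")


def classify(path: str) -> str:
    """Return 'ioc-name', 'double-extension' or 'clean' for one Windows path."""
    name = _norm(PureWindowsPath(path).name)
    if name == _norm(IOC_NAME):
        return "ioc-name"
    suffixes = PureWindowsPath(name).suffixes
    if len(suffixes) >= 2 and suffixes[-1] in EXE_EXTS and suffixes[-2] in DOC_EXTS:
        return "double-extension"
    return "clean"


def hunt(paths):
    """Return (verdict, path) for every path that is not clean."""
    return [(v, p) for p in paths if (v := classify(p)) != "clean"]


if __name__ == "__main__":
    for verdict, path in hunt(SAMPLE_PATHS):
        print(f"{verdict:17} {path}")
```

The normalization step matters because the "й" in the file name may be stored decomposed or in a different case depending on the file system or the tool that produced the listing.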

Organizations can mitigate the risk by following these recommendations:

• Use multi-factor authentication.
• Keep all operating systems and software up to date.
• Remove unnecessary access to administrative shares.
• Maintain offline backups of data and ensure all backup data is encrypted and immutable.
• Enable protected files in the Windows Operating System for critical files.

The MITRE TTPs commonly used by RURansom are:

T1204: User Execution

T1518: Security Software Discovery

T1087: Account Discovery

T1083: File and Directory Discovery

T1485: Data Destruction

T1486: Data Encrypted for Impact

T1565: Data Manipulation

Indicators of Compromise (IoCs)

