Initially suspected to be a strain of ransomware, the RURansom malware appears to be a wiper targeting Russia over Moscow's war against Ukraine.
Researchers at Trend Micro claim that the novel RURansom malware is not what it seems. First thought to be a new strain of ransomware, as the name implies, the authors of the bug seem to have motives beyond financial gain.
According to security researchers, no active targets have been seen so far. However, that can be due to the wiper targeting specific entities in Russia.
The authors of the malware do not hide their reasons for spreading the malware. The RURansom code variable responsible for the ransom note contains a message.
"On February 24, President Vladimir Putin declared war on Ukraine. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage," reads the note in Russian.
Trend Micro claims that the malware was written in the .NET programming language. The worm spreads by copying itself under a Russian-language file name that translates to "Russia-Ukraine war update."
The file copies itself to all removable disks and mapped network shares, trying to reach maximum impact.
Once deployment is complete, the malware encrypts the files. No file is spared: .bak files are not encrypted, but the malware deletes them instead.
The encryption routine assigns a random encryption key to each file. Since the keys are not stored anywhere, there is no way to decrypt the files, which makes the malware a wiper rather than ransomware.
According to researchers, some versions of the malware first check if the user's IP address is in Russia.
"In cases where the software is launched outside of Russia, these versions will stop execution, showing a conscious effort to target only Russian-based computers," the report's authors claim.
The wiper contains driver files that eventually damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable.
According to CrowdStrike, the attackers misused legitimate EaseUS Partition Master drivers to gain raw disk access and manipulate the disk to make the system inoperable.
The wiper was dubbed HermeticWiper since the malware's certificate was issued to Hermetica Digital Ltd., a legitimate Cyprus-based company. Other researchers named the novel malware 'DriveSlayer.'
CISA released an advisory on the malware that targeted organizations in Ukraine, with recommendations and strategies to prepare for and respond to the threat.
Security researchers fleeing Ukraine later said that the wiper malware was used to disrupt refugees escaping the war in Ukraine, forcing officials to fall back to using pen and paper.
On the night of February 24, Russian forces invaded Ukraine. In light of the attack, the hacker community started rallying to help Ukrainians.
Numerous hacker groups and researchers, with Anonymous the most prominent among them, are taking part in various campaigns to help Ukraine.
Cyber activists targeted Russian state-controlled media outlets TASS, Kommersant, Izvestia, Fontanka, and RBC, pushing them offline.
An unknown group has set up a website tool that allows people to participate in distributed denial of service (DDoS) attacks against Russian websites that it claims are spreading disinformation.
Others created an 'anti-war hotline' that allows Russian speakers and expats from around the world to call Russian citizens and inform them of the atrocities being committed in their name by Vladimir Putin in Ukraine.
Additionally, cybersecurity firms are urging ordinary civilians to join the cyberwar by means of an app that allows them to attack Russian websites spreading disinformation.
Numerous IT-related services got blocked or left the Russian market after the invasion.
According to the United Nations, over 2 million people have fled Ukraine to neighboring countries, while thousands of civilians have perished amidst the fighting.