Ransomware attacks have been increasing rapidly. Ukraine and Russia in particular have faced severe ransomware attacks in the past few weeks. Many were state-sponsored, but some were personal.
This attack, however, is one no one would have imagined. It is a ransomware family spreading recently with a different motive: instead of traditional ransomware, which only demands money for decryption, this one demands that Russia “Stop the War”.
Unlike other ransomware, which leaves a .txt file containing payout instructions and a BTC wallet address, this ransomware drops a .html file that reads “RUSSKIJ VOENNIJ KORABL IDI NAHUJ”, which translates as “RUSSIAN WARSHIP GO F**K”. It encrypts files and appends the extension “.putinwillburnunhell”.
Researchers at Cyble conducted an OSINT (Open Source Intelligence) analysis of the samples, which indicated that this ransomware originated from Poland. They also found that the malware is likely targeted at Russia.
The sample has the hash value “9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37”. It is a 64-bit (x64) binary written in C/C++ with a timestamp of 2022-03-04 15:17:53. According to Cyble, the malware works in the following stages:
- Changing Priority
- Identifying the services running
- Terminating active processes
- Checking for a Mutex
- Identifying mounted drives
- Exclusion of certain files and folders from encryption
1. Changing Priority
Once the malware is deployed, it first sets its own shutdown priority level to zero by calling the SetProcessShutdownParameters() API. This ensures that the malware process is among the last to be terminated when the system shuts down, which extends the time it has to execute on the victim machine.
2. Establishing a Connection to the Service Database
In order to identify the services running on the system, it uses the OpenSCManagerA() API, which establishes a connection between the malware and the service control manager database. Once connected, it terminates services running on the system, including Memtas, SQL, VSS, mepocs, etc.
3. Terminating active processes
Along with services, it also checks for running processes such as oracle.exe, ocssd.exe, dbsnmap.exe, synctime.exe, etc., and terminates them.
Additionally, the malware calls the SHEmptyRecycleBinA() API for emptying the Recycle Bin to ensure files that were deleted before the encryption are not restored after encryption.
4. Checking for Mutex
The code indicates that the malware tries to open a mutex named “Microsoft Corporation” on the affected machine. If it is not found, the malware creates a new mutex with that name and continues the infection; if it is found, another instance is already running.
5. Identifying mounted drives
Once the mutex is created, the malware identifies the volumes present on the machine and also enumerates mounted drives before it starts encrypting files.
The malware encrypts all files on the system volumes, excluding CD-ROM drives. Encrypted files receive the extension “.putinwillburnunhell”, and an HTML ransom note is left on the Desktop.
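The stages above (shutdown priority, service stops, process kills, Recycle Bin emptying, the “Microsoft Corporation” mutex, drive enumeration) are behaviours a sandbox or EDR API trace can surface. The following is an added detection example written for this page, not Cyble's code or any tool from the report: it scans a constructed API trace (the `pid api(args)` line format is an assumption, as is GetLogicalDrives as the drive-enumeration call, which the analysis does not name) and counts how many of the described stages each process exhibits, flagging a process only when several co-occur, since each indicator alone is common in legitimate software.

```python
"""Stage-based behavioural detection for the ransomware described above.

Added example (not Cyble's code). Input is a constructed API trace in an
assumed format: one call per line, "<pid> <api>(<args>)[ -> result]".
"""
import re
from collections import defaultdict

# Indicators taken from the write-up.
TARGET_SERVICES = {"memtas", "sql", "vss", "mepocs"}
TARGET_PROCESSES = {"oracle.exe", "ocssd.exe", "dbsnmap.exe", "synctime.exe"}
MUTEX_NAME = "Microsoft Corporation"
MUTEX_APIS = {"OpenMutexA", "OpenMutexW", "CreateMutexA", "CreateMutexW"}
# Assumed: the write-up does not name the volume/drive enumeration API.
DRIVE_ENUM_APIS = {"GetLogicalDrives", "FindFirstVolumeW", "GetLogicalDriveStringsW"}

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)(?P<rest>.*)$")

# Constructed sample trace (not a real capture). PID 4120 walks through the
# described stages; PID 5230 is a benign service tool that only opens the SCM
# and creates its own mutex.
SAMPLE_TRACE = """\
4120 SetProcessShutdownParameters(dwLevel=0, dwFlags=0)
4120 OpenSCManagerA(lpMachineName=NULL, lpDatabaseName=NULL, dwDesiredAccess=0xF003F)
4120 ControlService(service=vss, control=SERVICE_CONTROL_STOP)
4120 ControlService(service=sql, control=SERVICE_CONTROL_STOP)
4120 TerminateProcess(image=oracle.exe)
4120 TerminateProcess(image=synctime.exe)
4120 SHEmptyRecycleBinA(dwFlags=0x7)
4120 OpenMutexA(lpName="Microsoft Corporation") -> ERROR_FILE_NOT_FOUND
4120 CreateMutexA(lpName="Microsoft Corporation")
4120 GetLogicalDrives()
5230 OpenSCManagerA(lpMachineName=NULL, lpDatabaseName=NULL, dwDesiredAccess=0x1)
5230 CreateMutexA(lpName="Local\\MyAppInstance")
"""


def parse_trace(trace):
    """Yield (pid, api, args) for every well-formed line; skip the rest."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("pid"), m.group("api"), m.group("args")


def classify(api, args):
    """Map one API call to the stage it evidences, or None if it is not an indicator."""
    if api == "SetProcessShutdownParameters" and re.search(r"dwLevel=0\b", args):
        return "1:shutdown_level_zero"
    if api == "ControlService" and "SERVICE_CONTROL_STOP" in args:
        m = re.search(r"service=([\w.]+)", args)
        if m and m.group(1).lower() in TARGET_SERVICES:
            return "2:target_service_stopped"
    if api == "TerminateProcess":
        m = re.search(r"image=([\w.]+)", args)
        if m and m.group(1).lower() in TARGET_PROCESSES:
            return "3:target_process_killed"
    if api == "SHEmptyRecycleBinA":
        return "3:recycle_bin_emptied"
    if api in MUTEX_APIS and MUTEX_NAME in args:
        return "4:mutex_microsoft_corporation"
    if api in DRIVE_ENUM_APIS:
        return "5:drive_enumeration"
    return None


def stages_per_pid(trace):
    """Return {pid: sorted list of distinct stages observed} for processes with at least one hit."""
    hits = defaultdict(set)
    for pid, api, args in parse_trace(trace):
        stage = classify(api, args)
        if stage:
            hits[pid].add(stage)
    return {pid: sorted(stages) for pid, stages in hits.items()}


def suspicious_pids(trace, min_stages=3):
    """PIDs exhibiting at least `min_stages` distinct stages of the described chain."""
    return sorted(pid for pid, stages in stages_per_pid(trace).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for pid, stages in stages_per_pid(SAMPLE_TRACE).items():
        print(pid, stages)
    print("suspicious:", suspicious_pids(SAMPLE_TRACE))
```

The threshold matters: stopping VSS or enumerating drives is routine for backup software, and a mutex named after Microsoft is not by itself malicious, so the rule fires on the chain rather than on any single call. PID 4120 in the sample hits six stage indicators; the benign PID 5230 hits none.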
6. Exclusion of certain files and folders from encryption
During encryption, this ransomware leaves certain folders, files, and file extensions untouched:
Folders: AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86)
Files : autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat
Extensions : putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx
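For a responder, these exclusion lists explain which untouched files are expected (skipped by the malware's own rules) and which untouched files suggest the encryption run was interrupted. The following added triage script, written for this page and not part of Cyble's report, walks a directory tree and sorts files into encrypted (by either extension spelling that appears on this page), ransom note (an .html file containing the note text), skipped-by-rule (matching the folder, file or extension lists above), and unencrypted candidates. The sample tree it builds is constructed, and the note file name `ransom_note.html` is an assumption.

```python
"""File-system triage against the exclusion lists quoted above.

Added example (not Cyble's code). Builds a constructed sample tree under a
temporary directory and classifies every file in it.
"""
import os
import tempfile
from pathlib import Path

# Both extension spellings that appear in the write-up.
ENCRYPTED_EXTS = {".putinwillburninhell", ".putinwillburnunhell"}
NOTE_MARKER = "RUSSKIJ VOENNIJ KORABL IDI NAHUJ"

# Exclusion lists as given in the write-up (compared case-insensitively).
EXCLUDED_FOLDERS = {f.lower() for f in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser", "Internet Explorer",
    "Google", "Opera", "Opera Software", "Mozilla", "Mozilla Firefox", "ProgramData",
    "Program Files", "Program Files (x86)")}
EXCLUDED_FILES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr", "bootmgr.efi",
    "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr", "ntuser.dat"}
EXCLUDED_EXTS = {
    ".hta", ".exe", ".dll", ".cpl", ".ini", ".cab", ".cur", ".drv", ".hlp", ".icl",
    ".icns", ".ico", ".idx", ".sys", ".spl", ".ocx"}


def in_excluded_folder(path: Path, root: Path) -> bool:
    """True if any directory component between root and the file is on the folder list."""
    return any(part.lower() in EXCLUDED_FOLDERS for part in path.relative_to(root).parts[:-1])


def is_ransom_note(path: Path) -> bool:
    if path.suffix.lower() != ".html":
        return False
    return NOTE_MARKER in path.read_text(encoding="utf-8", errors="ignore")


def triage(root) -> dict:
    """Classify every file under root; paths in the report are root-relative with '/' separators."""
    root = Path(root)
    report = {"encrypted": [], "notes": [], "skipped_by_rule": [], "unencrypted_candidates": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in ENCRYPTED_EXTS:
            report["encrypted"].append(rel)
        elif is_ransom_note(path):
            report["notes"].append(rel)
        elif (in_excluded_folder(path, root)
              or path.name.lower() in EXCLUDED_FILES
              or path.suffix.lower() in EXCLUDED_EXTS):
            report["skipped_by_rule"].append(rel)
        else:
            report["unencrypted_candidates"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree() -> str:
    """Create a constructed post-infection tree and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    files = {
        "Users/alice/Desktop/report.docx.putinwillburninhell": "ciphertext",
        "Users/alice/Desktop/ransom_note.html": f"<html>{NOTE_MARKER}</html>",  # assumed note name
        "Users/alice/Documents/photo.jpg.putinwillburnunhell": "ciphertext",
        "Users/alice/Documents/budget.xlsx": "plaintext, run did not reach this file",
        "Users/alice/AppData/Local/settings.json": "skipped: AppData folder",
        "Users/alice/desktop.ini": "skipped: file name on list",
        "Windows/System32/kernel32.dll": "skipped: Windows folder and .dll",
        "Program Files/tool/tool.exe": "skipped: Program Files and .exe",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, paths in triage(sample_root).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```

The `unencrypted_candidates` bucket is the useful one during response: files there are neither encrypted nor covered by an exclusion rule, so either the run was stopped before reaching them or they were added afterwards. Files in `skipped_by_rule` being intact is expected and says nothing about whether the malware completed.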
Organizations must strengthen their security measures and keep all software and security tooling up to date.