Cyber Security News

A New AntiWar Ransomware That Sends out a Message to Stop the War Instead of Ransom

Ransomware attacks have been increasing rapidly. The two countries Ukraine and Russia have faced severe ransomware attacks in the past few weeks. Many were state-sponsored, but some were personal.

But this attack is something no one would have imagined. A ransomware strain is currently spreading, but with a different motto: instead of traditional ransomware, which only asks for money to decrypt, this one asks to “Stop the War”.

Unlike other ransomware, which leaves a .txt file containing the payout information and BTC wallet address, this ransomware leaves a .html file that reads “RUSSKIJ VOENNIJ KORABL IDI NAHUJ”, which translates as “RUSSIAN WARSHIP GO F**K”. This ransomware encrypts files and appends the extension “.putinwillburnunhell”.

Researchers at Cyble conducted an OSINT (Open Source Intelligence) analysis of the samples and found that this ransomware originated in Poland. They also found that this malware might be targeted at Russia.

Technical Details

The malware has the hash value “9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37”. It is an x64 binary written in C/C++ and is dated 2022-03-04 15:17:53. The malware’s working process has several stages, as described by Cyble:

  1. Changing Priority
  2. Identifying the services running
  3. Terminating active processes
  4. Checking for a Mutex
  5. Identifying mounted drives
  6. Encryption
  7. Exclusion of certain files and folders from encryption

1. Changing Priority

Once the malware is deployed, it first sets its process shutdown priority to zero by calling the SetProcessShutdownParameters() API. This ensures that the malware’s process is terminated only when the system shuts down, which extends its execution time on the victim machine.

2. Establishing a Connection to the Service Database

To identify the services running on the system, it uses the OpenSCManagerA() API, which connects the malware to the service control manager database. Once connected, it terminates services running on the system, including Memtas, SQL, VSS, mepocs, etc.

3. Terminating active processes

Along with services, it also looks for running processes such as oracle.exe, ocssd.exe, dbsnmap.exe, synctime.exe, etc., and terminates them.

Additionally, the malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin, ensuring that files deleted before encryption cannot be restored afterwards.
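The service and process termination described in steps 2 and 3 leaves a trace that a defender can alert on: a burst of stop events for exactly the services the report names. The following is an added detection example written for this article, not code from Cyble or from the article itself. It parses a constructed, simplified text rendering of Windows System log entries (Service Control Manager, Event ID 7036) and raises an alert when several watched services stop within one minute; the display-name aliases (for example treating “Volume Shadow Copy” as VSS) and the log line format are assumptions.

```python
"""
Added detection example (not from the article or Cyble): flag a burst of
service-stop events for the services this ransomware is reported to stop.
The input is a CONSTRUCTED text rendering of Windows System log entries
(Service Control Manager, Event ID 7036); a real deployment would read the
event log or a SIEM export instead.
"""
import re
from datetime import datetime, timedelta

# Services named in the report, with display-name aliases (assumed) so that
# e.g. "Volume Shadow Copy" is recognised as VSS.  Matching is a
# case-insensitive substring test on the service display name.
WATCHED_SERVICES = {
    "memtas": ("memtas",),
    "sql": ("sql",),
    "vss": ("vss", "volume shadow copy"),
    "mepocs": ("mepocs",),
}

# Constructed sample: "<ISO timestamp> | <event id> | <message>"
SAMPLE_LOG = """\
2022-03-04T15:20:01 | 7036 | The Windows Update service entered the running state.
2022-03-04T15:21:10 | 7036 | The Volume Shadow Copy service entered the stopped state.
2022-03-04T15:21:11 | 7036 | The SQL Server (MSSQLSERVER) service entered the stopped state.
2022-03-04T15:21:12 | 7036 | The mepocs service entered the stopped state.
2022-03-04T15:21:12 | 7036 | The memtas service entered the stopped state.
2022-03-04T16:05:00 | 7036 | The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) \| (\d+) \| (.*)$")
STOP_RE = re.compile(r"^The (.+?) service entered the stopped state\.$")


def parse_stop_events(log_text):
    """Return [(timestamp, watched_key)] for stop events of watched services."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "7036":
            continue  # not a Service Control Manager state-change event
        s = STOP_RE.match(m.group(3))
        if not s:
            continue  # a start/pause event, or an unrelated message
        name = s.group(1).lower()
        for key, aliases in WATCHED_SERVICES.items():
            if any(alias in name for alias in aliases):
                events.append((datetime.fromisoformat(m.group(1)), key))
                break
    return events


def detect_stop_bursts(log_text, window_seconds=60, min_distinct=3):
    """Alert when >= min_distinct watched services stop within window_seconds.

    A single service stopping (e.g. SQL during maintenance) is normal; the
    signal is several of the targeted services going down together.
    """
    events = sorted(parse_stop_events(log_text))
    alerts = []
    i = 0
    while i < len(events):
        start, _ = events[i]
        limit = start + timedelta(seconds=window_seconds)
        in_window = [key for ts, key in events[i:] if ts <= limit]
        distinct = sorted(set(in_window))
        if len(distinct) >= min_distinct:
            alerts.append({"start": start.isoformat(), "services": distinct})
            i += len(in_window)  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_stop_bursts(SAMPLE_LOG):
        print("ALERT: %d watched services stopped within a minute of %s: %s"
              % (len(alert["services"]), alert["start"],
                 ", ".join(alert["services"])))
```

The window and threshold are tuning knobs: a lone stop of SQL or VSS is routine, so the rule only fires when a cluster of the named services stops together, which is what the termination loop in steps 2 and 3 produces.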

4. Checking for Mutex

The code indicates that the malware tries to open a mutex named “Microsoft Corporation” on the affected machine. If it is not found, the malware creates the mutex and continues the infection.

5. Identifying mounted drives

After creating the mutex, the malware starts encrypting files by identifying the volumes present on the machine. It also enumerates the mounted drives in the system.

6. Encryption

The malware encrypts all files on the system volumes, excluding CD-ROM drives. Encrypted files receive the extension “.putinwillburnunhell”, and an HTML file is left on the Desktop.

7. Exclusion of certain files and folders from encryption

During encryption, this ransomware skips certain folders, files, and file extensions:

Folders: AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86)

Files: autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat

Extensions: putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx
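For incident response, the exclusion lists above (together with the encrypted-file extension from step 6) are enough to scope an affected volume: an analyst wants to know which files were encrypted, which were legitimately skipped, and which reachable files were left untouched, since the last group hints at a run that was interrupted or that missed a location. The following is an added triage helper written for this article, not code from Cyble or the article. It assumes the folder exclusions apply to any path component with that name (case-insensitive), treats any .html file under a Desktop folder as a candidate ransom note (the note’s filename is not reported), and includes both spellings of the ransomware extension that appear on the page so already-encrypted files count as skipped. The directory tree it scans is constructed inside a temporary directory for the demonstration.

```python
"""
Added IR scoping example (not from the article or Cyble): classify files on
a volume according to the exclusion rules reported for this ransomware.
The sample tree built by build_sample_tree() is CONSTRUCTED for the demo.
"""
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".putinwillburnunhell"      # extension reported in the article

EXCLUDED_FOLDERS = {
    "appdata", "boot", "windows", "windows.old", "tor browser",
    "internet explorer", "google", "opera", "opera software", "mozilla",
    "mozilla firefox", "programdata", "program files", "program files (x86)",
}
EXCLUDED_FILES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat",
}
EXCLUDED_EXTS = {
    ".hta", ".exe", ".dll", ".cpl", ".ini", ".cab", ".cur", ".drv", ".hlp",
    ".icl", ".icns", ".ico", ".idx", ".sys", ".spl", ".ocx",
    # The article lists the ransomware's own extension among the exclusions
    # (spelled "putinwillburninhell" there); both spellings are included so
    # already-encrypted files are treated as skipped.
    ".putinwillburninhell", ENCRYPTED_EXT,
}


def is_excluded(rel_path):
    """True if the reported rules would spare this file (path relative to the
    volume root, '/' or '\\' separated).  Folder matching on any path
    component is an assumption about the malware's behaviour."""
    parts = rel_path.replace("\\", "/").split("/")
    folders, name = parts[:-1], parts[-1]
    if any(folder.lower() in EXCLUDED_FOLDERS for folder in folders):
        return True
    if name.lower() in EXCLUDED_FILES:
        return True
    return os.path.splitext(name)[1].lower() in EXCLUDED_EXTS


def triage(root):
    """Walk root and bucket every file for the analyst:
    encrypted        - carries the ransomware extension
    notes            - .html under a Desktop folder (candidate ransom note; assumption)
    excluded         - untouched, and the reported rules explain why
    unexpected_plain - untouched although nothing in the rules spares it
    """
    result = {"encrypted": [], "notes": [], "excluded": [], "unexpected_plain": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            if fn.lower().endswith(ENCRYPTED_EXT):
                result["encrypted"].append(rel)
            elif fn.lower().endswith(".html") and "desktop" in rel.lower():
                result["notes"].append(rel)
            elif is_excluded(rel):
                result["excluded"].append(rel)
            else:
                result["unexpected_plain"].append(rel)
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree():
    """Create a CONSTRUCTED post-incident tree in a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="antiwar_triage_")
    sample = {
        "Users/alice/Documents/report.docx.putinwillburnunhell": b"\x00encrypted",
        "Users/alice/Documents/budget.xlsx": b"plain",     # reachable but untouched
        "Users/alice/Desktop/readme.html": b"<html>note</html>",
        "Users/alice/AppData/Local/cache.bin": b"x",      # excluded folder
        "Windows/System32/drivers/foo.sys": b"x",          # excluded folder and ext
        "Users/alice/Desktop/desktop.ini": b"x",           # excluded file name
        "Program Files/App/app.exe": b"x",                 # excluded folder and ext
    }
    for rel, data in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for bucket, paths in triage(root).items():
            print("%-16s %d" % (bucket, len(paths)))
            for p in paths:
                print("    " + p)
    finally:
        shutil.rmtree(root)
```

Point triage() at a mounted image or a copied volume rather than a live host, and read the unexpected_plain bucket first: files there were within the encryptor’s reach yet survived, which is where a partial run, a crash, or a location the sample never enumerated will show up.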

Conclusion

Organizations must strengthen their security measures and keep all security software up to date.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
