Ransomware attacks have been increasing rapidly. Ukraine and Russia have both faced severe ransomware attacks in the past few weeks. Many were state-sponsored, but some were personal.
This attack, however, is one that nobody would have imagined. Ransomware is spreading as usual, but this strain has a different motive: instead of the traditional demand for money in exchange for decryption, it asks the victim to “Stop the War”.
Unlike other ransomware, which leaves a .txt file containing the payout instructions and a BTC wallet address, this ransomware leaves a .html file that reads “RUSSKIJ VOENNIJ KORABL IDI NAHUJ”, which translates as “RUSSIAN WARSHIP GO F**K [YOURSELF]”. It encrypts files and appends the extension “.putinwillburninhell”.
Researchers at Cyble conducted an OSINT (Open Source Intelligence) analysis of the samples and found that this ransomware originated in Poland. They also found that the malware might be targeted at Russia.
The sample has the SHA-256 hash “9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37”. It is an x64 binary written in C/C++ and dated 2022-03-04 15:17:53. According to Cyble, the malware works in several stages.
1. Setting the shutdown priority
Once the malware is deployed, it first sets its shutdown priority to zero by calling the SetProcessShutdownParameters() API. This ensures that the malware process is terminated only when the system shuts down, which extends the time it has to run on the victim machine.
2. Establishing a Connection to the Service Database
In order to identify the services running on the system, it uses the OpenSCManagerA() API, which establishes a connection between the malware and the service control manager database. Once connected, it terminates services running on the system, including Memtas, SQL, VSS, mepocs, etc.
3. Terminating active processes
Along with services, it also checks for processes running on the system, such as oracle.exe, ocssd.exe, dbsnmap.exe, synctime.exe, etc., and terminates them.
Additionally, the malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin, ensuring that files deleted before the encryption cannot be restored afterwards.
4. Checking for Mutex
5. Identifying mounted drives
Once it creates the mutex, the malware starts to encrypt files by identifying the volumes present on the machine. It also enumerates the mounted drives on the system.
6. Encrypting files
The malware encrypts all the files on the system volumes but excludes CD-ROM drives. Each encrypted file is given the extension “.putinwillburninhell”, and an HTML file is left on the Desktop.
7. Exclusion of certain files and folders from encryption
During the encryption, this ransomware leaves certain folders, files, and certain extensions without encrypting them.
Folders: AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86)
Files: autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat
Extensions: .putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx
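As an added example (not code from the article or from Cyble's report), the Python helper below applies the exclusion rules listed above to a set of file paths so an incident responder can estimate which files on a host were in scope for encryption, which were skipped by the malware's own rules, and which were already renamed. It assumes that folder names are matched against every component of a path, which the article does not specify, and the sample paths are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Exclusion lists as reported by Cyble for this sample (taken from the article).
EXCLUDED_DIRS = {d.lower() for d in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser", "Internet Explorer",
    "Google", "Opera", "Opera Software", "Mozilla", "Mozilla Firefox", "ProgramData",
    "Program Files", "Program Files (x86)")}
EXCLUDED_FILES = {"autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
                  "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
                  "ntuser.dat"}
EXCLUDED_EXTS = {".putinwillburninhell", ".hta", ".exe", ".dll", ".cpl", ".ini", ".cab",
                 ".cur", ".drv", ".hlp", ".icl", ".icns", ".ico", ".idx", ".sys", ".spl",
                 ".ocx"}
ENCRYPTED_EXT = ".putinwillburninhell"


def classify(path: str) -> str:
    """Return 'encrypted', 'skipped' or 'exposed' for one Windows file path.

    Assumption (not stated in the article): an excluded folder name matches
    at any depth, not only at the top level of the drive.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"          # already renamed by the ransomware
    if any(part.lower() in EXCLUDED_DIRS for part in p.parts[:-1]):
        return "skipped"            # inside an excluded folder
    if name in EXCLUDED_FILES or p.suffix.lower() in EXCLUDED_EXTS:
        return "skipped"            # excluded by file name or extension
    return "exposed"                # would have been encrypted


def triage(paths) -> dict:
    """Count how many of the given paths fall into each category."""
    counts = {"encrypted": 0, "skipped": 0, "exposed": 0}
    for path in paths:
        counts[classify(path)] += 1
    return counts


# Constructed sample listing, standing in for the output of a file-system walk.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\report.docx.putinwillburninhell",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\bob\AppData\Roaming\settings.json",
    r"C:\Users\bob\ntuser.dat",
    r"C:\Users\bob\Pictures\cat.jpg",
    r"D:\backup\bootmgr",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

On a live host, feed the paths produced by `os.walk()` over each non-CD-ROM volume into `triage()`; files reported as "exposed" but not renamed indicate the run was interrupted or incomplete.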
Organizations must strengthen their security measures and keep all software and security controls up to date.