Cyber Security News

A New AntiWar Ransomware That Sends Out a Message to Stop the War Instead of Demanding a Ransom

Ransomware attacks have been increasing rapidly. Ukraine and Russia have both faced severe ransomware attacks in the past few weeks; many were state-sponsored, but some were the work of individuals.

This one, however, is unlike anything seen before. The ransomware currently spreading has a different motive: instead of demanding money to decrypt the files, as traditional ransomware does, it asks the victim to "Stop the War".

Unlike other ransomware, which drops a .txt note containing the payment instructions and a BTC wallet address, this ransomware drops a .html file that reads "RUSSKIJ VOENNIJ KORABL IDI NAHUJ", which translates as "RUSSIAN WARSHIP, GO F**K YOURSELF". It encrypts files and appends the extension ".putinwillburninhell".

Researchers at Cyble conducted an OSINT (Open Source Intelligence) analysis of the samples and found indications that the ransomware originated from Poland and that it may be aimed at Russia.

Technical Details

The analyzed sample has the SHA-256 hash "9f3c1668ee44bfcd1afd599215f5bd73c76609776b78cb04bb6ef1121cc80d37". It is a 64-bit (x64) executable written in C/C++ with a compilation timestamp of 2022-03-04 15:17:53. According to Cyble, the malware runs through the following stages:

  1. Changing Priority
  2. Identifying the services running
  3. Terminating active processes
  4. Checking for a Mutex
  5. Identifying mounted drives
  6. Encryption
  7. Exclusion of certain files and folders from encryption

1. Changing Priority

Once the malware is deployed, it first calls the SetProcessShutdownParameters() API with a shutdown level of zero. This does not change the scheduling priority of the process; it sets the order in which Windows terminates processes at shutdown. The system stops processes from the highest shutdown level to the lowest, so a level of zero places the ransomware among the last processes to be terminated, maximizing the time it has to run on the victim machine before a shutdown completes.

2. Establishing a Connection to the Service Database

To identify the services running on the system, the malware calls the OpenSCManagerA() API, which opens a handle to the service control manager database. Once connected, it stops the services on its list, which includes Memtas, SQL, VSS, mepocs and others. Stopping database, backup and Volume Shadow Copy (VSS) services releases files those services hold open so that they can be encrypted, and prevents new shadow copies from being created while the encryption runs.

3. Terminating active processes

Along with services, the malware also checks for running processes such as oracle.exe, ocssd.exe, dbsnmp.exe and synctime.exe, among others, and terminates them.

Additionally, the malware calls the SHEmptyRecycleBinA() API to empty the Recycle Bin, so that files the user deleted before the infection cannot be recovered from it after the encryption.
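As an added example for this article (not code from the sample or from Cyble's analysis), the following Python script turns the service and process kill list above into a detection: it flags any host on which several kill-list names stop within a short window, which is what stages 2 and 3 look like from the defender's side. The event records are constructed for the example, the name lists are the partial ones reproduced above, and matching a service target as a substring of the stopped service name (so "sql" matches MSSQLSERVER) is an assumption about how such lists are usually applied, not something the article states.

```python
"""Burst detection for the service and process termination stage.

Added example for this article; not code from the sample or from Cyble.
It flags a host on which several of the services or processes the
ransomware is reported to stop were terminated within a short window.
The name lists are the partial ones the article reproduces; the event
records at the bottom are constructed. Substring matching of service
names is an assumption, not something the article states.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

TARGET_SERVICES = {"memtas", "sql", "vss", "mepocs"}
TARGET_PROCESSES = {"oracle.exe", "ocssd.exe", "dbsnmp.exe", "synctime.exe"}


@dataclass(frozen=True)
class StopEvent:
    """One 'service entered the stopped state' or 'process terminated' record."""
    when: datetime
    host: str
    kind: str   # "service" or "process"
    name: str


def is_target(ev: StopEvent) -> bool:
    """True if the stopped object is on the ransomware's kill list."""
    n = ev.name.lower()
    if ev.kind == "service":
        return any(t in n for t in TARGET_SERVICES)   # substring match (assumption)
    return n in TARGET_PROCESSES


def detect_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return {host: time of the first event in the burst} for every host on
    which at least `threshold` distinct kill-list names stopped within `window`.

    A lone VSS restart during maintenance stays below the threshold; a
    pre-encryption sweep stops many of these names within seconds.
    """
    by_host: dict[str, list[StopEvent]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        if is_target(ev):
            by_host.setdefault(ev.host, []).append(ev)

    hits: dict[str, datetime] = {}
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):            # sliding window over time-ordered events
            while evs[end].when - evs[start].when > window:
                start += 1
            names = {e.name.lower() for e in evs[start:end + 1]}
            if len(names) >= threshold:
                hits[host] = evs[start].when
                break
    return hits


# Constructed records for a demonstration run (not real telemetry).
_T = datetime(2022, 3, 10, 15, 20, 0)
SAMPLE_EVENTS = [
    StopEvent(_T, "WS01", "service", "MSSQLSERVER"),
    StopEvent(_T + timedelta(seconds=1), "WS01", "service", "VSS"),
    StopEvent(_T + timedelta(seconds=1), "WS01", "process", "oracle.exe"),
    StopEvent(_T + timedelta(seconds=2), "WS01", "service", "Spooler"),     # not on the list
    StopEvent(_T - timedelta(hours=6), "WS02", "service", "VSS"),           # isolated stop
    StopEvent(_T + timedelta(hours=2), "WS02", "process", "oracle.exe"),    # hours apart
]

if __name__ == "__main__":
    for host, first in detect_bursts(SAMPLE_EVENTS).items():
        print(f"{host}: kill-list burst starting {first.isoformat()}")
```

Feed it the service-stop and process-termination records from your EDR or the System event log; the threshold and window are tuning knobs, and the name lists should be extended with the full kill list once it is known, since the article only reproduces part of it.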

4. Checking for Mutex

The code indicates that the malware tries to open a mutex named "Microsoft Corporation" on the affected machine. If the mutex does not exist, the malware creates it and continues the infection; the mutex prevents a second copy from running concurrently, and its fixed name also serves as a host indicator of the infection.

5. Identifying mounted drives

Once the mutex has been created, the malware enumerates the volumes present on the machine and the mounted drives to build the list of locations whose files it will encrypt.

6. Encryption

The malware encrypts all the files on the system volumes, excluding CD-ROM drives. Each encrypted file receives the extension ".putinwillburninhell", and the HTML note is left on the Desktop.

7. Exclusion of certain files and folders from encryption

During encryption, the ransomware skips the following folders, files and extensions:

Folders: AppData, Boot, Windows, Windows.old, Tor Browser, Internet Explorer, Google, Opera, Opera Software, Mozilla, Mozilla Firefox, ProgramData, Program Files, and Program Files (x86)

Files: autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, iconcache.db, ntldr, and ntuser.dat

Extensions: .putinwillburninhell, .hta, .exe, .dll, .cpl, .ini, .cab, .cur, .drv, .hlp, .icl, .icns, .ico, .idx, .sys, .spl, .ocx (the first entry is the malware's own extension, so files it has already encrypted are not processed a second time)
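As an added example (not code from the sample or from Cyble's analysis), the following Python model encodes the targeting rules from stages 5 to 7 so that a responder can estimate, from a file inventory, what the ransomware would have encrypted and what it would have left alone. It reproduces only what the article reports: CD-ROM volumes are skipped, the listed folders, files and extensions are skipped, and files already carrying the ransomware's own extension are skipped. Two details the article does not state are assumptions here: matching is case-insensitive, and an excluded folder name is honoured at any depth of the path, not only at the volume root. The file inventory at the bottom is constructed.

```python
"""Model of the Anti-War ransomware's target selection (stages 5 to 7).

Added example for this article; not code from the sample or from Cyble.
It encodes the exclusion lists the article reproduces. Case-insensitive
matching and honouring excluded folder names at any path depth are
assumptions; the article does not state either.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

RANSOM_EXT = ".putinwillburninhell"

EXCLUDED_FOLDERS = {f.lower() for f in (
    "AppData", "Boot", "Windows", "Windows.old", "Tor Browser",
    "Internet Explorer", "Google", "Opera", "Opera Software", "Mozilla",
    "Mozilla Firefox", "ProgramData", "Program Files", "Program Files (x86)",
)}
EXCLUDED_FILES = {
    "autorun.inf", "boot.ini", "bootfont.bin", "bootsect.bak", "bootmgr",
    "bootmgr.efi", "bootmgfw.efi", "desktop.ini", "iconcache.db", "ntldr",
    "ntuser.dat",
}
EXCLUDED_EXTS = {
    RANSOM_EXT, ".hta", ".exe", ".dll", ".cpl", ".ini", ".cab", ".cur",
    ".drv", ".hlp", ".icl", ".icns", ".ico", ".idx", ".sys", ".spl", ".ocx",
}

# Win32 GetDriveType() results; the malware skips DRIVE_CDROM volumes.
DRIVE_FIXED, DRIVE_CDROM = 3, 5


def exclusion_reason(path: str) -> str | None:
    """Return why `path` would be left alone, or None if it would be encrypted."""
    p = PureWindowsPath(path)
    for part in p.parts[1:-1]:          # directory components; volume root and file name excluded
        if part.lower() in EXCLUDED_FOLDERS:
            return f"folder:{part}"
    if p.name.lower() in EXCLUDED_FILES:
        return f"file:{p.name}"
    if p.suffix.lower() in EXCLUDED_EXTS:
        return f"extension:{p.suffix.lower()}"
    return None


def select_targets(volumes: dict[str, int], files: list[str]) -> list[str]:
    """Filter `files` down to those the malware would encrypt.

    `volumes` maps a volume root such as 'C:\\' to its GetDriveType() value;
    roots missing from the map are treated as fixed disks (assumption).
    """
    targets = []
    for f in files:
        root = PureWindowsPath(f).anchor
        if volumes.get(root, DRIVE_FIXED) == DRIVE_CDROM:
            continue
        if exclusion_reason(f) is None:
            targets.append(f)
    return targets


def encrypted_name(path: str) -> str:
    """Name a target file carries after encryption: the extension is appended."""
    return path + RANSOM_EXT


# Constructed inventory for a demonstration run.
SAMPLE_VOLUMES = {"C:\\": DRIVE_FIXED, "D:\\": DRIVE_CDROM}
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\AppData\Local\Temp\cache.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files (x86)\Tool\tool.cfg",
    r"C:\bootmgr",
    r"C:\Users\alice\Desktop\photo.jpg" + RANSOM_EXT,   # already encrypted
    r"C:\Users\alice\Pictures\photo.jpg",
    r"D:\setup\readme.txt",                             # on the CD-ROM volume
]

if __name__ == "__main__":
    for f in SAMPLE_FILES:
        reason = exclusion_reason(f)
        if SAMPLE_VOLUMES.get(PureWindowsPath(f).anchor) == DRIVE_CDROM:
            reason = "volume:CD-ROM"
        print(f"{'ENCRYPT' if reason is None else 'skip':8} {f}  {reason or ''}")
```

Note what the exclusions imply for a responder: browser profiles, AppData, ProgramData and Program Files survive, so application logs and browser artifacts remain available for forensics, while user documents on every non-CD-ROM volume do not.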

Conclusion

Organizations should strengthen their security measures and keep all software and security tooling up to date. Because this ransomware stops backup-related services such as VSS and empties the Recycle Bin before encrypting, offline or immutable backups remain the only reliable recovery path.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
