Trend Micro
Other versions also attempt to start the process with elevated privileges. These different versions and modifications might indicate that the malware was still undergoing development at the time of writing.
Other activities from the same author
Aside from RURansom, the developer appears to have been working on another “wiper” dubbed “dnWipe.” Its payload is executed every Tuesday.
We analyzed dnWipe and found that it simply Base64-encodes the content of files with the following extensions: .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, .txt, .flv, .mp3, .ppt, .pptx, .xls, and .xlsx. Therefore, just as RURansom is not really a ransomware variant, dnWipe cannot be classified as wiper malware, because its encoding can be decoded easily.
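To show how easily that encoding is reversed, here is a recovery sketch added for this write-up (not code from the original article or from the malware). It assumes each affected file keeps its extension and has had its whole content replaced with standard Base64 of the original bytes; the names `try_decode` and `recover_tree` are hypothetical.

```python
import base64
import binascii
from pathlib import Path

# Extensions the article lists as targeted by dnWipe.
TARGET_EXTS = {".doc", ".docx", ".png", ".gif", ".jpeg", ".jpg", ".mp4",
               ".txt", ".flv", ".mp3", ".ppt", ".pptx", ".xls", ".xlsx"}

# Leading bytes expected after decoding, used as a sanity check where the
# format has a fixed signature at offset 0 (.txt, .mp3 and .mp4 do not).
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".flv": (b"FLV",),
    ".docx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".ppt": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
}

def try_decode(path: Path):
    """Return the decoded bytes if the file looks Base64-encoded, else None."""
    ext = path.suffix.lower()
    if ext not in TARGET_EXTS:
        return None
    raw = b"".join(path.read_bytes().split())  # tolerate line-wrapped Base64
    if not raw:
        return None
    try:
        decoded = base64.b64decode(raw, validate=True)  # rejects non-alphabet bytes
    except (binascii.Error, ValueError):
        return None  # not Base64: the file was never encoded, or is damaged
    magics = MAGIC.get(ext)
    if magics and not decoded.startswith(magics):
        return None  # decodes, but not to the expected file type
    return decoded

def recover_tree(root: Path, out_dir: Path) -> list:
    """Write decoded copies under out_dir; originals are left untouched."""
    restored = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = try_decode(path)
        if data is None:
            continue
        target = out_dir / path.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        restored.append(target)
    return restored
```

Formats without a fixed leading signature (.txt, .mp3, .mp4) are accepted on strict Base64 validation alone, so review those outputs before replacing anything.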
Other binaries that we can attribute with high confidence to the same developer indicate their other interests. For one, they have also compiled a downloader for an XMRig binary, showing an inclination for cryptocurrency mining.
No one can be indifferent to the conflict between Ukraine and Russia. People all over the world are actively taking sides, and malware developers are no exception.
As this blog entry shows, the exchange of attacks in cyberspace is reflective of this conflict: Leaks have