RU Ransom appears to be targeting Russian assets in retribution for Russia’s invasion of Ukraine. This malware is developed in .Net and uses AES-CBC with hard-coded salt. It replicates itself on all portable devices, spreading like a worm and mapped network shares under the file name “Россия-Украина_Война-Обновление.doc. exe” which is translated as”Russia-Ukraine_War-Update.doc.exe. in English. After propagating effectively, the malware begins encrypting data. If the designated disc letter is “C:\,”, the files in the folder “C:\Users\” are encrypted. For other detachable and mapped network devices, all files that recursively branch from the root directory are encrypted. The keys are unique for each encrypted file and are not saved, making the encryption irreversible and distinguishing the malware from ransomware variants.