Bruhnet Ransomware Uses Xorist Code


Bruhnet ransomware is a new ransomware strain that was spotted in the wild in mid-September 2022. The new variant belongs to the family of Xorist ransomware clones.

Bruhnet behaves like all recent Xorist clones. It will encrypt files on the targeted system, leaving their contents scrambled and unreadable. The ransomware appends just the ".bruhnet" string to encrypted file names. This process will turn a file called "document.txt" into "document.txt.bruhnet".

The Bruhnet ransomware targets document, media, archive and database file types, leaving files essential to the operation of Windows untouched.

The ransom note is contained in a file named "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt", which is Russian for "how to decrypt files", implying a Russian-speaking threat actor. The full contents of the ransom note go as follows:

Attention! All your files are encrypted!

To restore your files and access them,

send an SMS with the text - to the User Telegram @rainfall666

You have 1 attempts to enter the code. If this

amount is exceeded, all data will irreversibly deteriorate. Be

careful when entering the code!

Glory @bruhnet

The Bruhnet ransomware will also change the system wallpaper to an image depicting a skull and containing large text that spells out the name of the ransomware.

September 16, 2022