In February, Russian small and medium-sized businesses (SMBs) faced a new threat – the PE32 ransomware. The new ransomware family's name mirrors PE32, the official format designation of Portable Executable files.
What is known about PE32?
- Goal: extortion of funds for data decryption.
- Victims: Russian small and medium-sized businesses.
- Ransom amount: from 500 to 150,000 US dollars in bitcoins.
- Initial attack vector: compromised remote access services.
- Encryption technology: three rounds of encryption using post-quantum cryptography.
- Contact with extortionists: via email and Telegram.
- Feature: attackers do not steal the victim's data.
PE32 is one of the first ransomware programs to use the post-quantum cryptography standard. It is written in Rust and uses advanced encryption methods, making it one of the most complex threats to businesses. Analysis identified the first uploaded versions of this ransomware, 4.0.1 and 4.1.1, which appeared on VirusTotal as early as January 4, 2025.
Growth of attacks by Eastern groups
Since 2022, Russia has experienced a sharp increase in ransomware attacks. They are mainly carried out by pro-Ukrainian cyber gangs and groups with Middle Eastern roots. Some of these groups were initially associated with Persian speakers, which gave rise to the term "Persian ransomware."
Persian extortionists attack organizations worldwide. Among the most active Eastern partner programs in Russia are Mimic, Proton/Shinra, Proxima, Enmity/Mammon, LokiLocker/BlackBit, RCRU64, HardBit, Sauron, TeslaRVNG and others.
During 2024, Eastern cybercriminal groups significantly developed their technologies:
- They expanded their attacks to Linux systems, having previously focused only on Windows.
- In August 2024, a new version of Enmity appeared – the Mammon program, which uses two-pass encryption.
- In February 2025, PE32 was first recorded – the first Persian ransomware in Rust.
The use of Rust has become a new trend among malware developers. It allows them to create cross-platform ransomware that can attack not only Windows but also Linux servers. However, PE32 is not the first Rust ransomware used in Russia. Muliaka, which was used to attack ESXi servers, was discovered a year ago.