New Ransomware Variant Recruit users for Russian Wagner Group

New Ransomware Variant Recruit users for Russian Wagner Group. Recently, the cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) identified a new ransomware which is a variant of Chaos ransomware dubbed “Wagner.”

While analyzing, security analysts discovered that the ransom note from this ransomware doesn’t ask for money but encourages users to join PMC Wagner.

The ransom note urges war on Shoigu, the notable Russian politician and military officer currently serving as Russia’s Minister of Defence since 2012.

Content of the Ransom Note

The opening sentence of the ransom note states:-

“Official Wagner PMCs Employment Virus”

content
Wagner Ransom Note (Source- Cyble)

The ransom note matches WAGNER GROUP Telegram channel’s bio section details. Wagner Group, also called PMC Wagner, is a Russian paramilitary force.

wagner
Telegram Channel of Wagner Group (Source- Cyble)

A private military company consisting of mercenaries, deemed as a de facto private army associated with Yevgeny Prigozhin, a former ally of Russian President Vladimir Putin.

Wagner group hasn’t officially claimed responsibility for this ransomware, leaving the culprits of this variant unidentified.

Cybersecurity experts assumed that the operators of this ransomware mainly target the victims located in Russia since the ransom note is written in Russian.

notepad
A ransom note was written in Russian (Source – Cyble)

Ransomware Variant that Recruits

Wagner ransomware, a 32-bit binary designed for Windows, activates various variables upon execution to control its operations.

analysis
File details (Source – Cyble)

The ransomware checks running processes to prevent multiple instances and terminates itself if it finds a duplicate process, achieved through the GetProcesses() method.

code
Running a Single Instance (Source – Cyble)

The ransomware binary evaluates the “checkSleep” flag. If true, it confirms execution from the %APPDATA% folder; otherwise, it enters a sleep mode as directed by the Threat Actor.

The ransomware binary strives for Persistence and Privilege Escalation using designated flag variables of the threat actors, with “checkAdminPrivilage” determining the attempt.

For persistence, it duplicates as “svchost.exe” in the startup folder, terminates the current instance, and recursively attempts to run the copied file with elevated privileges using the run as a command.

When “checkAdminPrivilage” is false, the ransomware examines “checkCopyRoaming” to determine whether to solely include its binary in the startup folder for persistence.

code - 1
Persistence & Privilege Escalation (Source – Cyble)

Next, the ransomware utilizes DriveInfo.GetDrives() to fetch drive types, encrypting all directories on the drives while exempting specific ones on the “C” drive.

Directories Targeted in C Drive

Here below we have mentioned all the directories targeted in C drive:-

  • Links
  • Contacts
  • Downloads
  • OneDrive
  • Saved Games
  • Favorites
  • Searches
  • Videos
  • C:\Users\Username\AppData\Roaming
  • C:\Users\Public\Documents
  • C:\Users\Public\Pictures
  • C:\Users\Public\Music
  • C:\Users\Public\Videos
  • C:\Users\Public\Desktop

For files over about 200MB, Wagner ransomware generates a distinct set of random bytes, ranging from 200MB to 300 MB. Similar to the previous case, these bytes are stored in Base-64 format within the file, rendering them entirely unusable.

The ransomware uses the AES algorithm to create a unique key for file encryption. After encrypting the file, the ransomware employs the RSA algorithm to encrypt the AES key. 

The encrypted key, enclosed by “<EncryptedKey>” tags, and the Base64 encoded RSA key is saved within the file. Wagner ransomware propagates via removable media, collecting information on logical drives through DriveInfo.GetDrives(). 

While it duplicates itself as “surprise.exe” on all drives, except for the “C” drive. Post-encryption, the ransomware adds the “.Wagner” extension to renamed files. The encrypted files and the ransom note “Wagner.txt” are left in each directory.

Here below we have mentioned all the recommendations offered by the cybersecurity researchers at Cyble:-

  • Make sure to avoid downloading pirated software.
  • Prior to downloading files, ensure the source’s credibility and authenticity.
  • Secure data backups across multiple locations and establish Business Continuity Planning (BCP).
  • Regularly conduct audits, vulnerability assessments, and penetration tests on organizational assets.
  • Make sure to use VPN for a secure connection.
  • Make sure to regularly train company employees to enhance security awareness and keep them informed about emerging threats.
  • Make sure to use a robust security solution to analyze ransomware-malware behavior, block malicious payloads, and counter severe cyber attacks.
  • Before conducting any cryptocurrency transaction, carefully verify wallet addresses to prevent errors during the copy-paste process.
  • Securely store and encrypt wallet seeds on any device for enhanced protection.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.