New Ransomware Variant Recruits Users for Russian Wagner Group
Researchers at Cyble Research and Intelligence Labs (CRIL) recently identified a new ransomware, a variant of Chaos ransomware, dubbed “Wagner.”
During analysis, the security analysts found that the ransom note does not ask for money but instead encourages users to join PMC Wagner.
The ransom note urges war on Shoigu, the notable Russian politician and military officer currently serving as Russia’s Minister of Defence since 2012.
The opening sentence of the ransom note states:
“Official Wagner PMCs Employment Virus”
The ransom note matches the bio section of the WAGNER GROUP Telegram channel. Wagner Group, also called PMC Wagner, is a Russian paramilitary force: a private military company made up of mercenaries, regarded as a de facto private army associated with Yevgeny Prigozhin, a former ally of Russian President Vladimir Putin.
Wagner group hasn’t officially claimed responsibility for this ransomware, leaving the culprits of this variant unidentified.
Because the ransom note is written in Russian, the researchers assess that the operators of this ransomware mainly target victims located in Russia.
Wagner ransomware is a 32-bit Windows binary that, on execution, initialises several flag variables that control its behaviour.
It first enumerates running processes via the GetProcesses() method to prevent multiple instances, terminating itself if it finds a duplicate process already running.
The binary then evaluates the “checkSleep” flag. If the flag is set, it checks whether it is running from the %APPDATA% folder; if it is not, it sleeps for the interval configured by the threat actor.
The binary attempts persistence and privilege escalation according to flag variables set by the threat actor, with “checkAdminPrivilage” deciding whether the attempt is made.
For persistence, it copies itself as “svchost.exe” into the startup folder, terminates the current instance, and repeatedly tries to launch the copied file with elevated privileges using the runas command.
When “checkAdminPrivilage” is false, the ransomware examines “checkCopyRoaming” to determine whether to solely include its binary in the startup folder for persistence.
Next, the ransomware utilizes DriveInfo.GetDrives() to fetch drive types, encrypting all directories on the drives while exempting specific ones on the “C” drive.
The directories targeted on the C drive, as listed by the researchers:
For files larger than roughly 200 MB, Wagner ransomware instead generates a separate block of random bytes, between 200 MB and 300 MB in size. As in the previous case, these bytes are written Base64-encoded into the file, leaving it entirely unusable.
The ransomware generates a unique AES key to encrypt each file. After encrypting the file, it encrypts the AES key with the RSA algorithm.
The RSA-encrypted key, Base64 encoded and enclosed in “<EncryptedKey>” tags, is stored inside the file. Wagner ransomware also spreads via removable media: it enumerates logical drives with DriveInfo.GetDrives() and copies itself as “surprise.exe” to every drive except the “C” drive.
After encryption, the ransomware appends the “.Wagner” extension to the renamed files and drops the ransom note “Wagner.txt” in each directory alongside them.
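As an added defender-side example (not code from Cyble's report or from the malware), the script below walks a directory tree for files carrying the .Wagner extension and checks whether each one follows the key layout described above. It assumes the on-disk layout is the “<EncryptedKey>” block (Base64 of the RSA-wrapped AES key) followed by the Base64 body, which the report describes but does not show byte for byte; the sample file, key bytes and note text are constructed placeholders.

```python
"""Triage helper for the Wagner (Chaos-variant) file layout described above.  Assumed layout:
'<EncryptedKey>' + Base64(RSA-wrapped AES key) + '</EncryptedKey>' + Base64(body).  Samples are constructed."""
import base64
import os
import re
import tempfile
from dataclasses import dataclass
KEY_RE = re.compile(rb"^<EncryptedKey>(?P<key>[A-Za-z0-9+/=\r\n]+)</EncryptedKey>(?P<body>.*)$", re.S)
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
NOTE_NAME = "Wagner.txt"  # ransom note left in each directory, per the report
@dataclass
class Finding:
    path: str
    wrapped_key_len: int  # decoded size of the RSA-wrapped AES key (256 == RSA-2048)
    body_is_b64: bool     # true for AES ciphertext and for the junk written to >200MB files
    note_present: bool    # Wagner.txt found beside the file
def inspect(path: str, data: bytes, note_present: bool = False):
    # Returns a Finding when data matches the assumed layout, otherwise None.
    m = KEY_RE.match(data)
    if not m:
        return None
    key_b64 = m.group("key").replace(b"\r", b"").replace(b"\n", b"")
    try:
        wrapped = base64.b64decode(key_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    body = m.group("body").replace(b"\r", b"").replace(b"\n", b"")
    return Finding(path, len(wrapped), bool(B64_RE.match(body)), note_present)
def scan(root: str):
    # Walks root and reports every .Wagner file that carries the key block.
    findings = []
    for dirpath, _, files in os.walk(root):
        has_note = NOTE_NAME in files
        for name in files:
            if name.lower().endswith(".wagner"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    f = inspect(fh.name, fh.read(), has_note)
                if f:
                    findings.append(f)
    return findings
SAMPLE = (b"<EncryptedKey>" + base64.b64encode(b"\x00" * 256) + b"</EncryptedKey>"   # constructed:
          + base64.b64encode(b"constructed ciphertext placeholder"))                  # zeros stand in for a wrapped key
def demo():
    # Drops the constructed sample and a note into a temp dir, then scans it.
    d = tempfile.mkdtemp()
    for name, content in (("report.docx.Wagner", SAMPLE), (NOTE_NAME, b"constructed note\n")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return scan(d)
```

Run scan() against a mounted image or share to get a quick count of affected files per directory; a Finding with body_is_b64 true and a 256-byte wrapped key is consistent with the per-file AES-then-RSA scheme described, while a missing key block means the file was not written by this variant.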
The recommendations offered by the cybersecurity researchers at Cyble: