A new kind of ransomware does not want money from the victims, but an application – after the software has encrypted all files, it asks for support of the paramilitary organization Wagner.
security experts from “Cyble” and “PC risk” recently drew attention to a new kind of ransomware. This should “wagner” hot and a modification of the well-known “chaos”- ransomware that has been up to mischief for about two years. “wagner” However, there is one crucial difference: instead of asking for a certain amount of money, as is usual, the developers behind Wagner ask their victims to join Yevgeny Prigozhin’s paramilitary organization.
June 23, 9:37 p.m. The head of the Wagner mercenary group, Yevgeny Prigozhin, is launching an attack on Russia’s capital, Moscow. “We are 25,000″said Yevgeny Prigozhin in a voice message and called “everyone who wants to join us”to “to put an end to the chaos”. The word “Coup” avoided Prigozhin and instead spoke of one “March for Justice”.
The procedure of the software is known. Once on the computer, it encrypts all files on the primary drive. All affected files with the suffix “.Wagner” added. In each folder containing encrypted objects, the ransomware then creates a text file that can be opened with standard tools.
Blackmail virus targets Russian citizens
This is where it gets a bit unusual, because the message it contains is in Russian and is apparently aimed primarily at Russian citizens. This is noteworthy as Russians – or people whose system language is set to Russian – are particularly exempt from many ransomware attacks. Many hacker groups that originate from there spare their own countrymen with their blackmail attempts. Here it is obviously different.
The translated message from the software is as follows: “Official Wagner PMCs recruitment virus. Vacancies. Service in the PMCs Wagner. For Cooperation: The Channel is not intended for inciting, persuading, soliciting or otherwise engaging any person in the commission of any illegal activity. Brethren, stop tolerating power! We’re going to war against Shoigu. Greetings from Prigozhin!”
Also included are two Russian phone numbers that have been used in the past when recruiting new Wagner members. There is also a link to a PMC telegram group.
Origin unknown, maybe a joke
“Cyble” stresses that the paramilitary organization has not yet claimed responsibility for the ransomware and therefore does not know who it came from. However, Russia was identified as the source, from where the ransomware spread to the Google service “virus total” has been uploaded.
Overall, the software makes a strange impression – because if someone actually gets infected with it, the attached file does not contain any information on who to contact in order to be able to decrypt the affected files again. Normally, however, this is the basis of the ransomware, since otherwise the encryption would not make any sense.
Security expert Brett Callow was critical of this on Twitter “Wagner virus”. He wrote: “As far as I can see there is no evidence that the Wagner ransomware was actually used in Russia or anywhere else. All we have is an example that someone – maybe the same person who created it – uploaded to ‘Virustotal’. Maybe just for fun.”
