In a strange twist of events, Wagner Group has claimed to attack Russia in a new ransomware campaign. Using what has been dubbed a new strain of ransomware, the Wagner Group has attacked Russia in what appears to be an attempt to recruit more people to the Russian mercenary group.
According to researchers, this variant of Chaos ransomware dropped a ransom note that urged the victims to join PMC Wagner, the Russian mercenary group currently at loggerheads with the country’s administration.
However, threat researcher Brett Callow suspects whether this “Wagner ransomware” has actually been deployed in Russia or anywhere else.Â
Wagner Group, officially known as PMC Wagner, is a Russian state-sponsored group of mercenaries operating beyond Russia’s laws.Â
Wagner Group attacks Russia: Insights provided by Cyble
During their investigation, researchers at Cyble discovered that the Wagner Group, a notorious paramilitary organization, has not claimed responsibility for the recent ransomware attacks in Russia.
This has led to speculation about the actual perpetrators and their motives for targeting Russian computers.
Cyble’s Research and Intelligence Labs (CRIL) stated in a blog post that the ransomware used in the attacks is a variant of Chaos ransomware.
“This ransomware is a variant of Chaos ransomware. During our analysis, we found that the ransom note dropped by this ransomware, instead of demanding money, urges users to join the PMC Wagner,” said the blog post.
“The ransom note includes a call to wage war against Shoigu. Sergei Kuzhugetovich Shoigu is a prominent Russian politician and military officer, serving as the Minister of Defence of Russia since 2012.”
The content of the ransom note aligns with the information found in the bio section of the WAGNER GROUP Telegram channel, as shown below.
Furthermore, the ransomware sample analyzed by CRIL was submitted to VirusTotal from Russia, and the ransom note itself was written in Russian. These findings indicate that the primary targets of this ransomware campaign are Russian netizens.
CRIL has reported on this malware strain, which is based on a variant of Chaos ransomware. Their comprehensive report highlights the Wagner Group’s attack on Russia as a means to promote PMC Wagner.
Additionally, Cyble has uncovered that the ransom note includes a phone number for Wagner’s recruitment offices in Moscow, accompanied by the statement, “If you want to go against the officials!”
However, Brett Callow, Threat Intelligence Analyst at Emisoft, suspected that it’s a bogus campaign.
“AFAIK, there is no evidence that #Wagner #ransomware has actually been deployed in Russia or, for that matter, anywhere else. All we have is a sample that somebody – perhaps the same person who created it – uploaded to VT, possibly just for lulz,” he tweeted.
Wagner Group Attacks Russia: Unveiling the Malware Involved
The alleged attacks carried out by the Wagner Group in Russia through a new ransomware campaign have raised significant concerns regarding their implications and consequences.
Not only do these attacks compromise the security and integrity of computer systems in Russia, but they also serve as a disturbing recruitment tool for the controversial paramilitary organization.
The threat actor behind the attacks employs a new strain of ransomware that not only encrypts victims’ files but also coerces them into joining the Wagner Group, following the paramilitary group’s recent rebellion against the Kremlin.
According to research by PC Risk, the Wagner malware encrypts files and demands a ransom, appending a “.WAGNER” extension to each locked file. The ransom note emphasizes the Wagner Group’s rebellion against the Russian government.
Upon execution, the ransomware initiates various variables to control its behavior. One crucial task involves checking for existing instances of the ransomware by comparing the list of currently running processes and their names. If a match is found, the ransomware terminates to avoid simultaneous execution of multiple instances.
Next, the ransomware verifies the “checkSleep” variable. If set to true, the ransomware confirms whether it runs from a specific folder (%APPDATA%). If not, it enters a sleep mode for a specified period, determined by the attacker.
Subsequently, the ransomware attempts to achieve persistence and escalate privileges based on specific flag variables defined by the attacker. If the “checkAdminPrivilage” flag is true, the ransomware seeks persistence and elevated privileges by creating a copy of itself named “svchost.exe” in the system’s startup folder.
It then terminates the current instance and recursively executes the copied file with elevated privileges.
In cases where the value of “checkAdminPrivilage” is false, the ransomware checks the status of the “checkCopyRoaming” variable. If true, the ransomware solely adds its binary to the startup folder for persistence.
Furthermore, the ransomware incorporates an additional persistence mechanism depending on the value of the “checkStartupFolder” variable. When set to true, the ransomware creates a shortcut file in the startup folder, pointing to its location. As a result, the ransomware is automatically executed upon system startup
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
