Security researchers have discovered a ransomware attack that tries to drive recruitment to the Russian mercenary group Wagner, which briefly rebelled against the Kremlin this past weekend.
The ransomware is designed to target Windows PCs and will drop a note that implies victims should consider joining the paramilitary group, according(Opens in a new window) to security firm Cyble.
“Job opening. Service in the PMCS Wagner. For cooperation,” the note says, later adding: “Brothers, stop tolerating authority! Let’s go to war against Shoigu!”—a reference to the military general under Russian President Vladimir Putin.
(Credit: Cyble)
The note is written in Russian, suggesting the ransomware was made to hit computers in the country. Cyble also noticed the attack after a sample of the ransomware was uploaded to VirusTotal(Opens in a new window) from a user in Russia. The same note includes a real phone number for Wagner’s recruitment offices in Moscow alongside the words, “if you want to go against the officials!”
The ransomware appeared this past weekend right as Wagner’s leader, Yevgeny Prigozhin, ordered his troops to march to Moscow in an effort to remove Shoigu from Russia’s Ministry of Defense. Hours later, Prigozhin called off the armed revolt while accepting a deal that’ll effectively exile him to Belarus.
It’s not clear who created the ransomware strain. Wagner hasn’t claimed responsibility for the malicious code. It also appears the attack was created using the Chaos(Opens in a new window) ransomware building tool, which first emerged in underground forums.
Interestingly, though, while the attack will encrypt various files on a Windows PC, the dropped ransom note makes no demand for the victim to pay up. So it looks like the attack can permanently ruin files on an infected PC.
Recommended by Our Editors
(Credit: Any.Run)
Cyble concluded: “The individual behind the ransomware strain could be politically motivated and supports Wagner Group.” However, Allan Liska, a security researcher at Recorded Future, suspects the actual intent may be different.
“Installing a ransomware/wiper on someone’s machine is a poor way to recruit them,” Liska said in a tweet(Opens in a new window). “On the other hand, if you are a hacktivist group, say one that has used ransomware based on the Chaos builder in the past, that wants to get people mad at a certain group, this is a good way to do it.”
How the Wagner ransomware spreads also remains unclear. But currently, most antivirus programs will detect the attack as malicious, according(Opens in a new window) to VirusTotal.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Hits: 0
