Hackers advertise PMC Wagner with ransomware

files locked
“We’re going to war against Shoigu!” – Hackers advertise PMC Wagner with ransomware


A new kind of ransomware demands not money from its victims but a job application: after the software has encrypted all files, it calls for support of the paramilitary organization Wagner.

Security experts from “Cyble” and “PC risk” recently drew attention to a new type of ransomware. It is said to be called “Wagner” and to be a modification of the well-known “Chaos” ransomware, which has been causing trouble for around two years. “Wagner” has one crucial difference, however: instead of the usual demand for a certain amount of money, the developers behind Wagner urge their victims to join Yevgeny Prigozhin’s paramilitary organization.

The way the software works is familiar. Once on the computer, it encrypts all files on the primary drive. When it is finished, the suffix “.Wagner” has been appended to the names of all affected files. In each folder containing encrypted objects, the ransomware then creates a text file that can be opened with standard tools.
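The two file-system traces described above (the appended “.Wagner” suffix and a text file in every affected folder) are enough for a quick triage scan. The following Python sketch is an added example, not code from Cyble, PC risk or the original article; the case-insensitive suffix match, the note file name `note.txt` and the sample folder names are assumptions, since the article does not name the note file.

```python
import os
import tempfile
from pathlib import Path

SUFFIX = ".wagner"  # suffix reported in the article; case-insensitive match is an assumption

def triage(root):
    """Map each folder (relative to root) holding suffixed files to its findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(SUFFIX))
        if encrypted:
            # The note's name is not given in the article, so every .txt file
            # in an affected folder is listed as a candidate for review.
            notes = sorted(f for f in files if f.lower().endswith(".txt"))
            rel = os.path.relpath(dirpath, root)
            findings[rel] = {"encrypted": encrypted, "candidate_notes": notes}
    return findings

def original_name(name):
    """Strip the appended suffix to recover the pre-encryption file name."""
    return name[: -len(SUFFIX)] if name.lower().endswith(SUFFIX) else name

def dirs_without_note(findings):
    """Affected folders with no text file: possibly an interrupted run."""
    return sorted(d for d, f in findings.items() if not f["candidate_notes"])

def build_sample_tree(base):
    """Constructed sample data: empty placeholder files, no real malware output."""
    layout = {
        "docs": ["report.docx.Wagner", "budget.xlsx.Wagner", "note.txt"],
        "photos": ["img001.jpg.Wagner"],     # suffixed file but no note
        "clean": ["todo.txt", "script.py"],  # untouched folder
    }
    for folder, names in layout.items():
        d = Path(base, folder)
        d.mkdir(parents=True)
        for n in names:
            (d / n).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for folder, info in sorted(result.items()):
            print(folder, info)
        print("affected folders without a note:", dirs_without_note(result))
```

Run against a real mount point instead of the sample tree, `triage()` gives the list of affected folders and the original file names needed to scope a restore from backup.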

Blackmail virus targets Russian citizens

This is where it gets a bit unusual, because the message it contains is in Russian and is apparently aimed primarily at Russian citizens. This is noteworthy because Russians, or people whose system language is set to Russian, are specifically exempted from many ransomware attacks. Many hacker groups that originate from there spare their own countrymen from their extortion attempts. Here it is obviously different.



The translated message of the software reads as follows: “Official Wagner PMCs recruitment virus. Vacancies. Service in the PMCs Wagner. For cooperation: The channel is not intended for hate speech, persuasion, solicitation or any other involvement of people in the commission of illegal acts. Brothers, stop tolerating power! We are going to war against Shoigu. Greetings from Prigozhin!”

Also included are two Russian phone numbers that have been used in the past to recruit new Wagner members. There is also a link to a PMC Telegram group.

Origin unknown, maybe a joke

“Cyble” emphasizes that the paramilitary organization has not yet claimed responsibility for the ransomware and that it is therefore not known who is behind it. However, Russia could be identified as the location from which the ransomware was uploaded to the Google service “Virustotal”.

Overall, the software makes a strange impression, because if someone actually gets infected with it, the accompanying text file does not contain any information on whom to contact in order to decrypt the affected files again. Normally, however, that is the whole basis of ransomware, since otherwise the encryption would not make any sense.

Security expert Brett Callow was critical of this “Wagner virus” on Twitter. He wrote: “As far as I can see there is no evidence that the Wagner ransomware was actually deployed in Russia or anywhere else. All we have is an example that someone – maybe the same person who created it – uploaded to Virustotal. Possibly just for fun.”
