(Photo by Vlad Karkov/SOPA Images/LightRocket via Getty Images)
Security researchers have discovered a ransomware attack that tries to drive recruitment to the Russian mercenary group Wagner, which briefly rebelled against the Kremlin this past weekend.
The ransomware is designed to target Windows PCs and will drop a note that implies victims should consider joining the paramilitary group, according to security firm Cyble.
“Job opening. Service in the PMCS Wagner. For cooperation,” the note says, later adding: “Brothers, stop tolerating authority! Let's go to war against Shoigu!”—a reference to the military general under Russian President Vladimir Putin.
The note is written in Russian, suggesting the ransomware was made to hit computers in the country. Cyble also noticed the attack after a sample of the ransomware was uploaded to VirusTotal from a user in Russia. The same note includes a real phone number for Wagner’s recruitment offices in Moscow alongside the words, “if you want to go against the officials!”
The ransomware appeared this past weekend right as Wagner’s leader, Yevgeny Prigozhin, ordered his troops to march to Moscow in an effort to remove Shoigu from Russia’s Ministry of Defense. Hours later, Prigozhin called off the armed revolt while accepting a deal that’ll effectively exile him to Belarus.
It's not clear who created the ransomware strain. Wagner hasn’t claimed responsibility for the malicious code. It also appears the attack was created using the Chaos ransomware building tool, which first emerged in underground forums.
Interestingly, though, while the attack will encrypt various files on a Windows PC, the dropped ransom note makes no demand for the victim to pay up. So it looks like the attack can permanently ruin files on an infected PC.
Cyble concluded: “The individual behind the ransomware strain could be politically motivated and supports Wagner Group.” However, Allan Liska, a security researcher at Recorded Future, suspects the actual intent may be different.
“Installing a ransomware/wiper on someone's machine is a poor way to recruit them,” Liska said in a tweet. “On the other hand, if you are a hacktivist group, say one that has used ransomware based on the Chaos builder in the past, that wants to get people mad at a certain group, this is a good way to do it.”
How the Wagner ransomware spreads also remains unclear. But currently, most antivirus programs will detect the attack as malicious, according to VirusTotal.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
