New Wagner Ransomware Offers to Join a PMC instead of a Ransom

A new ransomware called Wagner infects users’ devices and invites them to join the Russian private military company (PMC) Wagner, the same one that recently attempted an armed insurgency in Russia.

Cyble researchers believe that the newly discovered program is aimed specifically at Russians. Instead of asking for money to decrypt files, the ransomware demands that its victims join the ranks of the PMC.

“Official virus for employment in PMC Wagner” reads the Russian-language text of the ransom note placed on victims’ devices.

The same note also contains some illegal calls to action.

The Cyble researchers said in their report that “the Wagner group has not officially declared its involvement in this ransomware.” Therefore, the individuals responsible for this particular strain could be anyone.

The Wagner malware instance analyzed by experts appears to be a variant of the Chaos ransomware, which in turn evolved from another infamous ransomware called Ryuk.

When launched, the program initializes various variables that control its execution and scans the list of running processes for a process with the same name, to prevent multiple instances of the ransomware from running at the same time.

The process then elevates its privileges and adds itself to Windows startup. After that, encryption begins. It affects only user folders on the system drive: desktop, downloads, images, music, video, documents, OneDrive, Roaming in AppData, etc.

In total, Wagner detects and encrypts about 230 user file extensions. After encryption, all files receive the “.Wagner” extension.

The malware does not encrypt data on other drives installed on the computer, but it does copy the file “surprise.exe”, a copy of the main program, to them, including removable media.
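A triage check built on the two file-level indicators described above (the “.Wagner” extension and the “surprise.exe” copy left on other drives). This is an added example, not code from the Cyble report or from the article's author; the function names, the verdict labels, the constructed sample tree and the assumption that the extension is appended to the original file name are ours.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".wagner"   # article: encrypted files receive ".Wagner"
DROPPED_COPY = "surprise.exe"  # article: copy of the malware left on other drives


def triage_volume(root):
    """Walk one volume (or mounted image) and classify it by the article's indicators."""
    encrypted, dropped, inner_exts = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # Assumption: the suffix is appended to the original name,
                # so the inner extension hints at what to restore from backup.
                stem = lower[: -len(ENCRYPTED_SUFFIX)]
                inner_exts[os.path.splitext(stem)[1] or "(none)"] += 1
            elif lower == DROPPED_COPY:
                dropped.append(path)
    if encrypted:
        verdict = "encrypted"   # restore from backup after cleanup
    elif dropped:
        verdict = "seeded"      # data intact, but do not run the dropped file
    else:
        verdict = "clean"
    return {"verdict": verdict, "encrypted": encrypted,
            "dropped": dropped, "inner_exts": dict(inner_exts)}


def build_sample_tree(base):
    """Constructed sample: one 'system' volume and one 'removable' volume (empty files)."""
    layout = ["system/Users/a/Documents/report.docx.Wagner",
              "system/Users/a/Pictures/cat.JPG.wagner",
              "system/Users/a/Desktop/notes.txt",
              "removable/surprise.exe",
              "removable/photos/trip.png"]
    for rel in layout:
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for vol in ("system", "removable"):
            print(vol, triage_volume(os.path.join(tmp, vol)))
```

A file name match alone is a lead, not proof; confirm any hit against the indicators published in the original report before acting on it.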

Given that the real Wagner PMC has not confirmed its involvement in the malware, and there are no payment details for paying the ransom, victims will not be able to restore their files in any way, even if they really want to. On this basis, the ransomware can rightly be classified as a wiper.

Let me also remind you that the media reported that Microsoft discovered the WhisperGate wiper attacking Ukrainian users.

Experts recommend regularly backing up important data and storing it on other devices or in secure clouds. So, even if the malware encrypts your data, such an attack will not be able to affect you in any way.


About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.
