New Ransomware families added to the Attack Arsenal

Three new variants of ransomware families were identified by the researchers from Fortinet’s FortiGuard Labs. The names are called out to be Vohuk, ScareCrow, and AESRT, targeting Windows systems and appearing to be proliferating relatively rapidly on systems belonging to users in multiple countries.

Fortinet’s analysis did not identify the modus of Operandi of the new ransomware samples distributing their malware, but it noted that phishing email has typically been the most common vector for ransomware infections.

Advertisements

The Vohuk ransomware variant that was analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. The malware drops a ransom note, “README.txt,” on compromised systems that asks victims to contact the attacker via email with a unique ID. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably, to reassure victims they would get their data back if they paid the demanded ransom.

The ScareCrow is another typical ransomware that encrypts files on victim’s machines, its ransom note, also entitled ‘readme.txt,’ contains three Telegram channels that victims can use to speak with the attacker. Though the ransom note does not contain any specific financial demands, it’s safe to assume that victims will need to pay a ransom to recover files that were encrypted.

Researchers found some overlap between ScareCrow and the Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems. ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.