Researchers at Fortinet's FortiGuard Labs have identified three new ransomware families: Vohuk, ScareCrow, and AESRT. All three target Windows systems and appear to be spreading relatively rapidly, with infections observed on systems belonging to users in multiple countries.
Fortinet's analysis did not identify how the new samples are being distributed, but it noted that phishing email has typically been the most common infection vector for ransomware.
The Vohuk sample that was analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. The malware drops a ransom note, "README.txt," on compromised systems that asks victims to contact the attacker via email and to quote a unique ID. The note states that the attacker is not politically motivated and is only interested in financial gain, presumably to reassure victims that they will get their data back if they pay the demanded ransom.
ScareCrow is another typical ransomware that encrypts files on victims' machines. Its ransom note, also titled "readme.txt," lists three Telegram channels that victims can use to contact the attacker. Although the note does not state a specific financial demand, victims will presumably need to pay a ransom to recover their encrypted files.
Researchers found some overlap between ScareCrow and Conti, one of the most prolific ransomware families ever. Both, for instance, use the same algorithm to encrypt files, and like Conti, ScareCrow deletes Volume Shadow Copies using the WMI command-line utility (wmic), removing the local snapshots a victim could otherwise use to restore files without paying. ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.
AESRT, the third new ransomware family spotted in the wild, has functionality similar to the other two. The main difference is that instead of dropping a ransom note, the malware displays a popup window containing the attacker's email address and a field that shows a key for decrypting the encrypted files once the victim has paid the demanded ransom.
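The shadow-copy deletion described above for ScareCrow and Conti is one of the few behaviours in this report that a defender can look for directly in endpoint telemetry. The following is an added detection example, not code from FortiGuard Labs or from any of the samples: it scans process-creation events (in the shape of Sysmon Event ID 1 or Security Event 4688 fields) for the wmic shadow-copy deletion the article attributes to ScareCrow, and goes beyond the article by also matching the vssadmin and PowerShell Win32_ShadowCopy forms, which are assumed here to be common equivalents rather than something the report attributes to these families. The events, paths, user names and the "user-writable parent" heuristic are all constructed assumptions for the demonstration.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 field
# names). These are made-up samples for the example, not telemetry from any
# real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "User": "CORP\\victim"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\victim"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
     "ParentImage": r"C:\Users\victim\Downloads\invoice.exe",
     "User": "CORP\\victim"},
    # Benign administrative use of the same binaries: must not fire.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\admin"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\admin"},
]

# (regex over the command line, label). The wmic form is the one the article
# names for ScareCrow/Conti; the vssadmin and PowerShell forms are assumed
# equivalents added for coverage.
SHADOW_COPY_DELETION = [
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "wmic shadowcopy delete"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
     "vssadmin delete shadows"),
    (re.compile(r"Win32_ShadowCopy.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b"
                r"|(?:Remove-WmiObject|Remove-CimInstance).*Win32_ShadowCopy", re.I),
     "PowerShell Win32_ShadowCopy deletion"),
]


def is_user_writable_path(path):
    """Heuristic (an assumption for this example): treat binaries under a user
    profile, Temp or AppData as user-writable, i.e. a likely dropped payload."""
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\temp\\" in p or "\\appdata\\" in p


def detect_shadow_copy_deletion(events):
    """Return one finding per event whose command line deletes Volume Shadow
    Copies. Each finding carries the parent process so an analyst can separate
    ransomware (parent is a dropped executable) from legitimate backup tooling."""
    findings = []
    for event in events:
        cmdline = event.get("CommandLine", "")
        for pattern, label in SHADOW_COPY_DELETION:
            if pattern.search(cmdline):
                parent = event.get("ParentImage", "")
                findings.append({
                    "technique": label,
                    "image": event.get("Image", ""),
                    "parent_image": parent,
                    "user": event.get("User", ""),
                    "command_line": cmdline,
                    "parent_user_writable": is_user_writable_path(parent),
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        flag = "SUSPICIOUS PARENT" if f["parent_user_writable"] else "review"
        print(f"[{flag}] {f['technique']}: {f['command_line']} "
              f"(parent {f['parent_image']}, user {f['user']})")
```

Legitimate backup and imaging software also deletes shadow copies, so the command line alone is a lead rather than a verdict; the parent-image check is what turns the match into something worth paging on, and a real deployment would replace the path heuristic with an allowlist of the organisation's own backup agents.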
Indicators Of Compromise