September 22, 2023

Researchers from Fortinet's FortiGuard Labs have identified three new ransomware variants, named Vohuk, ScareCrow, and AESRT. All three target Windows systems and appear to be spreading relatively rapidly across systems belonging to users in multiple countries.

Fortinet's analysis did not identify the modus operandi by which the new ransomware samples are distributed, but it noted that phishing email has typically been the most common vector for ransomware infections.


The Vohuk ransomware variant that was analyzed appeared to be in its third iteration, indicating that its authors are actively developing it. The malware drops a ransom note, “README.txt,” on compromised systems that asks victims to contact the attacker via email with a unique ID. The note informs the victim that the attacker is not politically motivated but is only interested in financial gain — presumably, to reassure victims they would get their data back if they paid the demanded ransom.

ScareCrow is another typical ransomware that encrypts files on victims' machines. Its ransom note, also entitled 'readme.txt', lists three Telegram channels that victims can use to communicate with the attacker. Although the note does not state any specific financial demand, it is safe to assume that victims will need to pay a ransom to recover the encrypted files.

Researchers found some overlap between ScareCrow and the Conti ransomware variant, one of the most prolific ransomware tools ever. Both, for instance, use the same algorithm to encrypt files, and just like Conti, ScareCrow deletes shadow copies using the WMI command line utility (wmic) to make data irrecoverable on infected systems. ScareCrow has infected systems in the United States, Germany, Italy, India, the Philippines, and Russia.
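Defenders commonly hunt for exactly this shadow-copy deletion in process-creation telemetry. As an added illustration that is not part of the Fortinet report or this article, the Python below flags wmic command lines that delete shadow copies, run over constructed sample events (the hostnames, image paths and command lines are assumptions):

```python
import re
from typing import Dict, List

# Constructed sample process-creation records (hypothetical), modelled on the
# fields an EDR or Sysmon Event ID 1 feed exposes: host, image path, command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe  SHADOWCOPY /nointeractive DELETE"},
    {"host": "ws03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process list brief"},          # benign wmic use
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "wmic shadowcopy delete"'},  # wrapped in cmd
]

# Match wmic (optionally wmic.exe, possibly closing a quoted path), then the
# shadowcopy WMI alias, then the delete verb after any switches; case-insensitive
# so that mixed-case variants and extra whitespace do not evade the rule.
WMIC_SHADOWCOPY_DELETE = re.compile(
    r"""(?ix)
    \bwmic(?:\.exe)?"?\s+      # wmic or wmic.exe
    (?:.*\s)?shadowcopy\b      # the shadowcopy alias, after optional switches
    (?:\s+\S+)*?\s+delete\b    # any further switches, then the delete verb
    """
)


def flag_shadowcopy_deletion(events: List[Dict[str, str]]) -> List[str]:
    """Return the hosts whose command line deletes volume shadow copies via wmic."""
    hits: List[str] = []
    for ev in events:
        if WMIC_SHADOWCOPY_DELETE.search(ev["cmdline"]):
            hits.append(ev["host"])
    return hits


if __name__ == "__main__":
    for host in flag_shadowcopy_deletion(SAMPLE_EVENTS):
        print(f"{host}: shadow copy deletion via wmic observed")
```

Hosts ws01, ws02 and ws04 are flagged; the ordinary `wmic process list` on ws03 is not.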


AESRT, the third new ransomware family spotted in the wild, has functionality similar to the other two threats. The main difference is that instead of leaving a ransom note, the malware displays a popup window with the attacker's email address and a field that shows a key for decrypting the encrypted files once the victim has paid the demanded ransom.

Indicators Of Compromise

Vohuk ransomware


ScareCrow ransomware


AESRT ransomware

