Experts detail three new ransomware families in the wild

December 27, 2022

Cybersecurity researchers have published information regarding three new ransomware families, Aerst, ScareCrow, and Vohuk, that could encrypt targeted files and extort their victims.

According to the investigation, all three families target Windows devices and rely on standard ransomware mechanics: encrypting the victim's files and demanding a ransom payment in exchange for the decryption key.

These new families are already being used by numerous actors in a growing number of ransomware campaigns.


All three families were observed appending their own extension to the files they encrypt.


The first family on the list, Aerst, was observed appending the [.]Aerst extension to encrypted files. Instead of a standard ransom note, it displays a popup window containing the attacker's email address.

The popup window also lets the victim enter a purchase key that is required to recover the encrypted data. In addition, Aerst deletes Volume Shadow Copies to prevent file recovery.

The Vohuk family, by contrast, uses the standard approach of dropping a ransom note, read[.]txt, which instructs the victim to contact the operators by email. It appends the [.]vohuk extension to encrypted files, replaces file icons with a red lock icon, and changes the desktop wallpaper to an image of its own choosing.

At present, Vohuk has been observed targeting only users in Germany and India.

The last family, ScareCrow, also drops a ransom note, readme[.]txt, which directs victims to contact its operators through one of three listed Telegram channels. This family has been seen mostly in the United States, the Philippines, Russia, India, and Italy.

The researchers noticed overlaps between Conti and ScareCrow, such as the use of the WMI command-line utility to delete Volume Shadow Copies and the use of the ChaCha algorithm for encryption. This suggests that the ScareCrow authors may have built on the Conti source code leaked this year.

Finally, the ScareCrow developers encrypted the strings in the malware, including DLL and API names, with each string using a different decryption routine. ScareCrow appends the [.]crow extension to encrypted files.
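As an added example (not code from the article or from the researchers it cites), a small Python triage routine that applies the indicators described above to constructed endpoint telemetry: file-creation paths and process command lines. The event format, the `wmic shadowcopy delete` pattern and the alert threshold are assumptions; the extensions and ransom note names come from the article.

```python
import re
from collections import Counter

# Indicators from the article: extensions appended to encrypted files, ransom
# note file names, and shadow-copy removal through the WMI command-line tool.
EXTENSIONS = {".aerst": "Aerst", ".vohuk": "Vohuk", ".crow": "ScareCrow"}
RANSOM_NOTES = {"read.txt": "Vohuk", "readme.txt": "ScareCrow"}
SHADOW_DELETE = re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)

def classify_event(event):
    """Map one telemetry event to (category, family) or None.
    category is 'ext' (renamed file), 'note' (ransom note) or 'vss' (shadow copies)."""
    if event["type"] == "file_create":
        name = event["path"].lower().rsplit("\\", 1)[-1]
        if name in RANSOM_NOTES:
            return "note", RANSOM_NOTES[name]
        for ext, family in EXTENSIONS.items():
            if name.endswith(ext):
                return "ext", family
    elif event["type"] == "process_create":
        if SHADOW_DELETE.search(event["cmdline"]):
            return "vss", None  # article ties this to both Aerst and ScareCrow
    return None

def triage(events, min_renames=3):
    """Return {family: [reasons]}. A ransom note or shadow-copy deletion alerts on
    its own; renamed files only alert once min_renames of them share a family."""
    renames, alerts = Counter(), {}
    for ev in events:
        hit = classify_event(ev)
        if hit is None:
            continue
        category, family = hit
        if category == "ext":
            renames[family] += 1
        elif category == "note":
            alerts.setdefault(family, set()).add("ransom note dropped")
        else:
            alerts.setdefault("unknown", set()).add("shadow copies deleted via wmic")
    for family, n in renames.items():
        if n >= min_renames:
            alerts.setdefault(family, set()).add(f"{n} files renamed with {family} extension")
    return {f: sorted(r) for f, r in alerts.items()}

# Constructed sample telemetry (not from the article): a Vohuk-like burst, a
# shadow-copy deletion, and one benign file whose name merely ends in ".crow".
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Users\a\Docs\q1.xlsx.vohuk"},
    {"type": "file_create", "path": r"C:\Users\a\Docs\q2.xlsx.vohuk"},
    {"type": "file_create", "path": r"C:\Users\a\Docs\plan.docx.vohuk"},
    {"type": "file_create", "path": r"C:\Users\a\Desktop\read.txt"},
    {"type": "file_create", "path": r"C:\Users\a\Pictures\scare.crow"},
    {"type": "process_create", "cmdline": "wmic.exe shadowcopy delete"},
]
```

The single `.crow` file stays below the rename threshold and produces no alert, while the note and the shadow-copy deletion each alert on their own.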
