Wagner cipher: extortion, recruitment or an empty phrase?
Instead of demanding a ransom, the malware offers to join the Wagner PMC.
Ransomware called Wagner infects users’ devices and invites them to join the Wagner private military company (PMC), the same group that recently attempted an armed insurgency in Russia.
Researchers at Cyble believe the newly discovered program is aimed specifically at Russian users. Instead of asking for money to decrypt files, the ransomware demands that its victims join the ranks of the PMC.
“Official virus for employment in PMC Wagner,” reads the ransom note, written in Russian, that the malware leaves on victims’ devices. The same note also contains several illegal calls to action.
The Cyble researchers said in their report that “the Wagner group has not officially declared its involvement in this ransomware.” Therefore, the individuals responsible for this particular strain could be anyone.
When launched, the program initializes various variables that control its execution and scans the list of running processes for one with the same name, so that multiple instances of the ransomware cannot run at the same time.
The process then elevates its privileges and adds itself to Windows startup. After that the encryption itself begins, affecting only the user folders on the system drive: Desktop, Downloads, Pictures, Music, Videos, Documents, OneDrive, Roaming under AppData, and so on.
In total, Wagner detects and encrypts files with about 230 extensions. Encrypted files receive the “.Wagner” extension.
Data on other drives attached to the computer is not encrypted. The malware does, however, copy itself to them, removable media included, as a file named “surprise.exe”.
Given that the real Wagner PMC has not confirmed any involvement, and that the note contains no payment details for a ransom, victims have no way to restore their files even if they want to. On that basis the ransomware can fairly be classified as a wiper.
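The behaviour described above leaves two simple file-system indicators that a responder can hunt for: files renamed with the “.Wagner” extension under user profile folders on the system drive, and copies of the program dropped as “surprise.exe” on other drives. The following triage script, added here as an illustration and not code from Cyble or from the malware, scans a file listing for both. The listing in the script is constructed for the demo; in practice you would feed the function the output of a directory walk or a forensic file list.

```python
"""Triage helper for the two file-system indicators the article describes:
files renamed with the ".Wagner" extension inside user profile folders on the
system drive, and copies of the ransomware dropped as "surprise.exe" on other
drives, removable media included.

Added illustration, not code from Cyble or from the malware. The file listing
below is constructed for the demo; feed scan_listing() a real directory walk
or forensic file list in practice.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

ENCRYPTED_SUFFIX = ".wagner"   # extension appended to encrypted files
DROPPER_NAME = "surprise.exe"  # self-copy placed on other drives

# User folders the article says are encrypted on the system drive.
TARGET_FOLDERS = (
    "desktop", "downloads", "pictures", "music", "videos", "documents",
    "onedrive", "appdata\\roaming",
)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "encrypted_file" or "dropper_copy"
    detail: str


def _relative_to_profile(p: PureWindowsPath) -> str:
    """Lower-cased folder path below <drive>\\Users\\<name>\\, or "" when the
    file is not inside a user profile."""
    parts = p.parts
    if len(parts) < 4 or parts[1].lower() != "users":
        return ""
    return "\\".join(parts[3:-1]).lower()


def scan_listing(paths: Iterable[str]) -> List[Finding]:
    """Return a Finding for every path matching either indicator."""
    findings: List[Finding] = []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() == ENCRYPTED_SUFFIX:
            rel = _relative_to_profile(p)
            in_target = any(rel.startswith(f) for f in TARGET_FOLDERS)
            findings.append(Finding(
                path=raw, kind="encrypted_file",
                detail="in expected user folder" if in_target
                else "outside the folders the sample is known to touch",
            ))
        elif p.name.lower() == DROPPER_NAME:
            # The sample drops its copy at the root of each other drive; a
            # copy elsewhere is still worth a look, so record both cases.
            at_root = len(p.parts) == 2
            findings.append(Finding(
                path=raw, kind="dropper_copy",
                detail="at drive root" if at_root else "not at drive root",
            ))
    return findings


def affected_drives(findings: Iterable[Finding]) -> List[str]:
    """Sorted drive letters on which any indicator was seen."""
    return sorted({PureWindowsPath(f.path).drive.upper() for f in findings})


# Constructed sample listing: one infected host with two extra drives.
SAMPLE_LISTING = [
    r"C:\Users\alice\Desktop\report.docx.Wagner",
    r"C:\Users\alice\Documents\budget.xlsx.Wagner",
    r"C:\Users\alice\AppData\Roaming\notes.txt.Wagner",
    r"C:\Users\alice\AppData\Local\Temp\cache.db.Wagner",  # outside listed folders
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\surprise.exe",
    r"E:\surprise.exe",
    r"D:\photos\holiday.jpg",
    r"C:\Program Files\surprise.exe",  # same name, but not at a drive root
]

if __name__ == "__main__":
    results = scan_listing(SAMPLE_LISTING)
    for f in results:
        print(f"{f.kind:15} {f.path}  ({f.detail})")
    print("drives touched:", affected_drives(results))
```

Matching on the extension alone is deliberately loose: the article says the sample only encrypts the listed user folders, so a “.Wagner” file anywhere else is recorded with a separate note rather than dropped, since it may point to a variant or to a copy moved by the user.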
Experts recommend regularly backing up important data and storing it on other devices or in secure cloud storage, so that even if the malware encrypts your data, such an attack will not be able to affect you.