PMC Wagner Ransomware

Unveiling Wagner Group’s Cyber-Recruitment

Ransomware Campaign Urges Resistance Against Russian Officials

Cyble Research and Intelligence Labs (CRIL) investigated a new ransomware named Wagner. This ransomware is a variant of Chaos ransomware. During our analysis, we found that the ransom note dropped by this ransomware, instead of demanding money, urges users to join the PMC Wagner.

The ransom note starts with, “Official Wagner PMCs Employment Virus“.

The figure below shows the translated version of the ransom note.

Figure 1 – Wagner Ransom Note (Translated from Russian)

The ransom note includes a call to wage war against Shoigu. Sergei Kuzhugetovich Shoigu is a prominent Russian politician and military officer, serving as the Minister of Defence of Russia since 2012. The content of the ransom note aligns with the information found in the bio section of the WAGNER GROUP Telegram channel, as shown below.

Figure 2 – Wagner Group Telegram Channel

The Wagner Group, officially known as PMC Wagner, is a Russian paramilitary organization. It is a private military company comprised of mercenaries and has been described as a de facto private army of Russian President Vladimir Putin’s former close ally Yevgeny Prigozhin.

Recently the Wagner PMC staged a short-lived mutiny in Russia, exposing a deepening feud with the country’s top defense leadership and revealing a potential challenge to Russian President Vladimir Putin’s authority. Prigozhin’s forces took control of a crucial military headquarters and initiated a “march of justice” toward Moscow.

The Wagner group has not officially stated its involvement in this ransomware. Therefore, the individuals responsible for this particular strain remain unknown. However, we discovered that the ransomware sample was initially submitted on VirusTotal from Russia. Since the ransom note is also written in Russian, it suggests that the ransomware may primarily target victims within Russia.

The accompanying figure displays the submission records for the Wagner ransomware.

Figure 3 – Submission Details

Technical Analysis

The Wagner ransomware  (SHA256: 1238ab3dd3ed620536969ee438e99a33a418ba20f5e691962ed07904e075b2a4) is a 32-bit binary targeting the Windows operating system.

The figure below shows the file details.

Figure 4 – File Details

The ransomware, upon execution, initializes different variables that specify its execution. After that, it performs an initial check to ensure that only one instance of the ransomware is running. It accomplishes this by retrieving a list of all running processes using the GetProcesses() method and then searches for a process with the same name as the current process. If it discovers such a process, it terminates itself to prevent multiple instances from running simultaneously.

The figure below shows a check to ensure that a single instance of ransomware is running.

Figure 5 – Running a Single Instance

The ransomware binary then examines the value of the “checkSleep” flag variable. If this variable is set to true, the ransomware proceeds to verify whether it is being executed from the %APPDATA% folder. If the binary is executed from a different location, it enters a sleep state for a duration specified by the Threat Actor (TA).

The figure below shows the sleep check present in the ransomware binary.

Figure 6 – Sleep Check

Persistence and Privilege Escalation

Now, the ransomware binary attempts to achieve Persistence and Privilege Escalation based on the flag variables specified by TA. If the flag variable “checkAdminPrivilage” is set to true, the ransomware binary will attempt to achieve Persistence and Privilege Escalation. To ensure persistence, it will make a copy of itself as “svchost.exe” in the startup folder. Subsequently, it will terminate the current instance and recursively try to execute the copied file again, this time using the runas command to gain elevated privileges.

If the value of “checkAdminPrivilage” is set to false, the ransomware checks the status of the “checkCopyRoaming” variable. If true, the ransomware only adds its binary to the startup folder for persistence.

Figure 7 – Persistence and Privilege Escalation

The ransomware binary includes an additional mechanism for Persistence that relies on the value of the “checkStartupFolder” variable. When set to true, the ransomware creates a shortcut file in the startup folder. This shortcut file is configured to point to the location of the current ransomware executable. As a result, when the system starts up, the ransomware is automatically executed.

The figure below shows the additional Persistence mechanism present in the Wagner ransomware.

Figure 8 – Adding Shortcut File to Startup Folder

Encryption

After this, the ransomware retrieves all drive types using the DriveInfo.GetDrives() method. It encrypts all the directories in the drives and excludes certain directories in the “C” drive.

The following directories are targeted by ransomware in the “C” drive.

  • Links
  • Contacts
  • Downloads
  • OneDrive
  • Saved Games
  • Favorites
  • Searches
  • Videos
  • C:\Users\Username\AppData\Roaming
  • C:\Users\Public\Documents
  • C:\Users\Public\Pictures
  • C:\Users\Public\Music
  • C:\Users\Public\Videos
  • C:\Users\Public\Desktop

The figure below shows the code for drive enumeration.

Figure 9 – Drive Enumeration

The following file extensions are targeted by the ransomware for encryption:

.txt.dib.xlsb.pot.mde
.jar.dic.7z.xlw.mdf
.dat.dif.cpp.xps.mdw
.contact.divx.java.xsd.mht
.settings.iso.jpe.xsf.mpv
.doc.7zip.ini.xsl.msg
.docx.ace.blob.kmz.myi
.xls.arj.wps.accdr.nef
.xlsx.bz2.docm.stm.odc
.ppt.cab.wav.accdt.geo
.pptx.gzip.3gp.ppam.swift
.odt.lzh.webm.pps.odm
.jpg.tar.m4v.ppsm.odp
.mka.jpeg.amv.1cd.oft
.mhtml.xz.m4p.3ds.orf
.oqy.mpeg.svg.3fr.pfx
.png.torrent.ods.3g2.p12
.csv.mpg.bk.accda.pl
.py.core.vdi.accdc.pls
.sql.pdb.vmdk.accdw.safe
.mdb.ico.onepkg.adp.tab
.php.pas.accde.ai.vbs
.asp.db.jsp.ai3.xlk
.aspx.wmv.json.ai4.xlm
.html.swf.gif.ai5.xlt
.htm.cer.log.ai6.xltm
.xml.bak.gz.ai7.svgz
.psd.backup.config.ai8.slk
.pdf.accdb.vb.arw.tar.gz
.xla.bay.m1v.ascx.dmg
.cub.p7c.sln.asm.ps
.dae.exif.pst.asmx.psb
.indd.vss.obj.avs.tif
.cs.raw.xlam.bin.rss
.mp3.m4a.djvu.cfm.key
.mp4.wma.inc.dbx.vob
.dwg.flv.cvs.dcm.epsp
.zip.sie.dbf.dcr.dc3
.rar.sum.tbi.pict.iff
.mov.ibank.wpd.rgbe.onepkg
.rtf.wallet.dot.dwt.onetoc2
.bmp.css.dotx.f4v.dll
.mkv.js.xltx.exr.lnk
.avi.rb.pptm.kwm.scr
.apk.crt.potx.max.exe
.lnk.xlsm.potm.mda 

Wagner ransomware encrypts files whose size is less than 2MB. For files larger than 2MB but less than ~200MB, a portion of random bytes is generated, with a length equal to one-fourth of the file size. These random bytes are then encoded in Base-64 format and written into the file.

In the case of files larger than approximately 200MB, the ransomware generates a different set of random bytes. The size of these bytes is between ~200MB and ~300MB. Like the previous scenario, these bytes are stored in the file in Base-64 format.

The ransomware renders such files completely useless due to the addition of random bytes.

The figure below shows the code to check the file size and add random bytes.

Figure 10 – File Size Validation

The ransomware employs the AES algorithm to encrypt files. For each file, it generates a random key to perform encryption. After encrypting the file, the ransomware binary encrypts the AES encryption key using the RSA algorithm. This encrypted key is stored within the file between “<EncryptedKey>” tags and the Base64 encoded RSA key.

The figure below shows the file encryption code.

Figure 11 – Encryption

Replication

Wagner ransomware can spread through removable media. It fetches details of all the logical drives on a system using DriveInfo.GetDrives() method. Excluding the “C” drive, it copies itself to all other drives named “surprise.exe”.

The figure below shows the code for spreading the ransomware to other drives.

Figure 12 – Spreading to other drives

Impact

After encryption, this ransomware renames all the files by appending the “.Wagner” extension. The figure below shows the encrypted files.

Figure 13 – Encrypted Files

It drops the ransom note named “Wagner.txt” in every directory it traverses. This ransom note is written in Russian, suggesting it targets Russian-speaking users.

The figure below shows the ransom note.

Figure 14 – Ransom Note

Now, if the values of checkdeleteShadowCopies, checkdisableRecoveryMode, and checkdeleteBackupCatalog flag variables are set to True, the ransomware binary executes the following commands:

  • vssadmin delete shadows /all /quiet & wmic shadowcopy delete

This command invokes the “vssadmin” tool to delete all shadow copies. The “/all” flag is used to delete all shadow copies, and the “/quiet” flag ensures the command runs silently without prompting for confirmation.

  • bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

Modifies the boot status policy of the default operating system to “ignoreallfailures”. It ensures that the system ignores any failures encountered during the boot process.

Disables the recovery feature for the default operating system. It sets the “recoveryenabled” parameter to “no”, preventing the system from initiating the recovery process in case of system failures.

  • wbadmin delete catalog -quiet

This command executes the “wbadmin” tool to delete the backup catalog. The “/quiet” flag ensures that the command runs silently without displaying any prompts.

Within the ransomware binary, there is an encoded image in Base64 format. The ransomware decodes this image and places it in the %TEMP% folder, assigning it a random string name consisting of 9 characters, which can be a combination of lowercase letters [a-z] and digits [0-9]. Subsequently, the ransomware sets this decoded image as the desktop background, as depicted in the accompanying figure.

Figure 15 – Changing Desktop Background

Conclusion

The Wagner Group has not officially claimed responsibility for this ransomware strain. There are notable similarities between the content of the ransom note and the group’s messaging on their Telegram channel.

It suggests that the individual behind the ransomware strain could be politically motivated and supports Wagner Group. The ransomware’s intent seems to spread messages of rebellion and incitement against Russian Defense Minister Sergei Shoigu.

Our Recommendations  

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:    

  • Avoid downloading pirated software from warez/torrent websites. The “Hack Tool” present on sites such as YouTube, torrent sites, etc., mainly contain such malware.  
  • Before downloading any file, verify the credibility and authenticity of the source.
  • Back up data on different locations and implement Business Continuity Planning (BCP). Keeping the Backup Servers isolated from the infrastructure helps fast data recovery.
  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
  • Enforcement of VPN to safeguard endpoints.
  • Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
  • Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.
  • The users should carefully check their wallet addresses before making any cryptocurrency transaction to ensure there is no change when copying and pasting the actual wallet addresses.
  • The seeds for wallets should be stored safely and encrypted on any device.

MITRE ATT&CK® Techniques  

  

Tactic  Technique ID  Technique Name  
Execution   T1204   User Execution   
PersistenceT1547    Registry Run Keys / Startup Folder  
 
Discovery   T1082 
T1083
T1057  
System Information Discovery 
File and Directory Discovery   
Process Discovery 
Impact T1486  
T1490
Data Encrypted for Impact  
Inhibit System Recovery

  

Indicators of Compromise (IOCs)  

  

Indicators  Indicator type  Description  
d26b2c8fc07cb5c72bfc40779f09d491
8ee7fc0171b980aa93b687e334d1e29a8d634085
1238ab3dd3ed620536969ee438e99a33a418ba20f5e691962ed07904e075b2a4
MD5
SHA1
SHA256   
Wagner Ransomware binary  

Comments are closed.

Scroll to Top