Fortinet’s researchers recently came across three new ransomware families - Vohuk, ScareCrow, and AESRT (aka AERST). These typical ransomware families have been increasingly targeting Windows systems.
A look at Vohuk ransomware
Vohuk has been primarily targeting Germany and India.
It encrypts several file types and makes them completely unusable. It adds the .Vohuk extension to the encrypted files and replaces file icons with a red lock icon.
It replaces the desktop wallpaper with its own and leaves a distinctive mutex, which prevents different instances of Vohuk from running on the same system.
A ransom note is displayed on the victim’s system to contact the attacker via email with a unique ID assigned to each victim.
In one ransom note, there was a mention of Vohuk ransomware v1.3, which indicates that the attacker has updated it several times already.
Spilling the beans for ScareCrow ransomware
The ScareCrow ransomware encrypts files on victims’ machines and adds the .CROW file extension to affected files.
ScareCrow attacks are relatively widespread in Germany, India, Italy, the Philippines, Russia, and the U.S. The ransom note instructs victims to contact the attacker using one of the three Telegram channels provided.
ScareCrow carries some similarities with Conti, such as the use of the CHACHA algorithm to encrypt files and using the WMIC utility to delete volume shadow copies.
The similarities suggest that ScareCrow’s developers might have used Conti source code leaked earlier this year. However, there are significant differences in ransomware codes, indicating that its developers have put additional effort into it.
Lastly, meet AERST ransomware
Researchers found one more new ransomware, dubbed AERST, that encrypts files on compromised machines and appends a .AERST file extension to the affected files.
Instead of dropping a typical ransom note, it displays a popup window that includes the attacker’s email address.
The display contains a field to enter the purchased key required to decrypt the encrypted files. Additionally, it deletes shadow copies to prevent file recovery.
What to expect
It's too early to comment on whether Vohuk, ScareCrow, and AERST ransomware strains could evolve into a large-scale threat or remain as typical ransomware families with short lifespans. However, in such attacks, victims are surely at risk of losing valuable data, resulting in financial loss. Therefore, organizations need to stay ahead of the techniques used by threat actors and implement security best practices and controls.