
New Ransomware Families Lead Attacks Against Windows Systems

Fortinet’s researchers recently came across three new ransomware families - Vohuk, ScareCrow, and AESRT (aka AERST). These typical ransomware families have been increasingly targeting Windows systems.

A look at Vohuk ransomware

Vohuk has been primarily targeting Germany and India.
  • It encrypts several file types and makes them completely unusable. It adds the .Vohuk extension to the encrypted files and replaces file icons with a red lock icon.
  • It replaces the desktop wallpaper with its own and creates a distinctive mutex, which prevents multiple instances of Vohuk from running on the same system.
  • A ransom note displayed on the victim’s system instructs the victim to contact the attacker via email, quoting the unique ID assigned to each victim.
  • In one ransom note, there was a mention of Vohuk ransomware v1.3, which indicates that the attacker has updated it several times already.

Spilling the beans for ScareCrow ransomware

The ScareCrow ransomware encrypts files on victims’ machines and adds the .CROW file extension to affected files.
  • ScareCrow attacks are relatively widespread in Germany, India, Italy, the Philippines, Russia, and the U.S. The ransom note instructs victims to contact the attacker using one of the three Telegram channels provided.
  • ScareCrow carries some similarities with Conti, such as the use of the CHACHA algorithm to encrypt files and using the WMIC utility to delete volume shadow copies.
  • The similarities suggest that ScareCrow’s developers might have used the Conti source code leaked earlier this year. However, there are significant differences between the two code bases, indicating that ScareCrow’s developers have put additional effort into it.

Lastly, meet AERST ransomware

Researchers found one more new ransomware, dubbed AERST, that encrypts files on compromised machines and appends a .AERST file extension to the affected files.
  • Instead of dropping a typical ransom note, it displays a popup window that includes the attacker’s email address.
  • The display contains a field to enter the purchased key required to decrypt the encrypted files. Additionally, it deletes shadow copies to prevent file recovery.
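Two of the behaviours described above (files renamed with the .Vohuk, .CROW or .AERST extension, and shadow copies deleted through the WMIC utility) are the kind of signals a defender can match in endpoint telemetry. The following is an added example, not code from the article or from Fortinet; the event format and the sample events are constructed for illustration, and the rename threshold is an assumed tuning value.

```python
import re
from collections import Counter

# Encrypted-file extensions the write-up attributes to each family (matched case-insensitively).
RANSOM_EXTENSIONS = {".vohuk": "Vohuk", ".crow": "ScareCrow", ".aerst": "AERST"}

# Shadow-copy deletion through WMIC, the technique the article attributes to ScareCrow.
WMIC_SHADOW_DELETE = re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)

# Constructed sample events (not real telemetry), one per line: "kind|host|process|detail".
# For FILE_RENAME the detail is the new file name; for PROCESS_CREATE it is the command line.
SAMPLE_EVENTS = [
    "PROCESS_CREATE|ws01|cmd.exe|wmic shadowcopy delete",
    "FILE_RENAME|ws01|unknown.exe|C:\\Users\\a\\report.docx.CROW",
    "FILE_RENAME|ws01|unknown.exe|C:\\Users\\a\\budget.xlsx.CROW",
    "FILE_RENAME|ws01|unknown.exe|C:\\Users\\a\\photo.jpg.CROW",
    "FILE_RENAME|ws02|explorer.exe|C:\\Users\\b\\notes.txt",
    "FILE_RENAME|ws03|svc.exe|C:\\Data\\db.bak.Vohuk",
    "PROCESS_CREATE|ws04|powershell.exe|Get-Process",
]

def parse_event(line):
    kind, host, process, detail = line.split("|", 3)
    return {"kind": kind, "host": host, "process": process, "detail": detail}

def detect(lines, rename_threshold=3):
    """Return (host, finding) tuples for:
    - any command line that uses WMIC to delete shadow copies, and
    - hosts where at least rename_threshold files gained a known ransomware extension
      (a single rename is weak evidence; a burst on one host is the stronger signal).
    """
    findings = []
    renames = Counter()  # (host, family) -> number of renamed files
    for ev in map(parse_event, lines):
        if ev["kind"] == "PROCESS_CREATE" and WMIC_SHADOW_DELETE.search(ev["detail"]):
            findings.append((ev["host"], "shadow copy deletion via WMIC: " + ev["detail"]))
        elif ev["kind"] == "FILE_RENAME":
            name = ev["detail"]
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            family = RANSOM_EXTENSIONS.get(ext)
            if family:
                renames[(ev["host"], family)] += 1
    for (host, family), n in sorted(renames.items()):
        if n >= rename_threshold:
            findings.append((host, f"{n} file(s) renamed with {family} extension"))
    return findings

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS):
        print(host, finding)
```

In the sample data, ws01 produces both findings while the single .Vohuk rename on ws03 stays below the threshold.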

What to expect

It's too early to say whether Vohuk, ScareCrow, and AERST could evolve into large-scale threats or remain typical ransomware families with short lifespans. However, victims of such attacks are at real risk of losing valuable data, resulting in financial loss. Therefore, organizations need to stay ahead of the techniques used by threat actors and implement security best practices and controls.
Publisher: Cyware