Well-known ransomware threat researcher Brett Callow has poured cold water on claims that ransomware, which sought to capitalise on the recent Wagner group incidents, has been targeting Windows users in Russia.
The claim was made by security firm Cyble, which told the Australian arm of PCMag that the malware dropped a note on victims machines to hint they should consider joining the Russian mercenary outfit.
PCMag reported that the note read: “Job opening. Service in the PMCS Wagner. For cooperation, adding ‘Brothers, stop tolerating authority! Let’s go to war against Shoigu!’. Sergei Kuzhugetovich Shoigu is the Russian defence minister.
Cyble was reported as claiming, “The individual behind the ransomware strain could be politically motivated and supports Wagner Group.”
But Callow, who works for the New Zealand-headquartered Emsisoft, said in a tweet there was no evidence that this so-called Wagner ransomware had actually been deployed in Russia or, for that matter, anywhere else.
“All we have is a sample that somebody — perhaps the same person who created it — uploaded to VT [VirusTotal, the malware database owned by Google], possibly just for lulz [laughs].”
AFAIK, there is no evidence that #Wagner #ransomware has actually been deployed in Russia or, for that matter, anywhere else. All we have is a sample that somebody – perhaps the same person who created it – uploaded to VT, possibly just for lulz.https://t.co/ngPK5E42Rj
— Brett Callow (@BrettCallow) June 27, 2023
Callow told iTWire: “Creating the ransomware would’ve been a quick and easy job, but we don’t know who did it or why or whether it’s ever actually been deployed.
“My guess is that was created for the soled purpose of being uploaded to VirusTotal so it would be discovered by researches and written about. You can draw your own conclusions as to what the motivation may have been.”
Another security researcher who differed with Cyble, but not to the extent that Callow did, was Allan Liska, who works with the CIA-backed firm Recorded Future, PCMag quoted him as tweeting: “Installing a ransomware/wiper on someone’s machine is a poor way to recruit them.
“On the other hand, if you are a hacktivist group, say one that has used ransomware based on the Chaos builder in the past, that wants to get people mad at a certain group, this is a good way to do it.”
This is the second case of one security firm contradicting claims made by another in as many days. On Tuesday, iTWire reported that industrial cyber-security firm Dragos countered claims made by the Google-owned Mandiant about malware known as COSMICENERGY.
Once again, there was a Russia angle, with Mandiant issuing a post about COSMICENERGY on 25 May, claiming it had been uploaded to a public malware scanning utility in December 2021 by a submitter in Russia.
“The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” a post, authored jointly by researchers Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar and Nathan Brubaker, said.
But Dragos said it had “independently analysed the malware and, counter to media headlines claiming power disruption or grid crippling abilities, concluded that COSMICENERGY is not an immediate threat to operational technology”