Ransomware Awareness – Newly Uncovered Ransomware Families Are Actively Targeting Victims

Created: Tuesday, December 13, 2022 - 16:03
Categories: Cybersecurity

Security researchers at Fortinet have discovered three new ransomware families that are actively targeting victims around the world. Members are encouraged to keep abreast of the various ransomware families for awareness on unique characteristics and indicators of compromise for each.

AESRT. The AESRT ransomware family encrypts files on compromised devices and appends an “.AESRT” file extension to the files it encrypts. Rather than dropping a ransom note, the ransomware displays a popup window that includes the attacker’s email address. It also deletes shadow copies, which prevents the victim from recovering files.

Vohuk. Vohuk ransomware leaves victims a note and asks them to contact the attackers via email. Apparently under constant development, the malware assigns a unique ID to each victim. This ransomware strain appends the ‘.vohuk’ extension to the encrypted files, replaces file icons with a red lock icon, and replaces the desktop wallpaper with its own. According to Fortinet, “the ransomware leaves a distinctive mutex (‘Global\\VohukMutex’), which prevents different instances of Vohuk ransomware from running on the same system.”

ScareCrow. ScareCrow ransomware tells victims to contact the attacker using one of three Telegram channels. Of the three strains discussed, this one appears to be the most widespread. Security researchers have noticed a few similarities between ScareCrow and Conti, such as the use of the ChaCha algorithm for encryption and the use of the WMI command-line utility to delete Volume Shadow Copies, which suggest that ScareCrow’s developers might have used the Conti source code leaked earlier this year.
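As an added example (not part of this advisory or of Fortinet's report), the following Python scan applies the indicators described above, the .AESRT and .vohuk extensions, the Global\VohukMutex mutex, and shadow-copy deletion via the WMI command-line utility, to a constructed, hypothetical host event log; the "event|host|detail" log format and the vssadmin command pattern are assumptions, not details from the page.

```python
import re
from collections import defaultdict

# Indicators from the three families described above.
RANSOMWARE_EXTENSIONS = {".aesrt": "AESRT", ".vohuk": "Vohuk"}
VOHUK_MUTEX = r"Global\VohukMutex"
# Shadow-copy deletion command lines: the WMI utility is on the page;
# the vssadmin form is an added, commonly seen variant (assumption).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
]

# Constructed sample telemetry in a hypothetical "event|host|detail" format.
SAMPLE_EVENTS = """\
file_rename|WS01|C:\\Users\\alice\\Documents\\q3.xlsx -> C:\\Users\\alice\\Documents\\q3.xlsx.AESRT
process_create|WS01|cmd.exe /c wmic shadowcopy delete
mutex_create|WS02|Global\\VohukMutex
file_rename|WS02|C:\\Data\\report.docx -> C:\\Data\\report.docx.vohuk
process_create|WS03|vssadmin.exe Delete Shadows /All /Quiet
file_rename|WS03|C:\\temp\\a.tmp -> C:\\temp\\a.bak
"""

def classify_event(event_type, detail):
    """Return (label, reason) for one event, or None when nothing matches."""
    if event_type == "file_rename":
        new_path = detail.split(" -> ")[-1]
        name = new_path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        family = RANSOMWARE_EXTENSIONS.get(ext)
        return (family, "extension " + ext) if family else None
    if event_type == "mutex_create" and detail == VOHUK_MUTEX:
        return ("Vohuk", "mutex " + detail)
    if event_type == "process_create":
        for pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(detail):
                return ("shadow_copy_deletion", detail)
    return None

def scan_events(text):
    """Group matches per host. A host showing both an encryption indicator
    and shadow-copy deletion is the strongest signal of an active infection."""
    findings = defaultdict(list)
    for line in text.strip().splitlines():
        event_type, host, detail = line.split("|", 2)
        hit = classify_event(event_type, detail)
        if hit:
            findings[host].append(hit)
    return dict(findings)
```

Running `scan_events(SAMPLE_EVENTS)` flags WS01 (AESRT extension plus shadow-copy deletion), WS02 (Vohuk mutex and extension) and WS03 (shadow-copy deletion only), while the ordinary `.bak` rename is ignored.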

Read the original report at Fortinet, or access a related article here.

Ransomware Prevention. As always, members are encouraged to visit CISA’s Stop Ransomware page for guidance and resources for defending and recovering from a ransomware incident.