KCW Ransomware Encrypting Web Sites in Pakistan

Haythem Elmir

Team Kerala Cyber Warriors, a hacking group based out of India, have begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.

You can see a demonstration below of a web site infected by the KCW Ransomware.

I first learned about the KCW Ransomware from a security researcher named nullcookies.

When the KCW Ransomware is installed on a site, the site’s files will be encrypted and have the the .kcwenc extension appended to them. You can see an example of encrypted files below.

Encrypted Web Site
Encrypted Web Site

The attack will also leave behind a file name kcwdecrypt.php, which when opened displays a ransom note that claims to have been left by an Anonymous group named the Team Kerala Cyber Warriors. This note explains what happened to the site and provides a way to contact the group at their Facebook page.

KCW Ransomware Ransom Page
KCW Ransomware Ransom Page

The web pages created by this group are well done and happen to play a background song that I must have played over and over. You can hear this music in the video above.

It is not currently known if there is a particular platform being targeted or how the attackers are gaining access to the sites. Furthermore, it is not known if the group is actually decrypting files if a victim pays the ransom.

Attacks motivated by injustice or politics

The attacks being performed by Team Kerala Cyber Warriors, the Indian hacking group behind the KCW Ransomware, appear to be politically motivated. Based on the posts to their Facebook page, these attacks are being performed due to government injustice and corruption and against sites located in Pakistan.

For example, a previous hack protested against the horrific torture and rape of an 8 year old girl named Asifa Bano.

Defacement Demanding Justice for Asifa
Defacement Demanding Justice for Asifa

While their Wikipedia page states that Team Kerala Cyber Warriors were disbanded in January 2018, it appears that they, or someone representing them, is still active

To read the original aricle:



Laisser un commentaire

Next Post

Hackers Scan the Web for Vulnerable WebLogic Servers After Oracle Botches Patch

For more than a week hackers have started scanning the Internet, searching for machines running Oracle WebLogic servers. Scans started after April 17, when Oracle published its quarterly Critical Patch Update (CPU) security advisory. The April 2018 CPU contained a patch for CVE-2018-2628, a vulnerability in the WLS core component of WebLogic, […]