Team Kerala Cyber Warriors, a hacking group based out of India, have begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.
You can see a demonstration below of a web site infected by the KCW Ransomware.
I first learned about the KCW Ransomware from a security researcher named nullcookies.
When the KCW Ransomware is installed on a site, the site’s files will be encrypted and have the the .kcwenc extension appended to them. You can see an example of encrypted files below.
The attack will also leave behind a file name kcwdecrypt.php, which when opened displays a ransom note that claims to have been left by an Anonymous group named the Team Kerala Cyber Warriors. This note explains what happened to the site and provides a way to contact the group at their Facebook page.
The web pages created by this group are well done and happen to play a background song that I must have played over and over. You can hear this music in the video above.
It is not currently known if there is a particular platform being targeted or how the attackers are gaining access to the sites. Furthermore, it is not known if the group is actually decrypting files if a victim pays the ransom.
Attacks motivated by injustice or politics
The attacks being performed by Team Kerala Cyber Warriors, the Indian hacking group behind the KCW Ransomware, appear to be politically motivated. Based on the posts to their Facebook page, these attacks are being performed due to government injustice and corruption and against sites located in Pakistan.
For example, a previous hack protested against the horrific torture and rape of an 8 year old girl named Asifa Bano.
While their Wikipedia page states that Team Kerala Cyber Warriors were disbanded in January 2018, it appears that they, or someone representing them, is still active
To read the original aricle: