Wagner Ransomware Gang Attacks to Recruit 

This post is also available in: עברית (Hebrew)

Wagner, a Russian private military corporation (PMC) that recently attempted a march on Moscow has been attacking and infecting user devices only to then invite them to join the group.

According to research performed by Cyble, this recently detected activity likely targets Russians, and instead of asking for money, the group demands victims join the ranks of the PMC led by Yevgeny Prigozhin.

The note deployed on victim devices reads: “Official Wagner PMCs employment virus.” It also calls to “wage war” against Russia’s longtime Minister of Defence Sergei Shoigu. These demands echo recent events in Russia, with Prigozhin openly disparaging Shoigu over Moscow’s incompetence in waging war against Ukraine. Although the ransom note mimics the bio section of the Wagner Group Telegram channel, the group did not come out publicly claiming this ransomware campaign.

According to Cybernews, Wagner ransomware targets victims’ data stored on the C: drive, encrypting everything from links and contacts to OneDrive and documents. After encryption, all files are renamed with the “.Wagner” extension.

The ransomware group is funded by the Russian government and was established around 2014. While Prigozhin deals with the business and policy side of the business, Dmitry Utkin, a former Russian military intelligence officer, takes care of the military side. Wagner has been instrumental in Russia’s military efforts in Central Africa and Ukraine since 2014, rising to prominence after the Kremlin launched a full-scale war against the country in February 2022.