Home Malware Programs Ransomware KCW Ransomware

KCW Ransomware

Posted: April 30, 2018

The KCW Ransomware is a file-locking Trojan that blocks websites after compromising their servers. This threat's campaign has associations with political activism against Pakistan-based domains, but its encryption attack can damage the files of all affected sites. Recover from a backup, when possible, and uninstall the KCW Ransomware from an infected PC with a trustworthy brand of anti-malware software.

Online Politics Get Ugly Again

The KCW Ransomware, first identifiable as long ago as 2016, is starting up more attacks against Pakistan-based sites, such as arainwelfare.org and planvent.com. Like the highly similar KimcilWare Ransomware, the KCW Ransomware is a server-side program that uses PHP scripts for encrypting all files associated with running the website. Although the KCW Ransomware takes its name from the Kerala Cyber Warriors, a supposedly defunct organization, either an ex-member or hijacker of the brand is continuing the deployment of the KCW Ransomware for collecting ransoms.

The KCW Ransomware adds the '.kcwenc' extension to the HTML, JS, and other files that it encrypts and locks, and also hijacks the affected site's index page. The new index redirects towards a custom website for extorting money for a decryption key and includes significant design elements, such as background music and an Anonymous-themed logo. However, as of malware experts' last visits, the ransom pages include bugs that prevent the paying of any money for the decryption solution that would, in theory, restore the victim's site.

Website owners should avoid paying until attempting other solutions, such as recovering from their last backup or testing the compatibility of free decryption software. Paying the ransom may not result in a real decryption service, and threat actors often request a cryptocurrency, voucher, or another payment method that prevents any victims from getting refunds.

Keeping Political Protests from Turning into Harmful Actions

Unlike those of the VevoLocker Ransomware's similarly website-sabotaging campaign, the KCW Ransomware's 2018 infection methods are not yet verifiable by malware researchers. RDP-based manual installations, e-mail attachments, exploit kit-based drive-by-downloads, and remote code-executing vulnerabilities are all techniques in use as of the present day. Some sources also are linking the KCW Ransomware's latest wave of attacks to compromised Chrome extensions.

Server admins should update their management software, use secure passwords with complex strings of alphanumeric characters, and avoid enabling any Remote Desktop features unnecessarily. Because the KCW Ransomware has yet to have a definitive decryption solution available to the public, any websites without backups may have their data damaged by the encryption attack permanently. As in similar cases, any traditional anti-malware product should delete the KCW Ransomware before its payload launches.

The apparent disbanding of the 'KCW' group of threat actors isn't doing anything to halt or slow down ongoing attacks from the KCW Ransomware. Whether it's a byproduct of the misdeeds of a true successor of those political activists or a recognition-collecting hijacker, this file-locker Trojan gives all Web admins more incentive for backing up and securing their websites' data.

Loading...