Team Kerala Cyber Warriors, a hacking group based out of India, have begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.

You can see a demonstration below of a web site infected by the KCW Ransomware.

I first learned about the KCW Ransomware from a security researcher named nullcookies.

When the KCW Ransomware is installed on a site, the site's files will be encrypted and have the the .kcwenc extension appended to them. You can see an example of encrypted files below.

Encrypted Web Site
Encrypted Web Site

The attack will also leave behind a file name kcwdecrypt.php, which when opened displays a ransom note that claims to have been left by an Anonymous group named the Team Kerala Cyber Warriors. This note explains what happened to the site and provides a way to contact the group at their Facebook page.

KCW Ransomware Ransom Page
KCW Ransomware Ransom Page

The web pages created by this group are well done and happen to play a background song that I must have played over and over. You can hear this music in the video above.

It is not currently known if there is a particular platform being targeted or how the attackers are gaining access to the sites. Furthermore, it is not known if the group is actually decrypting files if a victim pays the ransom.

Attacks motivated by injustice or politics

The attacks being performed by Team Kerala Cyber Warriors, the Indian hacking group behind the KCW Ransomware, appear to be politically motivated. Based on the posts to their Facebook page, these attacks are being performed due to government injustice and corruption and against sites located in Pakistan.

For example, a previous hack protested against the horrific torture and rape of an 8 year old girl named Asifa Bano.

Defacement Demanding Justice for Asifa
Defacement Demanding Justice for Asifa

While their Wikipedia page states that Team Kerala Cyber Warriors were disbanded in January 2018, it appears that they, or someone representing them, is still active

Related Articles:

Princess Evolution Ransomware is a RaaS With a Slick Payment Site

Hackers Steal $13.5 Million Across Three Days From Indian Bank

Former Microsoft Engineer Gets 18 Months in Prison for Role in Ransomware Scheme

New Cmb Dharma Ransomware Variant Released

The Week in Ransomware - August 10th 2018 - BitPaymer & KeyPass