Team Kerala Cyber Warriors, a hacking group based out of India, have begun to install ransomware on web sites based out of Pakistan. This ransomware, called KCW Ransomware, encrypts the files on a web site and then demands a ransom payment in order to get the files back.

You can see a demonstration below of a web site infected by the KCW Ransomware.

I first learned about the KCW Ransomware from a security researcher named nullcookies.

When the KCW Ransomware is installed on a site, the site's files will be encrypted and have the the .kcwenc extension appended to them. You can see an example of encrypted files below.

Encrypted Web Site
Encrypted Web Site

The attack will also leave behind a file name kcwdecrypt.php, which when opened displays a ransom note that claims to have been left by an Anonymous group named the Team Kerala Cyber Warriors. This note explains what happened to the site and provides a way to contact the group at their Facebook page.

KCW Ransomware Ransom Page
KCW Ransomware Ransom Page

The web pages created by this group are well done and happen to play a background song that I must have played over and over. You can hear this music in the video above.

It is not currently known if there is a particular platform being targeted or how the attackers are gaining access to the sites. Furthermore, it is not known if the group is actually decrypting files if a victim pays the ransom.

Attacks motivated by injustice or politics

The attacks being performed by Team Kerala Cyber Warriors, the Indian hacking group behind the KCW Ransomware, appear to be politically motivated. Based on the posts to their Facebook page, these attacks are being performed due to government injustice and corruption and against sites located in Pakistan.

For example, a previous hack protested against the horrific torture and rape of an 8 year old girl named Asifa Bano.

Defacement Demanding Justice for Asifa
Defacement Demanding Justice for Asifa

While their Wikipedia page states that Team Kerala Cyber Warriors were disbanded in January 2018, it appears that they, or someone representing them, is still active

Related Articles:

The Week in Ransomware - December 14th 2018 - Slow Week

Company Pretends to Decrypt Ransomware But Just Pays Ransom

The Week in Ransomware - December 7th 2018 - WeChat Ransomware, Scammers, & More

Ransomware Infects 100K PCs in China, Demands WeChat Payment

Chinese Police Arrest Dev Behind UNNAMED1989 WeChat Ransomware