A ransomware gang called the Wagner Group has been spotted deploying malware and encouraging hackers to join its cause. Though the cybercriminals purport to represent the Russian paramilitary group that attempted to overthrow Vladimir Putin last weekend, security experts believe the malware it uses – which encrypts but does not steal data – is more consistent with that used by existing hacktivist gangs.

The Wagner Group
The Wagner Group soldiers pictured during Saturday’s rebellion. Is the group getting into the ransomware business? (Photo by Stringer/Anadolu Agency via Getty Images)

The gang’s activities have been detected on malware analytics platform VirusTotal, and posted online by security researchers and ransomware experts.

It follows Saturday’s attempted rebellion in Russia by The Wagner Group, a private army which has been working for Vladimir Putin’s government as part of the war in Ukraine. Wagner Group soldiers were marching on Moscow before being called off at the last minute by the group’s leader, Yevgeny Prigozhin.

The Wagner ransomware gang targets Russian defence minister Sergei Shoigu

The malware used by The Wagner Group ransomware gang has been identified as Chaos, an aggressive wiper often used by Russian hacktivist group Killnet. However, this particular strain appears to encrypt files and change the desktop before adding a ransom note, behaviour that is more consistent with ransomware. The malware does not exfiltrate any data, however.

According to a report by security company PC Risk, the malware will encrypt files within a system adding WAGNER to the end of the file name. Once this process is complete the malware changes the desktop wallpaper and creates a note titled “WAGNER.txt”.

The note explains that the attack “is intended for agitation, inducement, recruitment and other involvement of persons in the commission of illegal acts. Stop tolerating power! Let’s go to war against [Russian defence minister Sergei] Shoigu! If you want to go against the officials, hello from the good guy!”

This is followed by two Moscow phone numbers and claims to bear information from the “Official virus PMC Wagner employment vacancies service.”

Are hackers really working for the Wagner Group?

The use of Chaos as a malware strain, coupled with the ample use of the Wagner Group name in relation to an attack is more consistent with a hacktivism attempt than an underground recruitment campaign on the part of the paramilitary organisation, explains Allan Liska, computer incident response team lead at security company Recorded Future.

“It sounds like the Wagner Group is encouraging people to deploy ransomware,” he says. “But then it could just be somebody trying to draw negative attention to the private military company.”

Where the malware is deployed will betray more information about the motivation behind the attacks, Liska says. So far, no victims of the Wagner Group ransomware have come forward. “If this is something that’s being deployed in Russia against Russian citizens then that could, in effect, be a recruitment tool for the Wagner group, although not a great one,” Liska explains.

However, if the cyberweapon is deployed outside of Russia then it is more likely that someone is trying to get the Wagner Group in even more trouble. “Theoretically, this could turn the Russian people against the Wagner group because if you infect enough of them, the Russian public will get annoyed,” Liska says. As such, the gang may be hacktivists working on behalf of the Russian government.

Is Killnet behind the Wagner Group ransomware gang?

Ransomware researcher Jon DiMaggio is also sceptical that the gang has links to the Wagner Group. “The fact that Chaos is being used doesn’t seem to fit a plan that would benefit the Wagner Group whatsoever,” DiMaggio says. The group’s behaviour is more like “somebody who is an expert in doing this, like Killnet.”

Killnet has often publicly expressed its allegiance with Putin’s government, and has launched multiple DDoS attacks against Russia’s enemies since the war in Ukraine began. In November it hit the European Parliament, shutting its website down for several hours. It has also targeted other allies of Ukraine during the war, including Lithuania and Japan. DDoS attacks are relatively simple to launch, but are far less damaging than other types of cyberattacks.

Earlier this month the gang publicly threatened to bring down the entire European banking network, via a video in conjunction with Anonymous Sudan and REvil, though no attack was reported.

In an interview with the Russian news site Lenta, a leading member of the gang known as Killmilk claimed that the collective consists of “roughly 4,500 people” organised into various subgroups. While these subgroups operate independently, they occasionally coordinate their activities. Killnet has also claimed to have 280 members in the US, attributing an attack on Boeing to their US “colleagues”, states a report by security company Flashpoint.

Read more: Killnet claims Lockheed Martin DDoS attack