CyberWare hackers aim justice: DDoS and ransomware attacks on scammers

A group of hackers dubbed CyberWare arrange targeted DDoS attacks over rogue websites and spread MilkmanVictory ransomware to scammers

CyberWar attempt to fight against supposed loan scammers by attacking them with DDoS and ransomware virus

A self-appointed group of hacked dubbed as CyberWare is trying to undertake law enforcement in the fight with, as they claim, scammers, fake banks, and fake loan sites. The group resurfaced on the 16th of May when a ransomware researcher GrujaRS^[1] detected MilkmanVictory ransomware on the landscape, which turned out to be managed by the CyberWare hackers and used for supposedly targeted attacks over scammers.

The group kept in touch with the cybersecurity team members. However, they do not expatiate on what scam websites or scammers they are planning to arrange attacks or what evidence underlies their decisions. However, researchers revealed that hackers managed to arrange multiple denials of service (DDoS)^[2] attacks on over 20 supposedly “loan scam” companies, including German Lajunen Loan (a.k.a. Banwulaina, Zorgolaina, T-laina, etc.) and BDF Bank whose websites are currently down.

After cheating on hackers, scammers can expect to get MilkmanVictory ransomware

Armed by MilkmanVictory ransomware hackers seek justice over scammers who are supposedly providing rogue loan offers and trick people into paying the initial fees and finally ending up with no loan. Here's how the official slogan of the CyberWre group looks like^[3]:

We are anonymous.
We are legion.
We do not forgive.
We do not forget.
Expect us.

There’s no proof of evidence that any of the websites and people attacked by the CyberWare group’s ransomware and DDoS are guilty of scam campaigns. It seems that the group is propagating vigilantism and attempt to become real-life heroes.

While contemplating whether these guys are bad or good, it’s obvious that they are IT savvy experts who managed to create fully-functioning ransomware, which is already in the wild. Dubbed MilkmanVictory, the virus is being distributed via spearphishing emails that contain links to executables looking like PDF files.

Once the payload of the MilkmanVictory ransomware is launched, files on the infected machine get encrypted by .paradox! the file extension and the victim are presented with a text file READ_ME.txt that stands for a ransom note. The note contains the following string:

Hello!, This computer has been destroyed with the MilkmanVictory Ransomware because we know you are a scammer! CyberWare Hackers 🙂

The criminals behind this ransomware do not seem to have financial reasons. The owners of the virus do not provide conditions, ransom size, or contacts. All they state that the computer is destroyed with no way out.

The ransomware has genealogical associations with HiddenTear

According to the CyberWare gang, the MilkmanVictory ransomware is based on the HiddenTear^[4] ransomware code. The latter has been launched in 2015 and due to an open-source code it resulted in a massive outbreak.

The history of this cyber infection is rather interesting as it has first been released by a reputable Turkish programmer named Utku Sen who uploaded the payload of the HiddenTear in GitHub with an intention it will be used for educational purposes. Since the first exploitation of this virus for extorting money from people, hackers exploited the source code of the program tens of times and earned thousands of dollars.

Luckily, researchers Michael Gillespie and Fabian Wosar did a great job and after a while investigating the source code and other traits of the HiddenTear released its official decryption software^[5]. Thus, all victims that have already been attacked by the HiddenTear-based MilkmanVictory can try to restore the damaged files with official decryption software.

The campaign that the CtberWare vigilante hackers are actively promoting as an act of justice is very vague and reminds a war between cybercriminals groups.