A few days after defacing the BJP party’s official J&K state website, Team Kerala Cyber Warrior has struck again, and this time their targets were Pakistani websites. KCW reportedly infected multiple sites with a ransomware and tried to extort money to decrypt the files.
According to a report from Bleeping Computer, the group is targeting Pakistan websites and seeding what is called the KCW Ransomware which encrypts the website content, which can only be recovered with a decryption key after the owner pays the ransom.
The hack was spotted by Twitter user @nullcookies, who also submitted a few screenshots of a defaced website along with the encrypted files, all of which come with the ‘.kcwenc’ extension. FAn accessory file named ‘kcwdecrypt.php’ is left in the website’s file storage system after the attack, which contains details about how the victim can contact the group and recover the files after paying the ransom amount.
Anyone familiar with ransomware that encrypts web files and then appends file names names with .kcwenc? Interesting story behind it involving Indian cyber-vigilantes compromising Pakistani web hosts. A complete mess dev-wise, but cool backstory. Hadn't seen this before today. pic.twitter.com/yrPljBTPoP
— nullcookies (@nullcookies) April 25, 2018
KCW’s attacks in the past have been motivated by a political or social incident, but in this case, there does not seem to be any sign of such an agenda here. However, this is not the first time they have targeted a Pakistan website, as the group also defaced the homepage of the Pakistan Academy for Rural Development’s website to protest the death sentence given to Kulbhushan Jadhav by a military court back in 2017. Moreover, the group also claimed to have hacked 50 websites based out of Pakistan on the eve of Independence Day in 2016.
