Avengers ransomware strikes Scammers to destroy their networks

Although the malicious hacking community is huge, it is fair to mention that there are also hackers dedicated to protecting less experienced users in the world of cybersecurity. Specialists in a hacking course detected a hacking group that has been taking justice into its own hands, attacking organizations dedicated to Internet scams, ransomware infections and denial-of-service (DDoS) attacks.

According to a message posted on Twitter, this group, which calls itself CyberWare, was created for the specific purpose of attacking online scammers. “This is a ransomware we invented to send to scammers,” the group mentions in a post, referring to the MilkmanVictory encryption malware variant.

A group of hacking course experts managed to contact CyberWare members to learn more about their attack campaign against specific hacker groups. “In these campaigns, users are told that they will receive a loan, although they must first pay a kind of guarantee. In the end, the victims do not receive the promised loan and lose the money sent,” the hackers said. Part of these attacks involves messages sent via email (phishing) that contain executables. Hackers also deploy denial-of-service attacks to take down websites, the hacking course experts mention.

CyberWare hackers claim that criminals also distribute ransomware, although in reality the malware they use works more as a file removal tool, as CyberWare members believe that hackers don’t even have the decryption keys for the ransomware they use in their attacks.

In retaliation, CyberWare also sends ransomware to criminals. The malware used by this group also does not have a decryption key, so the systems used by the hackers would be permanently encrypted. Instead of the traditional ransom note, the criminals find a message from CyberWare mentioning “You’re a Scammer”. In this regard, the vigilante hackers mention: “We don’t ask for money because the scammers don’t deserve to pay a ransom in exchange for recovering your files. Thousands of innocent people fall into their traps, this must end.”

The hacker group claims that one of its newest victims is Lajunen, a Germany-based loan firm, whose website is inactive after being targeted by DDoS attacks and ransomware infections. CyberWare mentions that the ransomware is based on HiddenTear, meaning it can be decrypted using brute force.

According to the International Institute for Cyber Security (IICS), the firm has already been asked about the incident, although it has not issued any official statement. Users who have suffered an infection with the HiddenTear variant can recover their files for free using the decryption tool available from No More Ransom.