
KCW Ransomware

By GoldSparrow in Ransomware

The KCW Ransomware is an encryption ransomware Trojan released by a group calling itself 'Team Kerala Warriors,' or 'Team KCW' for short. The group considers itself a White Hat hacking crew that attacks websites and servers promoting sexual harassment and trafficking, particularly those located in India. It also blocks pages linked to Pakistan's government, a reflection of the troubled relationship between India and Pakistan. KCW Ransomware attacks have been reported on various websites and servers, targeting victims with the political or criminal ties that 'Team KCW' specifically hunts down. Unlike most other ransomware Trojans, the KCW Ransomware does not demand a ransom payment; once the victim's files have been encrypted, they are effectively lost. However, the KCW Ransomware and threats like it can easily be adapted and used against other targets that have no such misdeeds or political connections.

The KCW Ransomware Limits Its Attacks to Specific Targets

The KCW Ransomware has been used in attacks against a couple of websites that have since been taken down, and the KCW group itself disbanded in February 2018. However, the KCW Ransomware continues to be used against specific servers and websites, which makes it likely that the group is still active. The KCW Ransomware's controllers scan the targeted website for weak security protections and then attempt to gain access by brute-force guessing of login credentials and by exploiting known software vulnerabilities. The KCW Ransomware targets file types that are critical to the website's infrastructure, such as CSS, HTML, PHP and JS files. It also targets media files, which may include text, video, image and numerous other formats. The KCW Ransomware appears to be engineered specifically to bring websites and servers down, unlike most other encryption ransomware Trojans, which are designed to encrypt individual computer users' machines and files.
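The brute-force credential guessing described above leaves a clear footprint in web server access logs: one client address issuing many POST requests to the login endpoint in a short window. The following script is an added example for this write-up (not code from the page or from the KCW group) that parses Apache/nginx "combined" format log lines and flags addresses that exceed a threshold of login POSTs inside a sliding time window. The log lines are constructed, and the login path, window and threshold are assumptions to be tuned for the site being monitored.

```python
"""Flag client addresses that hammer a login endpoint, from web access logs.

Added illustration for the KCW Ransomware write-up; not code from the page or
from the KCW group. SAMPLE_LOG below is constructed; LOGIN_PATH, the window
and the threshold are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip - - [ts] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"  # assumption: a WordPress-style login endpoint


def parse_line(line):
    """Return a dict with ip, timestamp, method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, login_path=LOGIN_PATH,
                    window=timedelta(minutes=5), threshold=10):
    """Return {ip: total_login_posts} for every ip that sent at least
    `threshold` POSTs to login_path within any `window`-long interval."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == login_path:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# ---- constructed sample log (TEST-NET addresses, not real clients) ----
def _line(ip, ts, method, path, status):
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


_BASE = datetime(2018, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 12 login POSTs from one address in under two minutes: brute-force pattern
    [_line("203.0.113.7", _BASE + timedelta(seconds=9 * i), "POST", LOGIN_PATH, 200)
     for i in range(12)]
    # 3 login POSTs spread over 20 minutes: ordinary user mistyping a password
    + [_line("198.51.100.4", _BASE + timedelta(minutes=10 * i), "POST", LOGIN_PATH, 200)
       for i in range(3)]
    # unrelated traffic
    + [_line("192.0.2.9", _BASE + timedelta(seconds=30), "GET", "/index.php", 200)]
)

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force: {ip} sent {count} POSTs to {LOGIN_PATH}")
```

Failed logins against many PHP applications return 200 with an error page rather than a 401, so the detector counts POSTs to the login path regardless of status; pair a flagged address with rate limiting or account lockout at the web server, and treat a burst that is followed by file changes in the web root as a likely compromise rather than a nuisance.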

What Happens after a KCW Ransomware Attack

After the KCW Ransomware has managed to attack a Web server, when someone tries to connect to the compromised Web page, the visitor is redirected to a custom Web page that contains the following error report:

'Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /home4/ztauseef/public_html/planavent.com/kcwdecrypt.php:2) in /home4/ztauseef/public_html/planavent.com/kcwdecrypt.php on line 3

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /home4/ztauseef/public_html/planavent.com/kcwdecrypt.php:2) in /home4/ztauseef/public_html/planavent.com/kcwdecrypt.php on line 3

Team Kerala Cyber Warriors
YOUR SITE IS INFECTED BY the KCW Ransomware
YOUR FILES HAVE BEEN ENCRYPTED
ENTER THE KEY TO DECRYPT FILES
WE ARE LEGION... WE DO NOT FORGIVE.. WE DO NOT FORGET... EXPECT US'

This message from the team responsible for the KCW Ransomware announces that the victim's files have been encrypted and will not be restored. The KCW Ransomware enciphers the files so that they cannot be recovered without the decryption key generated during the encryption process. There is no confirmation that the team behind the KCW Ransomware attacks is who it claims to be, or whether a third party has hijacked the group's ideals to carry out attacks. For this reason, PC security researchers do not endorse vigilante activity or this type of self-appointed policing.

Dealing with a KCW Ransomware Infection

Dealing with the KCW Ransomware, as with most encryption ransomware Trojans, involves using file backups to restore access to the affected system. PC security analysts advise computer users to format their drives and restore their servers from backup copies and backup disk images. They also should reset credentials and enable strong security measures so that attacks involving threats like the KCW Ransomware are not repeated, and so that the vulnerabilities that allowed the KCW Ransomware to be installed are removed from the affected server.
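Before a restored web server goes back online it is worth proving that the web root matches the clean backup and that nothing from the attack survived the restore. The script below is an added example for this write-up (not code from the page or from the KCW group) that compares a web root against a manifest of SHA-256 hashes taken from the backup, reports modified, missing and unexpected files, and separately flags CSS/HTML/PHP/JS files whose content has the near-random byte distribution of ciphertext. The temporary web root, its files and the leftover `kcwdecrypt.php` (the file name from the warning quoted above) are constructed for the demonstration; the entropy threshold is an assumption.

```python
"""Audit a restored web root against a backup manifest and flag leftovers.

Added illustration for the KCW Ransomware write-up; not code from the page
or from the KCW group. The manifest format ({relative_path: sha256_hex}),
the constructed files in demo(), and the entropy threshold are assumptions.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# the file types the write-up says the KCW Ransomware targets
WEB_EXTS = {".css", ".html", ".php", ".js"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, ciphertext or random data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def audit_webroot(root, manifest, entropy_threshold=7.5):
    """Compare the current web root with the backup manifest.

    Returns sorted lists: modified (hash differs), missing (in manifest only),
    unexpected (on disk only, e.g. an attacker's leftover script) and
    high_entropy (web files that still look encrypted)."""
    current = build_manifest(root)
    report = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)
        if os.path.splitext(rel)[1].lower() in WEB_EXTS:
            with open(os.path.join(root, rel), "rb") as f:
                if shannon_entropy(f.read()) >= entropy_threshold:
                    report["high_entropy"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed scenario: clean backup manifest, then a web root where one
    file was overwritten (random bytes stand in for ciphertext), one was
    deleted, and the attacker's script was left behind."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "index.php": b"<?php echo 'hello'; ?>\n",
            "style.css": b"body { color: #333; }\n",
            "app.js": b"console.log('ok');\n",
            os.path.join("images", "logo.txt"): b"placeholder image\n",
        }
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(root)  # taken while the root is clean

        # post-incident state (constructed)
        with open(os.path.join(root, "index.php"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(root, "app.js"))
        with open(os.path.join(root, "kcwdecrypt.php"), "wb") as f:
            f.write(b"<?php session_start(); ?>\n")
        return audit_webroot(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The entropy check is a second opinion on the hash comparison: it catches encrypted files even when no manifest exists for a directory, but it will also flag legitimately compressed or minified assets, so treat it as a triage aid rather than a verdict. Any unexpected file, especially a PHP script the site never shipped, should be examined and removed before the server returns to service.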
