A hacker has been targeting 'scam' companies with denial of service and ransomware attacks. The CyberWare hacker group was seen attacking several companies with DDoS attacks and ransomware, attempting to take down their websites or wipe their data. According to the hacker contacted by security researchers, the companies being targeted are allegedly under attack because they 'deserve it' for scamming innocent people.
The ransom notes in the attacks state that the targeted computers were destroyed because the attackers 'know you are a scammer'. Companies affected by the CyberWare attacks may recover their data using decryptor tools based on Hidden Tear since the MilkVictory malware used in this case is based on it.
A New Breed of Vigilante Hackers
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, said the attack shows a new breed of vigilante hackers who feel they need to get revenge on companies believed to scam their users. According to Hauk, the main danger is the ambiguity over who decides which companies to target and which offenses are cause for revenge.
Javvad Malik, Security Awareness Advocate at KnowBe4, said it could be difficult to sympathize with scammers and other criminals hit by a DDoS attack or ransomware. Taking down scammers isn't a job for the average person, he said, and should be left to law enforcement.
"One of the challenges with hacking bad guys is that they often operate using infrastructure that they have compromised. So, many times launching an attack against them can result in innocent victims being caught in the virtual crossfire," Malik added.
A famous example of a vigilante hacking group is Anonymous, a loose organization that has operated in secret for years. The group gained fame when it took out the Daily Stormer, a right-wing activist website, back in 2017. The attack on the website took place after a rally held in Charlottesville, Virginia, that turned violent. Anonymous also targeted websites run by the Ministry of Public Works and Transport in Spain, as well as the constitutional court, supporting a referendum calling for Catalonian independence from Spain.
As part of the current attacks, the threat actors send off phishing emails containing links to fake PDF files. The files are executables spreading malware. Denial of service attacks are also aimed at taking down company websites. The ransomware acting as a wiper in the attacks has no contact information and does not save an encryption key.
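A defender-side check for the delivery method described above, as an added example that is not from the original article: it compares what a downloaded file's name claims with its leading bytes, to flag a Windows executable presented as a PDF. The function names, file names and byte strings are constructed for illustration.

```python
import struct

PDF_MAGIC = b"%PDF-"

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def classify(filename: str, data: bytes) -> str:
    """Compare what the name claims with what the bytes actually are."""
    # Windows drops trailing dots and spaces, so normalise them away first.
    name = filename.lower().rstrip(". ")
    if ".pdf" not in name:          # covers report.pdf and report.pdf.exe
        return "not-pdf-lure"
    if is_pe(data):                 # checked first so a PE/PDF polyglot is still flagged
        return "executable-posing-as-pdf"
    # Some readers accept the PDF header anywhere in the first 1024 bytes.
    if PDF_MAGIC in data[:1024]:
        return "pdf"
    return "unknown-content"

def _sample_pe() -> bytes:
    """Constructed minimal PE-like header (not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\0\0" + b"\0" * 20

# Constructed samples: name -> leading bytes of the file.
SAMPLES = {
    "invoice.pdf": _sample_pe(),                 # PE bytes behind a .pdf name
    "invoice.pdf.exe": _sample_pe(),             # double extension
    "manual.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "notes.pdf": b"MZ is just text here",        # 'MZ' alone is not a PE
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify(name, blob)}")
```
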