{
	"id": "45537601-1855-4e9e-81dc-dfa7a76a4055",
	"created_at": "2026-04-06T00:08:45.114367Z",
	"updated_at": "2026-04-10T03:20:19.76284Z",
	"deleted_at": null,
	"sha1_hash": "545d3ea8be8a9e5dd29ec871e97580fdcf604ff0",
	"title": "Ransomware Roundup – New Vohuk, ScareCrow, and AERST Variants",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63613,
	"plain_text": "Ransomware Roundup – New Vohuk, ScareCrow, and AERST\r\nVariants\r\nPublished: 2022-12-08 · Archived: 2026-04-05 20:29:13 UTC\r\nOn a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining\r\ntraction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers\r\nwith brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those\r\nvariants.\r\nThis latest edition of the Ransomware Roundup covers Vohuk, ScareCrow, and AERST ransomware.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Encrypts files on the compromised machine and demands ransom for file decryption\r\nSeverity level: High\r\nVohuk Ransomware\r\nLike most ransomware, the new Vohuk variant encrypts files on compromised machines and tries to extort money\r\nfrom victims. Its dropped ransom note, “README.txt”, asks victims to contact the attacker via email with a\r\nunique ID assigned to each victim. As seen in the ransom note, this Vohuk ransomware variant is version 1.3,\r\npotentially indicating that the attacker has updated the ransomware several times.\r\nFiles encrypted by Vohuk ransomware have a “.Vohuk” file extension. It also replaces file icons with a red lock\r\nicon.\r\nThe ransomware also replaces the desktop wallpaper with its own.\r\nThe ransomware leaves a distinctive mutex, “Global\\\\VohukMutex”, which prevents different instances of Vohuk\r\nransomware from running on the same system.\r\nBased on the file submission locations to VirusTotal, Vohuk ransomware has primarily affected Germany and\r\nIndia.\r\nScareCrow Ransomware\r\nScareCrow is another typical ransomware that encrypts files on victims’ machines. Its ransom note, also titled\r\n“readme.txt”, contains three Telegram channels that victims can use to speak with the attacker. 
While no financial\r\ndemand is requested in the ransom note, victims will most likely be asked to pay ransom to recover their\r\nencrypted files. At the time of this writing, those three Telegram channels were unavailable.\r\nScareCrow ransomware appears to have some similarities with the infamous Conti ransomware: both use the\r\nCHACHA algorithm to encrypt files and delete shadow copies using wmic based on shadow copy IDs. This is not\r\nhttps://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants\r\nPage 1 of 4\n\nall that surprising because the Conti ransomware source code was reportedly leaked earlier in the year. However,\r\nthe ScareCrow threat actor put some effort into developing this ransomware variant, as our analysis found some\r\nsignificant differences. For example, Conti encrypts all command strings with one decryption routine, whereas\r\nScareCrow encrypts every string, including the name of the DLLs it loads (i.e., kernel32), the name of the APIs it\r\nuses, and even the command strings with its own decryption routine.\r\nScareCrow ransomware adds a “.CROW” file extension to affected files.\r\nScareCrow ransomware files were submitted to VirusTotal from Germany, India, Italy, the Philippines, Russia, and\r\nthe United States. This indicates that this ransomware is relatively widespread, albeit by using unknown infection\r\nvectors.\r\nAESRT Ransomware\r\nAESRT is a new ransomware strain that FortiGuard Labs recently came across. It encrypts files on compromised\r\nmachines and appends an “.AESRT” file extension to the files it encrypts. Instead of leaving a ransom note, the\r\nransomware displays a popup window that includes the attacker’s email address. It also accepts a field to enter the\r\npurchased key required to decrypt the ransomed files. 
The ransomware also deletes shadow copies, which inhibits\r\nthe victim’s ability to recover files.\r\nFortinet Protection\r\nFortinet customers are already protected from these malware variants through FortiGuard’s AntiVirus and\r\nFortiEDR services, as follows:\r\nFortiGuard Labs detects known Vohuk, ScareCrow, and AESRT ransomware variants with the following AV\r\nsignatures:\r\nVohuk ransomware\r\nW32/Ransom.FYWDOCB!tr.ransom\r\nW32/Filecoder.OKE!tr.ransom\r\nW32/Filecoder.RTH!tr.ransom\r\nScareCrow ransomware\r\nW32/Conti.F!tr.ransom\r\nAESRT ransomware\r\nMSIL/Filecoder.ACE!tr.ransom\r\nW32/Filecoder.ACE!tr.ransom\r\nIOCs\r\nVohuk ransomware\r\nf570a57621db552526f7e6c092375efc8df2656c5203209b2ac8e06a198b8964\r\n339a6e6e891d5bb8f19a01f948c352216e44656e46f3ee462319371fd98b3369\r\n5af5401f756753bebec40c1402266d31cb16c3831cb3e9e4fe7f8562adadeee7\r\nScareCrow ransomware\r\n7f6421cdf6355edfdcbddadd26bcdfbf984def301df3c6c03d71af8e30bb781f\r\na4337294dc51518284641982a28df585ede9b5f0e3f86be3c2c6bb5ad766a50f\r\nbcf49782d7dc8c7010156b31d3d56193d751d0dbfa2abbe7671bcf31f2cb190a\r\nAESRT ransomware\r\n05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f\r\nb6743906c49c1c7a36439a46de9aca88b6cd40f52af128b215f808a406a69598\r\nFortiGuard Labs Guidance\r\nDue to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the\r\nunwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS\r\nsignatures up to date.\r\nSince the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet\r\nsolutions designed to train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing 
threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nOur FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed\r\nto help end users learn how to identify and protect themselves from various types of phishing attacks and can be\r\neasily added to internal training programs.\r\nOrganizations will need to make foundational changes to the frequency, location, and security of their data\r\nbackups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with\r\ndigital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks\r\ncan come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices;\r\nadvanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware\r\nmid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and\r\nresources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a\r\nsuccessful ransomware attack.\r\nAs part of the industry's leading fully integrated Security Fabric, delivering integration and automation across\r\nyour security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.\r\nBest Practices include Not Paying a Ransom\r\nOrganizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom\r\npartly because payment does not guarantee that files will be recovered. According to a U.S. 
Department of\r\nTreasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to\r\ntarget additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit\r\nactivities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a\r\nRansomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes\r\nComplaint Center (IC3).\r\nHow Fortinet Can Help\r\nFortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is\r\ndetected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare\r\nfor a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop\r\nexercises).\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nAI-powered security services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants"
	],
	"report_names": [
		"ransomware-roundup-new-vohuk-scarecrow-and-aerst-variants"
	],
	"threat_actors": [],
	"ts_created_at": 1775434125,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/545d3ea8be8a9e5dd29ec871e97580fdcf604ff0.pdf",
		"text": "https://archive.orkl.eu/545d3ea8be8a9e5dd29ec871e97580fdcf604ff0.txt",
		"img": "https://archive.orkl.eu/545d3ea8be8a9e5dd29ec871e97580fdcf604ff0.jpg"
	}
}