Warsaw

Malware

⚠️ Overview

Warsaw is a file‑encrypting ransomware family first documented by Cisco Talos in June 2021 and attributed to a Russian‑speaking threat actor tracked as TA‑563. Its operators exfiltrate data before encrypting it and use both the stolen data and the encrypted files for leverage in a double‑extortion scheme.

🔧 Technical Capabilities

Warsaw propagates primarily through phishing emails carrying malicious Microsoft Office documents. The document drops a VBScript downloader that fetches the payload from a hardcoded IP address (e.g., 185.225.19[.]145), so the initial stage depends entirely on the recipient opening the attachment. Once executed, the ransomware encrypts files matching 247 targeted extensions with ChaCha20 and appends the .warsaw extension to each encrypted file. C2 traffic goes over HTTPS with the custom user‑agent string Mozilla/5.0 (Windows NT 10.0; WOW64) WarsawClient/1.0; because the traffic is TLS‑wrapped, that user‑agent is only visible to a proxy or TLS‑inspecting gateway. Persistence is achieved through a scheduled task named WarsawSync that re‑runs the encryptor on reboot.

Evasion techniques include deleting shadow copies with vssadmin.exe delete shadows /all /quiet (this removes existing restore points rather than disabling the Volume Shadow Copy Service itself), overwriting the legitimate Windows binary WerFault.exe to blend in (a WerFault.exe that fails Authenticode validation or sits outside %SystemRoot%\System32 is the tell), and process hollowing into notepad.exe, which leaves a notepad.exe process making outbound network connections. The ransomware also clears Windows Event Logs with wevtutil cl to hinder forensic analysis, so only logs already forwarded to a central collector before infection can be relied on.

📜 History & Notable Incidents

The first publicly reported Warsaw incident, in July 2021, targeted a Polish manufacturing firm with a $500,000 Bitcoin ransom demand. In September 2021, the ransomware was used against a Ukrainian energy company, where the threat actor exfiltrated 350 GB of data before encryption. No CVEs have been tied to Warsaw; it relies on users opening phishing attachments rather than on software exploits. No law enforcement actions against its operators have been publicly reported.

🔍 Detection Indicators

The SHA‑256 listed for Warsaw, a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (attributed to a VirusTotal sample), follows a sequential placeholder pattern; confirm the value against VirusTotal before using it for blocking. Behavioral signatures include creation of the scheduled task WarsawSync, the mutex WarsawGlobalMutex, and the Run value Warsaw under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include connections to 185.225.19[.]145 over TCP/443 and the user‑agent string WarsawClient/1.0.
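The following Python is an added example written for this page, not tooling from Cisco Talos or from the page's sources. It hunts a constructed batch of flattened telemetry records (process creation, Security event 4698 task creation, registry writes, a sandbox mutex report and proxy/network events; the record schema, host names and non‑IOC sample values are assumptions) for the indicators listed above, and it goes one step beyond the list by flagging any outbound connection from notepad.exe, the observable side effect of the process hollowing described earlier, which keeps firing even if the operator rotates the C2 IP or user‑agent.

```python
"""Hunt constructed endpoint and proxy telemetry for the Warsaw indicators
listed above. Example code written for this page, not tooling from the
page's sources; the record schema, host names and sample values are assumed."""
import re
from dataclasses import dataclass

# Indicators taken from the page. The SHA-256 listed there is left out on
# purpose: it is a sequential placeholder pattern, not a verified sample hash.
C2_IP = "185.225.19.145"
USER_AGENT_FRAGMENT = "WarsawClient/1.0"
TASK_NAME = "WarsawSync"
MUTEX_NAME = "WarsawGlobalMutex"
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Warsaw"
HOLLOWING_HOST = "notepad.exe"

# Command lines for the defence-evasion steps the page names. Matched
# case-insensitively and leniently so that reordered switches still hit.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "event_log_clearing": re.compile(
        r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def hunt(records):
    """Return one Finding per indicator match.

    Each record is a dict with a 'type' key ('process', 'task_created',
    'registry_set', 'mutex' or 'network'), an assumed flattened export of
    Sysmon/Security/proxy events."""
    findings = []
    for r in records:
        host, kind = r.get("host", "?"), r["type"]
        if kind == "process":
            for name, rx in CMDLINE_RULES.items():
                if rx.search(r.get("cmdline", "")):
                    findings.append(Finding(name, host, r["cmdline"]))
        elif kind == "task_created":
            # Security event 4698 logs the task name with a leading backslash.
            if r.get("task_name", "").lstrip("\\").lower() == TASK_NAME.lower():
                findings.append(Finding("scheduled_task_persistence", host, r["task_name"]))
        elif kind == "registry_set":
            if r.get("target", "").lower() == RUN_VALUE.lower():
                findings.append(Finding("run_key_persistence", host, r["target"]))
        elif kind == "mutex":
            if r.get("name") == MUTEX_NAME:
                findings.append(Finding("mutex_observed", host, r["name"]))
        elif kind == "network":
            image = r.get("image", "").lower()
            dst = f"{r.get('dst_ip')}:{r.get('dst_port')}"
            if r.get("dst_ip") == C2_IP and r.get("dst_port") == 443:
                findings.append(Finding("c2_ip_connection", host, f"{image} -> {dst}"))
            if USER_AGENT_FRAGMENT in r.get("user_agent", ""):
                findings.append(Finding("c2_user_agent", host, r["user_agent"]))
            # notepad.exe has no reason to talk to the network; an outbound
            # connection from it is the side effect of the hollowing the page
            # describes and survives a changed C2 IP or user-agent.
            if image.endswith(HOLLOWING_HOST):
                findings.append(Finding("hollowed_notepad_network", host, f"{image} -> {dst}"))
    return findings


def rules_by_host(findings):
    """Group distinct rule names per host so a single benign hit (one
    vssadmin run by an admin) can be told from a host tripping several."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.host, set()).add(f.rule)
    return grouped


# Constructed sample telemetry: one infected workstation, one clean one, and
# a sandbox report that surfaced the mutex.
SAMPLE_RECORDS = [
    {"type": "process", "host": "ws-042",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws-042", "cmdline": "wevtutil cl Security"},
    {"type": "process", "host": "ws-042",
     "cmdline": "vssadmin list shadows"},          # benign, must not fire
    {"type": "task_created", "host": "ws-042", "task_name": "\\WarsawSync"},
    {"type": "registry_set", "host": "ws-042",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Warsaw"},
    {"type": "network", "host": "ws-042",
     "image": r"C:\Windows\System32\notepad.exe",
     "dst_ip": "185.225.19.145", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) WarsawClient/1.0"},
    {"type": "network", "host": "ws-017",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/91.0"},
    {"type": "mutex", "host": "sandbox-01", "name": "WarsawGlobalMutex"},
]

if __name__ == "__main__":
    for host, rules in sorted(rules_by_host(hunt(SAMPLE_RECORDS)).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

On the constructed sample, ws-042 trips all seven endpoint and network rules while the benign vssadmin list shadows and the Firefox session on ws-017 produce nothing; grouping by host is what separates an administrator's one‑off shadow‑copy cleanup from a machine showing persistence, evasion and C2 together.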

☠️ Risk & Impact

Warsaw encrypts files so that they cannot be recovered without the operator's key, causing operational downtime; in the 2021 Ukrainian energy incident, recovery costs exceeded $2 million. Stolen data is used for extortion, and the malware has primarily affected the manufacturing and energy sectors in Eastern Europe.

🛡️ Mitigation

Defenders should block the user‑agent WarsawClient/1.0 at the proxy (a user‑agent string is trivial for the operator to change, so treat this as a tripwire rather than a control), deploy YARA rules matching the mutex string WarsawGlobalMutex in binaries and memory, and enforce application allowlisting to stop the VBScript downloader stage from running. Allowlisting alone does not stop process hollowing, since notepad.exe is itself an allowed binary; pair it with EDR monitoring for notepad.exe creating network connections and for vssadmin.exe delete shadows and wevtutil cl command lines. Microsoft Defender for Endpoint has had a detection named Ransom:Win32/Warsaw!threat since July 2021.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.