Hakuna Matata
Hakuna Matata is a ransomware family observed in a high-severity, multi-stage Windows phishing campaign primarily targeting users and organizations in Russia. In the reported activity, a Hakuna Matata-derived payload was delivered after initial access via Russian-language business/accounting-themed archive files containing malicious LNK shortcuts. The infection chain relied on native Windows components, including PowerShell, VBScript, registry changes, and file association hijacking, rather than software exploits. The campaign fetched staged payloads from public services including GitHub and Dropbox, used repeated UAC prompts for elevation, disabled Microsoft Defender through PowerShell and registry changes, and abused the Defendnot tool to register a fake antivirus and suppress Defender. Associated payloads included reconnaissance and screenshot capture modules exfiltrating via the Telegram Bot API, plus Amnesia RAT for remote access and theft of browser, Telegram, Discord, Steam, and cryptocurrency wallet data.

The Hakuna Matata-derived ransomware stage was identified as WmiPrvSE.scr. It encrypted numerous file types including documents, source code, and application assets; renamed encrypted files with the extension @NeverMind12F; dropped a ransom note named ЧИТАЙМЕНЯ.txt; changed the desktop wallpaper; and hijacked the clipboard to replace cryptocurrency wallet addresses. Reporting also states that it terminated processes associated with databases, office/email clients, virtualization platforms, and security tools before encryption, disabled recovery using reagentc, wbadmin, and vssadmin, and in some cases was paired with a WinLocker component (gedion.scr) that locked the desktop and instructed victims to contact the attacker via Telegram.

High-confidence artifacts mentioned in the reporting include the ransomware payload name WmiPrvSE.scr, the encrypted-file extension @NeverMind12F, the ransom note ЧИТАЙМЕНЯ.txt, and Telegram-based victim contact instructions.
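As an added example (not from the reporting above or from any vendor's detection content), the following Python sketch turns the named artifacts into a single detection pass over constructed process-creation and file-write telemetry: it flags the recovery-inhibition commands, the @NeverMind12F rename, the ЧИТАЙМЕНЯ.txt note, and the WmiPrvSE.scr / gedion.scr payload names, and alerts on one high-confidence hit or a burst of renames. The pipe-delimited log format, the user name in the paths, and the exact command-line switches for vssadmin, wbadmin, and reagentc are assumptions.

```python
import re
from collections import Counter
ENCRYPTED_EXT = "@NeverMind12F"        # artifacts named in the reporting above
RANSOM_NOTE = "ЧИТАЙМЕНЯ.txt"
PAYLOAD_NAMES = {"wmiprvse.scr", "gedion.scr"}  # .scr lures, not the legitimate WmiPrvSE.exe
# Recovery-inhibition patterns for the three tools named; the switches are assumed, not from the page.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I),
    re.compile(r"\breagentc(\.exe)?\b.*/disable\b", re.I),
]

def classify(kind: str, value: str) -> list:
    """Tag one event: kind 'process' (value = command line) or 'file' (value = path written)."""
    tags = []
    if kind == "process":
        if any(p.search(value) for p in RECOVERY_TAMPER):
            tags.append("recovery_tamper")
        image = (value.split() or [""])[0].strip('"').rsplit("\\", 1)[-1].lower()
        if image in PAYLOAD_NAMES:
            tags.append("known_payload_name")
    elif kind == "file":
        name = value.rsplit("\\", 1)[-1]
        if name.endswith(ENCRYPTED_EXT):  # assumes the extension is appended to the original name
            tags.append("encrypted_file_ext")
        if name == RANSOM_NOTE:
            tags.append("ransom_note")
    return tags

def scan_log(text: str) -> Counter:  # count indicator hits over 'kind|value' lines
    counts = Counter()
    for line in text.splitlines():
        if "|" in line:  # malformed lines are skipped rather than raising
            kind, value = line.split("|", 1)
            counts.update(classify(kind.strip(), value.strip()))
    return counts

def should_alert(counts, rename_threshold: int = 5) -> bool:
    """One hit on a high-confidence artifact alerts; renames need a burst so a stray file does not page anyone."""
    strong = ("ransom_note", "known_payload_name", "recovery_tamper")
    return any(counts.get(k, 0) for k in strong) or counts.get("encrypted_file_ext", 0) >= rename_threshold
# Constructed sample telemetry, not real logs; the user name and paths are invented.
SAMPLE_LOG = """\
process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
process|"C:\\Users\\ivan\\AppData\\Roaming\\WmiPrvSE.scr"
file|C:\\Users\\ivan\\Documents\\report.docx@NeverMind12F
file|C:\\Users\\ivan\\Desktop\\ЧИТАЙМЕНЯ.txt
process|reagentc.exe /disable
file|C:\\Users\\ivan\\Documents\\plan.xlsx
"""
```

On the sample above, scan_log reports two recovery-tamper hits plus one each for the payload name, the renamed file, and the ransom note, and should_alert returns True.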
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Ransomware-derived payload used to encrypt documents, source code, and application assets.
Ransomware component that encrypts a wide range of file types; campaign also includes behaviors like hijacking file associations to display ransom messages, potential WinLocker activation, and clipboard cryptocurrency address replacement to attacker-controlled wallets.
Ransomware stage that encrypts a wide range of file types, renames files with extension @NeverMind12F, drops ransom note ЧИТАЙМЕНЯ.txt, changes wallpaper, terminates processes to maximize encryption success, and includes clipboard hijacking to replace cryptocurrency wallet addresses.
Ransomware stage that encrypts a wide range of file types, renames files with extension @NeverMind12F, drops a ransom note (ЧИТАЙМЕНЯ.txt), changes wallpaper, terminates targeted processes prior to encryption, and includes clipboard hijacking to replace cryptocurrency addresses (ClipBanker behavior).