Researchers have identified a new ransomware scheme called Ransoc. It is a new type of desktop-locking malware that activates after it discovers evidence of media files downloaded via torrents or child pornography links on the targeted computer.
Usually, ransomware tries to encrypt all files on the target computer and then displays a ransom note explaining the attacker's demand, which is normally to be paid in Bitcoin. Unless the ransom is paid, the attacker does not give the victim the data decryption key.
Ransoc works differently from standard ransomware: it scrapes Skype and social media profiles and scans files and torrents for any sort of sensitive information. It then customizes a ransom note according to the information it has identified but, unlike other ransomware, does not encrypt files. Instead, it threatens victims with bogus legal proceedings if they fail to pay the ransom.
According to Proofpoint, the penalty notice appears only if the malware finds some concrete evidence of child pornography or media files downloaded via torrents.
With its scraping and scanning capability, the ransomware can display correct personal data, which it takes from Skype and social media profiles. The data also includes profile pictures. The attackers have basically tried to exploit the victim’s fear of exposure and of the possible legal complications that may result from the leaking of such sensitive information.
Proofpoint has also pointed out that it is the victim's reputation that is actually at stake, and that this is what the attackers are targeting with this campaign instead of the usual technique of data encryption. Ransoc also has the capability of accessing the victim’s webcam, but that functionality hasn’t been verified yet. Moreover, the ransomware demands payment by credit card, which is another distinguishing feature of this new scheme. The attackers probably want victims to be able to pay easily without the hassle of Bitcoin processing.
The company stated that this “bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement.”
Although this isn’t the first ransomware to use social engineering techniques to scare the victim, it is definitely unique in more than one way. It demands the ransom through either the desktop or the browser and infects systems through malvertising traffic, which is targeted at Internet Explorer on Windows and Safari on OS X.
If your system is infected with ransomware, contact the ‘No More Ransom’ anti-ransomware portal, which has protected 2,500 ransomware victims and 1.3 million euros since its launch in July 2016, and does so for free.