Brazen desktop locker campaign uses social media info to make its threat more compelling to victims.
A newly discovered form of ransomware scrapes the social media accounts and local files of victims in order to tailor a customised demand, and threatens court action if it isn't paid.
Dubbed 'Ransoc' by cybersecurity researchers at Proofpoint due to its connection with social media including Facebook, LinkedIn, and Skype, this ransomware represents yet another evolution of the malicious software which has boomed during 2016.
It isn't the first ransomware variant to use social engineering in an attempt to scare the victim into paying up, but Ransoc is unique in how it attempts to turn the users' files against them -- especially if illegally downloaded files are on the system.
Perhaps because it focuses on exploiting this fear, Ransoc doesn't encrypt the victims' files in the same way as ransomware like Locky does, but rather makes its demands via the desktop or browser after infecting the system through malvertising traffic aimed at Internet Explorer on Windows and Safari on OS X.
Ransoc browser locker
It might appear basic or dated compared to more sophisticated forms of ransomware -- desktop locking malware saw its heyday between 2012 and 2014 -- but Ransoc is built to search the victim's hard drive and social media accounts for data to use in its scheme.
That data is then used to tailor a ransom note featuring images from the victim's Facebook and LinkedIn accounts, disguised as a threat of legal action against them.
Indeed, Proofpoint researchers discovered that one variant of the penalty notice is only displayed when Ransoc suspects the victim has files containing illegal images or media files downloaded via torrents.
In this case, Ransoc pressures the victim into paying a fine or facing the risk of those files being made public in a court case.
Ultimately, Ransoc is preying on the victim's reputation rather than their files.
Unlike the majority of ransomware schemes, which now demand payments in the untraceable Bitcoin cryptocurrency, those behind Ransoc have opted to make victims pay with their credit card.
Ransoc demands a payment via credit card, not Bitcoin.
To encourage payment, the actors behind Ransoc say they'll send the money back if the victim isn't caught again in 180 days -- but obviously the money never returns.
How to remove the Ransoc desktop locker
Ransoc checks every 100ms whether the user has started applications such as Task Manager, RegEdit, or MSConfig, and kills those processes before the user can clear the ransom note from the screen.
Users infected with Ransoc may be happy to hear that there's a way to remove the desktop locker and regain access to their PC.
All they have to do is reboot the PC into Safe Mode, then find and remove the Windows Registry key that allows the ransomware to start at every boot. The registry key is:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaErrorHandler
The registry key value that Proofpoint saw in active Ransoc installs was a shortcut file named JavaErrorHandler.lnk.
A victim can also look at the properties of this shortcut file to determine what malware executable it is pointing to.
You can then use this information to delete the executable associated with Ransoc.
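As an added example (not from the original articles or from Proofpoint), a PowerShell check for the persistence described above: it looks for the JavaErrorHandler value in the Run key, resolves the .lnk it points at to identify the executable, records that file's hash, and optionally removes the autorun entry. The function name Find-RansocAutorun and the extra check of the HKLM Run key are assumptions.

```powershell
function Find-RansocAutorun {
    [CmdletBinding()]
    param(
        # Value name Proofpoint observed in the Run key; parameterised so
        # other autorun names can be checked the same way.
        [string]$ValueName = 'JavaErrorHandler',
        # When set, delete the Run value (the persistence), not the file.
        [switch]$Remove
    )

    # The write-up names the per-user key; the per-machine key is checked
    # too as an assumption, since Run entries can live in either hive.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($key in $runKeys) {
        $entry = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
        if (-not $entry) { continue }

        # Run data is normally a path; strip quotes and, if it is a .lnk,
        # resolve the shortcut to the executable it launches.
        $lnkPath = ([string]$entry.$ValueName).Trim('"')
        $target = $null
        if ($lnkPath -like '*.lnk' -and (Test-Path -LiteralPath $lnkPath)) {
            $target = $shell.CreateShortcut($lnkPath).TargetPath
        }
        # Hash the resolved executable so it can be quarantined and matched later.
        $hash = $null
        if ($target -and (Test-Path -LiteralPath $target)) {
            $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            RegistryKey  = $key
            Shortcut     = $lnkPath
            Target       = $target
            TargetSHA256 = $hash
        }

        if ($Remove) {
            # Remove the autorun entry only after the target has been recorded.
            Remove-ItemProperty -Path $key -Name $ValueName -Force
        }
    }
}

Find-RansocAutorun   # report only; add -Remove to delete the Run value
```

Run it from Safe Mode, as the text recommends, since the locker kills RegEdit and Task Manager while it is active.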
Source:
http://www.zdnet.com/article/this-r...ia-profiles-to-personalise-its-ransom-demand/
http://www.bleepingcomputer.com/new...orts-users-who-accessed-questionable-content/