Researchers at Proofpoint have identified a new ransomware variant named Ransoc that uses a different technique to extort money from victims. Rather than encrypting a wide range of file types and demanding a ransom payment in exchange for a key to unlock the data, Ransoc blackmails its victims into paying.
Ransomware typically locks stored data with powerful encryption. Most common file formats are locked including spreadsheets, documents, images, and database files. Users must pay the ransom demand in order to recover their files. Usually there is an incentive for the victim to act quickly. The attackers usually claim data will be permanently locked if payment is not made within the stipulated time frame – anything from a couple of days to a week after the attack.
If the ransom is paid, the attackers – in theory at least – supply a key to unlock the encryption. However, if a viable backup of the encrypted data exists, the victims can simply restore their files from the backup without having to pay a ransom, provided of course that the backup has not also been encrypted.
The latest ransomware variant is different and the method used by the attackers makes it extremely likely that victims will pay, even if they have a viable backup of their data.
Ransoc ransomware targets pedophiles and other individuals who have illegal material stored on their computers. The ransomware is spread using malvertising on adult websites to increase the likelihood of identifying targets.
The ransomware scrapes Skype accounts and social media profiles and gathers personal information about the victim. The victim’s computer is also scanned for illegal material such as torrent files. Scans are also performed for strings associated with child pornography.
If illegal material is discovered, the attackers use a screen locker to prevent the user from gaining access to their files. The screen locker includes information that has been gathered from the victim’s social media accounts. The screen locker is customized based on the type of material found on the device and the victim is told they must pay a penalty fine for conducting illegal activities.
Victims are made to think that access to their social media accounts – and friend lists – has been gained. The users are also threatened with criminal prosecution and told they will have to face a trial if they do not pay the ransom demand. The attackers also threaten to name and shame the victim by publishing the information found on the victim’s computer.
The intention is not to lock the users’ files, but to cause irreparable damage to victims’ reputations. Reputation damage is likely to be far more harmful than the loss of any illegal material on victims’ devices.
Interestingly, victims are told that if they stop their illegal online activities, their ransom payment will be refunded, provided that the victim is not caught again within 180 days. The attackers also appear to be confident that their victims will not contact law enforcement. Ransom payments are not requested in the virtually untraceable Bitcoin currency; instead, payment is made via credit card. Credit card payments can be easily traced by law enforcement, but it is unlikely that the attack will ever be reported.
Ransomware that blackmails users into making payment is likely to become much more prevalent in the future as more users take steps to reduce risk by backing up their data.