A new type of ransomware called Ransoc that appeared earlier this month doesn’t lock a victim’s files and demand money to have them decrypted. Instead, it scans an infected computer for evidence of child pornography or illegal media downloads through torrents and attempts to blackmail the user if it does find questionable material. That’s not the only thing Ransoc does differently compared to other ransomware families. Here’s what you need to know.
Security vendor Proofpoint recently analysed the newly discovered Ransoc to understand its unusual behaviour. It is believed to spread through malicious advertising online, mainly through dubious adult websites.
Most ransomware, when it gets onto a computer, will encrypt files and ask the user to pay for the files to be unlocked. Ransoc doesn’t do that at all.
What this ransomware does is perform an IP check and send all of its traffic through the Tor network. It scans local media file names for strings associated with child pornography and illegally downloaded copyrighted content. If it does find file names that match specific strings, it triggers a ‘penalty notice’ within a full-screen web browser that users can’t get rid of.
Ransoc prevents users from getting rid of the notice by checking for regedit, msconfig, and taskmgr every 100 milliseconds, killing the processes before they have a chance to disable it. There is, however, a workaround, according to Proofpoint: “Ransoc only uses a registry autorun key to persist, though, so rebooting in Safe Mode should allow users to remove the malware.”
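The Safe Mode workaround depends on finding the autorun entry to delete. The following PowerShell, an added example and not part of Proofpoint’s analysis, lists the standard Run/RunOnce keys and flags entries whose target binary is missing or lives in a user-writable directory; it assumes the “registry autorun key” is one of those standard keys, which the article does not specify.

```powershell
# Added example (not from the Proofpoint analysis): enumerate the standard
# Run/RunOnce autorun keys and flag entries that deserve a closer look.
# Assumption: the "registry autorun key" mentioned in the article is one of these.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Directories a legitimate autostart rarely lives in but droppers often use.
$suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

# Registry provider metadata that Get-ItemProperty attaches to every result.
$metaFields = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath([string]$command) {
    # Pull the program path out of a command line, whether quoted or not.
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
    }
    return ($expanded -split '\s+')[0]
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaFields -contains $p.Name) { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'target-missing' }
        $lower = $exe.ToLower()
        foreach ($root in $suspectRoots) {
            if ($lower.StartsWith($root)) { $flags += 'user-writable-dir'; break }
        }
        [PSCustomObject]@{
            Key    = $key
            Name   = $p.Name
            Target = $exe
            Flags  = ($flags -join ',')
        }
    }
}
```

Run it from an elevated prompt in Safe Mode; an entry with a non-empty Flags column is a candidate for removal with Remove-ItemProperty once you have confirmed it is not a legitimate program.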
The penalty notice threatens to expose all collected data to the public. What makes it more convincing is the fact that Ransoc also pulls information from a victim’s social media accounts and displays it on the notice.
Proofpoint noted that it seems to target users of Internet Explorer on Windows and Safari on OS X. The company also highlighted that Ransoc is unusual in that it accepts payment by credit card, which is uncommon given that card payments can be tracked more easily by law enforcement. This shows that the cybercriminals behind the ransomware are quite confident that victims will keep quiet about the attack.
“By incorporating data from social media accounts and Skype profiles Ransoc creates a coercive, socially engineered ransom note to convince its targets that they are in danger of prosecution for their browsing habits and the contents of their hard drives. With bold approaches to collecting payments, the threat actors appear confident in their targeting, introducing new levels of sophistication to ransomware distribution and monetisation.”