Proofpoint researchers have recently identified a previously unknown ransomware variant, known as “Ransoc”, which employs various techniques to extort money from its victims. Rather than encrypting a broad range of file types and then demanding that victims pay a ransom in exchange for a key to unlock the affected data, Ransoc simply blackmails its victims into making payment.
In standard cases, ransomware encrypts stored data with strong encryption. The majority of common file formats, e.g. spreadsheets, Word and PDF documents, pictures, and database files, are locked. Users are then told that they must pay the ransom demand in order to recover their files. Normally there will be some form of incentive to encourage the victim to respond quickly. Ordinarily the attackers threaten that the data will remain permanently locked should payment not be made before a named date, which could be anything from two days to a week after the attack.
When the ransom has been paid, the attackers, theoretically, supply a key that can be used by the victim to unlock the encryption. Alternatively, if the victim had made a viable backup of the encrypted data that was not affected by the attack, he or she can just restore those files from the backup, avoiding the need to pay a ransom.
This most recent ransomware variant is, however, considerably different, and the method employed by the attackers makes it extremely probable that victims will pay, even in circumstances where they have retained a viable backup of their data.
The Ransoc ransomware in fact targets individuals who may have illegal files or information saved on their computers, such as paedophiles. Ransoc is spread via malvertising on pornography websites, which increases the probability of reaching such targets.
Ransoc scrapes Skype accounts and Facebook profiles in order to gather personal information about the target. A scan of the victim’s computer will be carried out to search for illegal material, e.g. torrent files. Furthermore, scans are performed for strings that are associated with pornographic images of children.
In the event that illegal material is discovered, the ransomware uses a screen locker to ensure that the user cannot access his or her files. The screen locker displays information that has been obtained from the victim’s social media accounts. The screen locker is in fact customized to each victim, based on the type of material discovered on the affected device, and the victim is advised that they must pay a fine for having engaged in illegal activities.
Victims are encouraged to believe that their social media accounts have been accessed and that their friend lists are therefore known to the attackers. Users may also be threatened with criminal prosecution and advised that they will be taken to trial if they fail to pay the ransom demanded. Furthermore, the attackers threaten to “name and shame” the victim by making public the information that has been discovered on the victim’s computer.
Unlike other ransomware, therefore, the goal is not to encrypt the users’ files, but rather to cause enormous damage to victims’ reputations. For most people, reputational damage will be deemed much more harmful than the loss of any illegal material stored on their computers.
Somewhat unusually, victims have been told that if they cease their illegal online activities, the ransom payment will in fact be refunded. This offer is made with the caveat that the victim must not be caught engaging in such activity again within the following 6 months.
The attackers seem very sure that victims will not contact the police. Ransom payments have not been requested via the almost untraceable Bitcoin currency; instead, payment is made via credit card. It is a relatively simple procedure for investigating police officers to trace credit card payments, but given the circumstances it is extremely unlikely that the attack will ever be reported.
As more users are starting to take action to reduce risk by backing up their data, it would appear that ransomware such as Ransoc, i.e. ransomware which blackmails victims into making payment, may become much more commonplace in the coming months and years.