Malware dubbed ‘ranscam’ asks for payment to unlock files, but in reality has already deleted them
Cisco’s Talos Labs has uncovered a nasty piece of malware that poses as ransomware but in fact simply deletes your files, so paying the ransom cannot recover them.
The malware, which has been dubbed ‘Ranscam’, appears to follow the conventional ransomware route: infecting a computer, claiming to have encrypted the files, and then demanding a payment to unlock them.
“It lacks complexity and also tries to use various scare tactics to entice the user into paying. One such method used by Ranscam is to inform the user they will delete their files during every unverified payment click, which turns out to be a lie. There is no longer honour amongst thieves.
“Ranscam simply deletes victims’ files, and provides yet another example of why threat actors cannot always be trusted to recover a victim’s files, even if the victim complies with the ransomware author’s demands.”
The researchers pointed out that some organisations tend to pay these ransoms, but that nothing can be guaranteed while their data is held hostage by criminals.
“Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy,” they said. “Not only does having a good backup strategy in place help ensure that systems can be restored, it also ensures that attackers are no longer able to collect revenue that they can then reinvest into the future development of their criminal enterprise.”
An infected computer displays a ransom note that, unusually, says the files have been moved to a ‘hidden encrypted partition.’ It demands 0.2 bitcoins to unlock the files and gives the victim a button to click to verify that the payment has been made. It warns that one file will be deleted each time that button is clicked without payment.
“The unfortunate reality is, all of the user’s files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality. The author is simply relying on ‘smoke and mirrors’ in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom.
“The lack of any encryption (and decryption) within this malware suggests this adversary is looking to ‘make a quick buck’ – it is not sophisticated in any way and lacks functionality which is associated with other ransomware such as Cryptowall.”
“As Ranscam shows, threat actors cannot simply be trusted and often use deception as a means to achieve their objective, which in this case is convincing victims to pay out,” they said. “This is because they never intended on providing a means to retrieve or recover the victim’s files in the first place.”
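The practical question for a responder is whether a ransom note’s “your files are encrypted” claim matches what is actually on disk. The following triage script is an added example (it is not Talos code and is not derived from the Ranscam sample): it compares a pre-incident file inventory with the current state of the same directory and labels each file as unchanged, missing, or rewritten with ciphertext-like byte entropy. Real file encryption leaves high-entropy data behind that a decryptor could in principle restore; files that are simply gone, as in the Ranscam case, cannot be recovered by paying. The 7.5 bits-per-byte threshold and the constructed scenario in `demo()` are assumptions chosen for illustration.

```python
"""Triage helper: did ransomware really encrypt files, or just delete them?

Added example, not Talos code. Compares a pre-incident file inventory
(hash, size, byte entropy per file) with the current state of the same
directory and classifies each file. Encrypted output is near-random, so a
rewritten file with byte entropy close to 8 bits/byte is consistent with
encryption; a file that is simply gone is consistent with Ranscam-style
deletion, whatever the ransom note claims.
"""
import hashlib
import math
import tempfile
from pathlib import Path

HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for "looks like ciphertext"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def snapshot(root: Path) -> dict:
    """Inventory every regular file under root: {relative path: (sha256, size, entropy)}."""
    inv = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            inv[str(p.relative_to(root))] = (
                hashlib.sha256(data).hexdigest(), len(data), shannon_entropy(data))
    return inv


def classify(before: dict, after: dict, threshold: float = HIGH_ENTROPY) -> dict:
    """Label each pre-incident file by what happened to it."""
    labels = {}
    for rel, (digest, _size, _ent) in before.items():
        if rel not in after:
            labels[rel] = "missing"                 # deleted: nothing left to decrypt
        elif after[rel][0] == digest:
            labels[rel] = "unchanged"
        elif after[rel][2] >= threshold:
            labels[rel] = "rewritten-high-entropy"  # consistent with real encryption
        else:
            labels[rel] = "rewritten-low-entropy"   # modified, but not ciphertext-like
    for rel in after:
        if rel not in before:
            labels[rel] = "new"                     # e.g. the ransom note itself
    return labels


def verdict(labels: dict) -> str:
    """Summarise whether the evidence supports the 'your files are encrypted' claim."""
    kinds = set(labels.values())
    if "rewritten-high-entropy" in kinds:
        return "encrypted-data-present"
    if "missing" in kinds:
        return "destroyed-no-ciphertext"  # Ranscam pattern: paying cannot help
    return "no-destructive-change"


def demo() -> tuple:
    """Constructed scenario (not a real sample): three documents, then a
    Ranscam-like run that deletes two, leaves one untouched and drops a note."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("report.docx", "photo.jpg", "notes.txt"):
            (root / name).write_bytes(("Quarterly figures for %s\n" % name).encode() * 40)
        before = snapshot(root)
        # "Infection": delete files instead of encrypting them, then write a ransom note.
        (root / "report.docx").unlink()
        (root / "photo.jpg").unlink()
        (root / "README_TO_RECOVER.txt").write_text(
            "Your files were moved to a hidden encrypted partition. Pay 0.2 BTC.\n")
        after = snapshot(root)
        labels = classify(before, after)
        return labels, verdict(labels)


if __name__ == "__main__":
    labels, v = demo()
    for rel, label in sorted(labels.items()):
        print(f"{label:24s} {rel}")
    print("verdict:", v)
```

In a real engagement the `before` inventory would come from a backup catalogue or a prior file-integrity baseline rather than from a snapshot taken moments earlier; the point of the check is that a verdict of `destroyed-no-ciphertext` means there is nothing on disk for any “decryptor” to act on, and recovery has to come from backups.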
Researchers at the University of Florida this week claimed to have developed technology that can stop ransomware attacks before they cause too much damage.
Earlier this year the gang behind the TeslaCrypt ransomware shut down their criminal operation and apologised. The gang also handed over the universal master decryption key to the malware to security researchers ESET.
ESET has previously warned that the UK was being heavily targeted by ransomware.