Ranscam: The fake ransomware that erases all files
It behaves almost like a ransomware: asks for a ransom to unlock encrypted files, but were canceled. And the new threat discovered by Cisco security researchers.
Goldmine for cybercriminals, terrified of hospitals, companies and private users: are the crypto-ransomware, digital scourge, encrypted file on disk and demanding a ransom in exchange for the encryption key, he has claimed many victims in the past months.
Researchers at the Talos Security Intelligence and Research Group Cisco have now identified Ranscam, a new threat that while behaving in some places very much like a traditional ransomware cannot properly be included in this category.
Ranscam fact also asks for a ransom for the victim to re-appropriating the encrypted files, but were simply erased. Once Ranscam runs, a pop-up message that looks like that of any other ransomware. What happens, though, it is a forced reboot of the system and delete all the files, without anything being encrypted.
The Talos researchers have identified the threat on a small number of customer systems. In all circumstances, the malware showed the same message, as well as the same wallet Bitcoin address. The victim is ordered: ” You have to pay 0.2 Bitcoin (currently about $130) to unlock your computer. Your files have been moved to a hidden partition and encrypted. The basic programs on your computer have been blocked, and your computer will not work properly. Once we receive the payment in Bitcoin your computer, and your files will be reported instantly to normal. ”
The message is an image file that is received over an unsecured HTTP request, unencrypted and not obscured to a server hosted by Vitalix at Studio City, California. If you click the button after making the payment, another screen is displayed stating that the payment has not been verified, and a ” hostage ” file was deleted. Everything is absolutely misleading since there are hidden partitions and files are deleted all from within a batch script launched from an executable Windows .NET, signed using a certificate registered to a domain (reca.net) which is owned by the Italian company Cavagna Group. The script uses PowerShell to delete files from specific directories.
Researchers have tried to contact the authors of malware, using the form on the payment screen, which provided payment instructions and tips on how to buy Bitcoin. Since the wallet Bitcoin address to make the payment is the same, the researchers were able to determine that from June 29 there have been no transactions with the wallet and that, therefore, Ranscam has not yet reaped the real victims, Whereas the certificate used to sign the executable dates back to July 6, 2016. This is clearly an attempt, rather rudimentary and amateur, to exploit the fears related to ransomware threat to gather some change with the aggravating circumstance of compromise in a irreparable data of the victim.