Batu69 Posted July 12, 2016

When you've paid up, but there's nothing to unlock

Lazy but sneaky cybercrooks are slinging a new ransomware variant that falsely claims to have encrypted files when in reality it has deleted them. Ranscam tricks victims by falsely claiming that files have been moved onto a hidden, encrypted partition. In reality the malware has deleted files and comprehensively messed with system settings (removing executables associated with System Restore, deleting shadow copies, hobbling Safe Mode etc.) such that it is difficult or impossible to recover from an infection.

Victims are encouraged to pay a 0.2 BTC ($125) ransom, but in reality the crooks have no mechanism to restore compromised files. The attackers provided the same wallet address for all payments and for all samples identified by Cisco's Talos security division. The malware features a fake payment verification process that automatically returns notices of failure, possibly in the hope that desperate victims might make a fresh payment.

[Ranscam scam screenshot]

The Ranscam campaign does not appear to be widespread. The threat is, nonetheless, noteworthy because it shows how chancers and skiddies are jumping on the ransomware bandwagon.

"The lack of any encryption (and decryption) within this malware suggests this adversary is looking to 'make a quick buck' - it is not sophisticated in any way and lacks functionality which is associated with other ransomware such as Cryptowall," Cisco Talos researchers conclude in a blog post. "While many high profile sources advise organisations and individuals to pay the ransom, Ranscam illustrates the importance of having a sound, offline backup strategy in place rather than a sound ransom payout strategy."

Article source
visualbuffs Posted July 12, 2016

ransomware like
Holmes Posted July 12, 2016

Sounds like you can use a good file recovery program, delete the infection, and recover your files yourself.
D1v1n3D Posted July 12, 2016

I feel that these viruses are not made by home users but by corporations and/or politicians worldwide, corrupt governments and so forth, like the good old government of the USA; there is just too much money to be made from this for them not to be involved. Consider that the Panama Papers 1 and 2 leaks already prove it.
tomm Posted July 15, 2016

Ranscam is a new piece of ransomware discovered by security researchers from the Cisco Talos team that doesn't honor the unwritten rule of ransomware infections: to give users back their files after they pay the ransom.

For many years, ransomware developers have strictly adhered to this rule, most of them revealing in interviews that their business would go down the drain if users lost trust in the possibility of recovering files after they pay. As such, there were rare cases where crooks did not deliver on their promises to decrypt files after receiving a ransom, most of these cases being due to software bugs in the ransomware, which crooks eventually fixed in subsequent versions. Unfortunately, this is not the case with Ranscam, which, in Cisco's view, is just a poorly written product.

The first thing Ranscam does is delete your files

The problem with Ranscam is that it deletes all your files after infecting your computer, right from the get-go. It is unknown whether this is a bug or an intentional feature.

Ranscam not only deletes your files, but it also removes core Windows executables responsible for the System Restore feature, hard drive shadow copies, and several registry keys associated with booting into Safe Mode. Additionally, it modifies registry keys to disable Task Manager and alters the Keyboard Scancode Map. All of this is done to make file recovery much harder, but also to prevent removing the ransomware from the infected computer.

Once this is done, the ransomware shows its ransom note, which is nothing more than a JPEG image with two sections at the bottom where Ranscam shows a button and a Web form.

Ranscam tells users their files are in a "hidden partition"

The ransomware informs the user that their files are encrypted and have been moved into a hidden partition. This is all fake. The files have already been dead and gone for minutes by the time the victim reads this note, and because the ransomware deletes shadow volume copies, there's no way to recover them.

The button mentioned above is supposed to be pushed after the victim pays the 0.2 Bitcoin ransom to a specific wallet address. Cisco says this button is fake and doesn't do anything, so paying the ransom will not help victims. Only the form to the right of the button works, and it sends an email to the crooks.

Cisco says that, after contacting the Ranscam authors, they were extremely friendly in trying to convince them to pay the ransom. Unfortunately, no amount of kind and polite words can replace the fact that their "code" has just deleted all your personal files.

The good news is that Ranscam is not as widely distributed as other ransomware threats seen today, so it hasn't destroyed the lives and memories of too many users yet.

Source
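Both write-ups above describe the same set of recovery-hobbling changes (shadow copies deleted, System Restore executables removed, Safe Mode registry keys gone, Task Manager disabled by registry, Keyboard Scancode Map altered). The following read-only triage script is an added example for this thread; it is not code from the articles, the forum posters or Cisco Talos. It assumes the standard Windows registry paths and file location for these features, which neither article lists, and it takes rstrui.exe as the System Restore executable to check for, which is also an assumption on our side.

```powershell
# Added example, not from the Ranscam articles or Cisco Talos.
# Read-only check for the recovery-hobbling changes the write-ups describe.
# Assumes stock Windows locations (assumption, not stated by the articles).
# Run from an elevated PowerShell prompt; Win32_ShadowCopy needs admin rights.

$findings = @()

# 1. Volume shadow copies: Ranscam deletes them. An empty list is only
#    meaningful on a machine where System Protection was enabled.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) { $findings += 'No volume shadow copies present' }

# 2. System Restore executable removed. rstrui.exe is the System Restore UI
#    binary; that it is the one Ranscam removes is our assumption.
$rstrui = Join-Path $env:SystemRoot 'System32\rstrui.exe'
if (-not (Test-Path $rstrui)) { $findings += "System Restore binary missing: $rstrui" }

# 3. Safe Mode boot configuration keys deleted. Both Minimal and Network
#    exist on a healthy install.
$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
foreach ($key in $safeBootKeys) {
    if (-not (Test-Path $key)) { $findings += "Safe Mode key missing: $key" }
}

# 4. Task Manager disabled via the policy value (checked for both the
#    current user and the machine-wide policy location).
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($path in $policyPaths) {
    $value = (Get-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($value -eq 1) { $findings += "DisableTaskMgr is set under $path" }
}

# 5. Keyboard Scancode Map present. The value is normally absent; when set,
#    it remaps or disables keys at boot, which is how Ranscam hobbles input.
$layoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$map = (Get-ItemProperty -Path $layoutKey -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
if ($map) { $findings += ('Scancode Map present ({0} bytes)' -f $map.Length) }

if ($findings.Count -gt 0) {
    Write-Output 'Recovery-hobbling indicators found:'
    $findings | ForEach-Object { Write-Output " - $_" }
} else {
    Write-Output 'No Ranscam-style recovery tampering detected.'
}
```

Treat the output as triage leads rather than proof: a Scancode Map value can be legitimate on a machine where someone deliberately remapped keys, and an empty shadow-copy list says nothing if System Protection was never enabled. If the Safe Mode keys or rstrui.exe are missing, the Talos conclusion in the first post applies: recovery comes from offline backups, not from paying.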
Batu69 Posted July 15, 2016

Thread has been merged.