Ransoc, simplified ransomware


Proofpoint recently discovered a new ransomware variant, dubbed Ransoc, that is distributed through malvertising campaigns on adult web sites. If you do not visit adult sites, you should be safe from this threat. If you do visit adult websites and happen to encounter this new variant, and you are comfortable with the Windows registry, it is easy to remove.

No encryption used

Ransoc scrapes torrents, instant messaging clients, Skype and social media profiles (Facebook, LinkedIn) for potentially sensitive user information. This new variant does not encrypt user files; instead, it threatens the victim with a fake legal warning, customized per victim based on the data found on the computer, if the victim refuses to pay the ransom.

ZDNet says “. . . because it focuses on exploiting this fear, Ransoc doesn’t encrypt the victims’ files in the same way as ransomware like Locky does, but rather makes its demands via the desktop or browser after infecting the system through malvertising traffic aimed at Internet Explorer on Windows and Safari on OS X.”

The twist with this ransomware: no Bitcoin is needed, because victims can pay up with a credit card!

Proofpoint explains at their Threat Insight blog:

By incorporating data from social media accounts and Skype profiles Ransoc creates a coercive, socially engineered ransom note to convince its targets that they are in danger of prosecution for their browsing habits and the contents of their hard drives. With bold approaches to collecting payments, the threat actors appear confident in their targeting, introducing new levels of sophistication to ransomware distribution and monetization.

Ransoc removal

Bleeping Computer advises the victim to simply reboot the computer into safe mode and locate this Windows registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaErrorHandler

Next, look at the value of that registry entry to determine where the malware executable is hiding, then delete the file and the registry entry.
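The removal steps above can be scripted. The following PowerShell helper is an added example, not code from the original post or from Proofpoint or Bleeping Computer; it assumes only the persistence value name and Run key named on this page, reports the executable path the value points to (with a SHA256 hash for the incident record), and removes both only when run with -Remove, ideally from safe mode as the post advises.

```powershell
# Added example: inspect and optionally clean the Ransoc persistence entry.
# Assumes the value name "JavaErrorHandler" under the HKCU Run key, as stated
# in the post; everything else here is an illustrative helper, not a vendor tool.
param([switch]$Remove)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'JavaErrorHandler'

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props -or -not $props.PSObject.Properties[$valueName]) {
    Write-Output "No '$valueName' value under $runKey; persistence entry not found."
    return
}

$command = $props.$valueName
Write-Output "Found '$valueName' = $command"

# A Run value is a command line: strip surrounding quotes and any arguments
# to recover the executable path, then expand variables such as %APPDATA%.
$exePath = if ($command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($command -split '\s+')[0] }
$exePath = [Environment]::ExpandEnvironmentVariables($exePath)

if (Test-Path -LiteralPath $exePath) {
    # Record the hash before deleting so the sample can be identified later.
    $hash = (Get-FileHash -LiteralPath $exePath -Algorithm SHA256).Hash
    Write-Output "Executable: $exePath (SHA256 $hash)"
} else {
    Write-Output "Executable path '$exePath' is not present on disk."
}

if ($Remove) {
    if (Test-Path -LiteralPath $exePath) { Remove-Item -LiteralPath $exePath -Force }
    Remove-ItemProperty -Path $runKey -Name $valueName
    Write-Output "Removed the executable and the '$valueName' Run value."
}
```

Run it once without -Remove to confirm what the entry points to, then again with -Remove; after a normal reboot, re-run it to verify the entry has not been recreated.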

Though this is not hardcore ransomware, it can generate plenty of fear for less tech-savvy users.



Source: Proofpoint

