July 13, 2016

Ranscam doesn’t care if you pay the ransom


When ransomware hits, it’s natural to wonder whether it might be worth paying the ransom to get your electronic life back with a minimum of hassle. At Kaspersky Lab, we do not recommend paying ransom in any case, but with the new ransomware called Ranscam there’s really no point: it deletes the files regardless of whether you pay.


Threatpost reports on the new malware, noting that in contrast with recent ransomware of breathtaking proficiency, Ranscam seems either lazy or not particularly competent. A sledgehammer among scalpels.

Unfortunately, a sledgehammer is a pretty destructive tool. Whereas sophisticated ransomware aims to extract victims’ money and then, likely as not, restores the files or file systems it encrypted in the attack, Ranscam is just a scam.

How Ranscam works

The first thing users see after the malware has found its way onto their system is the ransom note. It looks like the ransom notes that other pieces of ransomware show, but with one seemingly insignificant difference. Instead of directing users to an external location where they are supposed to verify the ransom payment, this note shows a clickable button: “I made payment, please verify.”

(Screenshot: the Ranscam ransom note)

In reality, the difference is very significant. Whenever a user clicks the button, a message appears saying that the payment was not verified and that one file will be deleted each time the button is pressed without the criminals behind Ranscam having been paid. That is probably meant to make users nervous and persuade them to pay several times.

In fact it’s just a bluff — but that is not good news for the victim. The ransomware states that it has moved the user’s files into a “hidden, encrypted partition,” but in reality, it deleted them before even showing the ransom message. So there is no way to retrieve them.

As researchers at Cisco’s Talos Security Intelligence and Research Group explain, simply destroying the files means that the criminals don’t need to learn the fine points of cryptoblocking and locking.

At this point Ranscam has not been associated with any major attacks; it simply serves as a reminder that paying ransom may not work (not to mention, paying reinforces criminals’ idea that ransomware is a great way to make money).

There is no way to get back the files deleted by Ranscam; the only way to protect yourself is to be proactive. So we recommend a simple plan:

  1. Don’t open attachments and don’t follow suspicious links. Not much is known about how Ranscam spreads, but the usual suspects are e-mail attachments and malicious or hacked websites. So if you aren’t 100% sure, don’t click.
  2. Back up your data regularly and store the backups on an offline storage device. If some ransomware encrypts or deletes your files, you’re covered — you have copies.
  3. Use a reliable antivirus solution. Kaspersky Internet Security detects Ranscam as Trojan-Ransom.MSIL.Agent and doesn’t give the ransomware a chance to do anything bad to your files.