Windows Malware Poses As Ransomware, Just Deletes Victims' Files (slashgear.com)
An anonymous reader writes: Ranscam, a ransom malware reported by Cisco's Talos Security Intelligence group, claims to have encrypted victims' files and hold them for ransom, but in actuality it has already deleted those files and is simply trying to trick its victims into paying to recover files that are no longer there anymore. SlashGear reports: "Most ransomware follow a similar tactic once they get control of a computer or mobile device. They encrypt certain files, personal documents are a favorite, and then display a message instructing the user to pay, usually with bitcoins, to receive the decryption key to save their files. Ranscam, however, is completely without honor, as much honor as you can find among thieves and scam artists. It claims to have encrypted the users' files and then makes the usual demand. However, it adds an additional threat. For each time the user clicks on the 'payment sent' button but no payment was received, it threatens it will delete a file. That, however, is a total farce. In truth, files have already been deleted, so whether the victim pays or not is moot. The perpetrators don't have any way to recover those deleted files anyway. Also, the threats it flashes users are simply static images fetched from a remote server. Users might just as well be clicking on a two-slide presentation. The good news is that reported Ranscam infections are small, according to Cisco's Talos Security Intelligence group."
The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.
Exactly. While this sucks for any individuals, this is a good thing in the long run if it grows. Not only will it teach people not to pay the ransom, but it, like all ransomware, will teach people to back up their damn files.
Still, I don't see it being lucrative, as regular ransomware has a better chance of getting the ransom.
Seriously, this malware is less evil. Provided the files haven't been overwritten, just deleted, they can be recovered. It's far far easier to recover a deleted file than an encrypted one.
Your computer is infected. Paying could result in any behaviour including:
- Recovery of all files
- Recovery of some files and more extortion.
- Deletion of everything
- Attempt to install further malware and spread...which in turn could do anything from steal your identity or money to destroying your hardware
Paying and letting the malware continue to run is an act of desperation. The perpetrators should be hunted down like the animals they are and kept in a cage for the rest of their life.
While the FBI teaches victims to pay the ransom, the hackers pick up the job of teaching people an important lesson, "never give in to extortion."
I guess most of the "harm" the ransomware causes is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford to buy stuff like hacked computer access or pay programmers. That means they'll go out of business pretty soon.
Only those malware authors survive who actually make good on the ransom.
Why not? It is way simpler to write and requires no infrastructure to hold and release keys, etc. If you are a crook who would create ransomware you don't have any honour anyway. Of course if this gets more popular, fewer people will be inclined to pay anything since the chances of getting files back won't look so good, but criminals are in it for a quick buck anyway.
Well, sometimes it's smarter to give in to extortion. Only you know how important your files are, and if there is a chance to get them back, you can decide yourself whether you want to get them or not. All you can lose in the situation is the ransom money. Yes, you might lose both the money and the files, but the ransomware author has an interest in giving you back your files so that you tell others that paying the ransom gives you the files.
The problem with saying "NEVER" give in to extortion is that the border between extortion and deals is thin, and it often differs between the people doing these deals. In the most extreme case, anything the "victim" of the extortion thinks of as extortion can be seen as extortion.
NPR's Planet Money economics podcast did an episode on this very issue.
I can't find the original full podcast episode, but here's the shorter All Tech Considered version.
-------------------
This is my SIG. There are many like it, but this one is mine.
They paid Dan "D. B." Cooper $200k...
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
..have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someone's personal files altogether is just sick.
Meta malware?
The Cooper hijacking was in 1971. The "U.S. will not yield to blackmail" doctrine was instated by Carter during the 1980 Iranian hostage crisis.
Whenever a seriously efficient Dark Lord manages to establish an empire of subjugation and terror, the stupid copycats who try to follow their steps manage to ruin the strategy and make it useless.
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
In the end though, if you are stupid enough to give in to extortion that you could have prevented by having a simple backup, which you kinda really should have had regardless, you're fucking over the rest of humanity with it. If nobody paid, these things wouldn't be constantly hammering mailservers worldwide.
Didn't you see Journeyman? The Cooper hijacking was by a time-traveler.
Idiots like you are why this "faux ransomware" is actually better than the real thing. The reason why you don't give in to extortion is very similar to the reason for vaccinations. Extortions happen because people pay up. Without the reward, the risk of getting caught dominates and the criminal doesn't do it. The guy I helped with the aftermath of a ransomware infection last week lost his files because somebody else paid the criminals. Giving in to extortion should be a crime.
We all know that malware authors are the scum of the earth. However, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society. I personally don't feel like paying anything for the scum that writes malware. Fortunately, I have a better idea: restitution. If files can be recovered, the restitution is the ransom, punitive damages for the lost time and productivity, and interest. If the files can't be recovered, then the cost includes compensation for the lost data, which could be a lot more expensive. Allow them to live in cheap housing, eat meals, and have basic needs covered like clothing, electricity, water, and sanitation. Require the criminals to be employed and pay any earnings beyond the basic needs as restitution to the victims. I'd favor this punishment for most forms of white collar crime instead of prison time. It's a hole they may never escape from, yet I wouldn't feel any sympathy for the criminals.
I was thinking the same. The more people hear this, the less willing they will be to pay up. Even with the ones that don't delete the files.
First, fewer people will reply, and those who still call will need more convincing that these files are not gone.
OTOH I am sure that there will still be enough people who will be giving the money to make it interesting, I am sure. As long as they make more than they would get by not doing it, there will be a market for it.
Don't fight for your country, if your country does not fight for you.
It is, it's fiscally enabling a criminal enterprise, which is covered under racketeering laws.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Technically it's not posing as ransomware, it still is ransomware; it's demanding a ransom, regardless of whether the files are actually recoverable or not, therefore the term is still appropriate. If I kidnap your daughter and demand money in exchange for the promise of her return, that's still called a ransom, even if in reality I already killed her.
Please create a new malware that gives users an option to switch their OS. If they don't, delete the documents.
e.g.,
Choose your option:
(O) Install Linux on this computer and move my files (FREE)
(O) Delete all my software. (FREE)
(O) Pay 10 BTC to xxxxxxxxxxxxxx and unlock my files.
[ Next > ]
Alert: if you don't select within 10 seconds, the 2nd option will be used.
I suspect the "legit" ransomware distributors will switch from encrypting the data to a "give us money or we will send the data to everyone in your contact list" kind of threat.
At the moment ransomware isn't more threatening than buying a cheap HDD. The way to protect yourself against it is also the same.
It's hard work, however it's much easier to recover a deleted file on Windows than it is to recover an encrypted file. *If*, and that's a big if, you knew where it was.
My ism, it's full of beliefs.
You can't go messing with the perfectly decent business model of ransomware; if word gets around that paying means nothing, ransomware will fall apart and no one will ever pay.
The people who created this will end up dead in a ditch somewhere. You don't fuck with the Russian/Chinese mob.
This is why you don't outsource the file encryption portions of your software project to the lowest bidder.
Log in or piss off.
I only deal with ransomware that has a good reputation. So ttthhhhhbbbbppppttttt!
No, this is the problem with counterfeits. If "customers" of ransomware can't tell the difference between ransomware that'll return their files and ransomware that won't (which I would think is a safe assumption) it'll hurt all "vendors" in the market equally. And if those who don't bother to have a decryption system operate at a lower cost/risk and thus higher margin, they'll leech off the established "brand" while destroying it. Heck, if I recall correctly there was one such ransomware that didn't bother doing anything at all; it simply told the customers their files were locked and some people paid simply on that belief. You're already dealing with criminals here, adding fraud to blackmail doesn't bother them.
Live today, because you never know what tomorrow brings
Well, the ransomware vendors that actually offer decryption of course do this for their reputation. They have an incentive to prove to users that they are capable of decrypting files. E.g. they could let users choose three files, and those will get decrypted for free just to prove that the files still exist.
The ransomware business model is just too good for it to vanish.
Maybe this is not a bad thing after all, as the ransomware business may become less lucrative if people don't pay anymore thinking their data may actually be deleted for good anyway.
Slashdot, fix the reply notifications... You won't get away with it...
How does that malware work, and how does it infect those (poor) Windows machines?
You have a mental illness. Get some help before you hurt someone or yourself.
Maybe it's just me but.... there's nothing on my home machine I'd "lose" and I really don't understand what "files" people are willing to spend actual money to *maybe* recover. When it comes to industry, sure, that makes sense. But a personal computer? What are you going to lose, some photos that SHOULD have been fired off to googledrive or some other cloud backup? Your music that you can download again? Your software that you can re-install? No, the ransomware isn't really the problem, idiot computer users are the problem. But I agree, this is good as it should make people question paying out, which to me they should already be questioning and have already decided to not do it. "We don't negotiate with terrorists" because once you do, you will have to every single time and it will get worse and worse. Not a single thing on my pc to lose that can't be replaced WITHOUT a backup, because I don't use my pc as a personal information storage system because it connects to the internet and my ISP router that has wifi and has very limited control on my end.
You would think that law enforcement would be involved in releasing this sort of 'ransom'ware. What better way to disrupt this sort of crime industry than to discourage users from paying to recover access?
As seasoned IT professionals have been trying to teach users for decades now, the ultimate answer to ransomware (or pretty much any attack) is to have backups of your damn data.
If the average "It'll never happen to me" idiot user actually did that, ransomware would have never been a viable business in the first place.
This makes it a priority for those who create real ransomware to find and shut down the ones who make the scamsonware. It hurts the ransomware operations. I would not sleep well at night if I were someone who had developed or pushed this.
Yeah, reminds me of the freeware sites that had these hack ads that would pop up a window with graphics imitating a Windows dialog saying they are scanning your drive, then they "find" child porn and threaten to turn you in unless you click the button to install something or other. Well, it's very comical to see that on a Mac, and I wonder if they ever fooled any Windows users.
I guess if you are running windows you are used to such low security that it might be plausible for any website to just scan your computer for porn.
GoogleDrive ? The "Cloud" ? That's not backup. The data's no longer under *YOUR* control.
External hard drives, mirrored to a second set of drives kept offsite, are the *ONLY* reliable, secure backup solution for personal data. Relying on a third party means you're at their whim. Just look at the professional photographer who lost his life's work because a photo backup site lost his pictures. And this was on a "Professional" backup plan (i.e. it cost a decent amount of cash).
n.b. You'll have to search for this story yourself as I'm too lazy to go and search for it now.
Not under your direct control = not secure.
> While this sucks for any individuals
Actually if it only deletes files and does not overwrite them, in contrast to the cryptolockers someone with the right tools should be able to recover most data (possibly even all of it, if the computer wasn't used much). And without having to pay anyone anything.
Next we'll have look and feel suits where cryptolocker is suing ranscam for looking too much like them :)
On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
Or dragged out into the street and have their face stomped in.....
Why not simply, "Pay up or we'll send child porn to everyone in your contact list, claiming it was yours."
Yeah, this must tick off the honest hijackers.
Obviously not important enough to have a backup strategy in place, and obviously not important enough to keep on an OS suitable for something other than playing video games at home.
The places that take things seriously have filesystem snapshots and offline backups on tape or similar. You want an MS system? Fine, just make sure the files are stored under the adult supervision of something else that can give you those snapshots etc.
Someone hacking in from outside can't fuck up your tapes on a shelf, or even better in a different building in case of fire etc.
This is such an irrelevant risk to most users - who works on any important document or files without a cloud/automatic backup these days? If you are thinking about how terrible this would be if it happened to you, then you kinda deserve it for not thinking of things like HDD failures.
It's not difficult, just really annoying, time consuming and makes you think far too long about how all that messing about could be saved if that person had listened to advice about not using MS Outlook set to automatically open attachments and not opening strange emails.
Photorec is very good. It is not fast, because when it gets down to it you are asking it to do something difficult. Filenames are of course lost, but file types are known, and grep plus all the rest can be used if you have a few clues about what you are looking for. Of course it turns up a vast number of files you are not looking for; a very large number of the temporary files used over the years are likely to turn up.
Cool, so when a member of your family does something reprehensible you're all right with us dragging YOU out into the middle of the street and shooting you in the back of the head for the neighborhood to watch?
Reagan paying the ransom didn't work out well either. By the end it had spread from Iran to Hezbollah, and classified anti-tank weapons were delivered to Hezbollah in exchange for hostages.
Now the guy who was arming Hezbollah against Israeli tanks (Oliver North) is one of the guys running the NRA. No wonder they are calling for the right for suspected terrorists to buy guns!
That is fine on a spinning disc drive, but if the affected files are on an SSD you'd better try to get them back quickly, before the SSD does any housekeeping tasks.
You're messin' with my Zen Thing, man.....
Having another fascist agree with him doesn't make him right. Trump has really emboldened the psychos among us.
Solution: Back up your important files. Then it doesn't matter if they are encrypted or deleted. Just reformat the drive and restore.
You guys are using automated back ups, right?
> However, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society.
You're right.
Medical experimentation would be a much better use for them.
Paging Dr. Mengele...
fuck that shit. Just drag their families out into the middle of the street and line them up on the median line, then walk along behind them and shoot each one in the head while making the cunt watch.
Shooting in the head is far too humane.
Nobody keeps important personal files on an AIX server. They have a laptop; they don't know how it works. They don't understand part failures any more than you understand why your penis gets hard occasionally. (Hint: it's for sex.) They don't know that a "hard drive" holds their files, they don't know that it can fail. They don't know that files can be deleted by other means than "right click and choose delete". Even if they do, they don't know how to do backups; they don't understand that having "the same file" in multiple places is even a thing, let alone how to do it.
They simply don't know. It doesn't mean their files aren't important.
20 years ago — in my younger and gospel-spreading days — I set up my parents' desktops to use FreeBSD.
Since then I would, once in a while, doubt, whether it was the right decision — especially, when they asked about things like Skype or Flash, which required certain hackery to get working. Was I right imposing my choice of the OS on folks, who just wanted to "use the Internet"?
But, looking at these near-daily mal/scamware reports targeting Windows, I sure am glad their systems are immune. Yeah, once in a while an infected web-server may hijack their Firefox window with a message about an infection in "C:\Windows", but they already know to laugh about it...
Meanwhile a friend of mine supporting his parents on regular PCs has to keep anti-virus subscriptions up to date and is still forced to reinstall the OS for them about once a year...
In Soviet Washington the swamp drains you.
The US will not pay blackmail/tribute was stated by President Jefferson, and quite possibly before
Who uses email clients anymore?
The whole concept of ransomware is based on honesty and reasonable pricing. If the data is promptly recovered upon receipt of $49.99 in bitcoin, you have a satisfied customer who will spread the word to others to go ahead and pay a small ransom rather than dealing with, at minimum, the hassle of restoring older backups. For good measure, also crank up the firewall and patch whatever exploit you used to get in, to let it be known that ransom payment will make the problem go away once and for all.
Pull a trick like this and nobody is going to pay again, destroying the very industry you are trying to be in.
Because it will be known that ransomware does that and then everyone will know that the claim is bullshit. It is self-defeating.
If ransomware OTOH is known for sending the actual content of the hard drive then it will have a lot more impact.
If you have all your files backed up then you can laugh at the current gen ransomware, but if you have ever written shit about your friends/work or customers with your friends or colleagues then you can't afford to have those e-mails/chat logs to be distributed to your other friends/employer or customers.
Taking regular backups is simple; any asshat is capable of doing that. Being the kind of person Mr. Rogers wants you to be is a lot harder.
1) Share out the Windows drive to a BSD/Linux/Mac server, or allow the backup server to ssh or rsync into the Windows machine. Do *NOT* give the Windows machine write access to the backup server. If it's infected, it's not trustable. It might overwrite previous good backups.
2) Use a *VERSIONING* backup system, so that you don't over-write January's good backup with February's encrypted backup.
3) Put in a few innocent-looking "canary" files that never change. If they do change or disappear, alarm bells go off. Start looking for ransomware *NOW*.
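The three points above (pull-only backups, versioned snapshots, canary files) fit together in a small script. The following is an added illustration, not code from the commenter or from any project; it assumes the backup server has read-only access to the Windows share at a local mount point, uses hard links between snapshots the way rsync's --link-dest does, and refuses to take a new snapshot once a canary has been altered or removed. The file names, the snapshot labels and the simulated wipe in demo() are all constructed for the example.

```python
"""Pull-style versioned backup with canary files (added illustration, not the commenter's code)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed canary paths, relative to the mounted Windows share. Pick dull,
# never-edited files so that any change or disappearance is never legitimate.
CANARY_NAMES = ("Documents/old_budget.xlsx", "Pictures/index.dat")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_canaries(source: Path) -> dict:
    """Hash the canaries once at setup. The baseline lives on the backup
    server, which the (possibly infected) client cannot write to."""
    return {name: sha256_file(source / name) for name in CANARY_NAMES}


def check_canaries(source: Path, baseline: dict) -> list:
    """Names of canaries that vanished or changed; an empty list means all clear."""
    tripped = []
    for name, expected in baseline.items():
        p = source / name
        if not p.is_file() or sha256_file(p) != expected:
            tripped.append(name)
    return tripped


def latest_snapshot(backup_root: Path):
    snaps = sorted(d for d in backup_root.iterdir() if d.is_dir())
    return snaps[-1] if snaps else None


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into backup_root/label. Files identical to the previous
    snapshot are hard-linked to it, so every snapshot is a complete tree while
    unchanged data is stored once. Earlier snapshots are never written to."""
    dest = backup_root / label
    prev = latest_snapshot(backup_root)
    for src_file in source.rglob("*"):
        if not src_file.is_file():
            continue
        rel = src_file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = prev / rel if prev else None
        if old is not None and old.is_file() and sha256_file(old) == sha256_file(src_file):
            try:
                os.link(old, target)  # same bytes: share them with the previous snapshot
                continue
            except OSError:
                pass  # filesystem without hard links: fall back to a plain copy
        shutil.copy2(src_file, target)
    return dest


def run_backup(source: Path, backup_root: Path, baseline: dict, label: str) -> dict:
    """Refuse to snapshot while a canary is tripped, so deleted or encrypted
    data never replaces a good generation; the operator gets the alarm instead."""
    tripped = check_canaries(source, baseline)
    if tripped:
        return {"status": "alarm", "tripped": tripped, "snapshot": None}
    return {"status": "ok", "tripped": [], "snapshot": str(snapshot(source, backup_root, label))}


def demo() -> dict:
    """Constructed end-to-end run: two clean backups, then a simulated wipe."""
    work = Path(tempfile.mkdtemp())
    src, root = work / "share", work / "backups"
    root.mkdir()
    for name, body in {"Documents/thesis.docx": b"draft 1",
                       "Documents/old_budget.xlsx": b"2014 numbers",
                       "Pictures/index.dat": b"\x00\x01\x02"}.items():
        (src / name).parent.mkdir(parents=True, exist_ok=True)
        (src / name).write_bytes(body)
    baseline = record_canaries(src)
    first = run_backup(src, root, baseline, "2016-07-01")
    (src / "Documents/thesis.docx").write_bytes(b"draft 2")
    second = run_backup(src, root, baseline, "2016-07-02")
    # Simulated Ranscam-style behaviour: user files silently removed from the share.
    (src / "Documents/old_budget.xlsx").unlink()
    (src / "Documents/thesis.docx").unlink()
    third = run_backup(src, root, baseline, "2016-07-03")
    kept = (root / "2016-07-02/Documents/thesis.docx").read_bytes().decode()
    return {"first": first["status"], "second": second["status"],
            "third": third["status"], "tripped": third["tripped"],
            "kept": kept, "snapshots": sorted(p.name for p in root.iterdir())}


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the two good snapshots survive and the third run stop with an alarm naming the missing canary. On a real setup the script runs from the backup host's cron, reads the share read-only, and the alarm should page someone rather than just return a dict.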
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
If it gets rid of Windows it is good.
Learn Linux it's so much smarter.
Unfortunately, backups that are connected to the system, such as those running automatically each day, are vulnerable. Is there some sort of a backup system that is normally disconnected unless a backup is being made? A robot arm that physically yanks the USB connection when not in use? Of course, malware could manipulate the robot arm. Hmm.
You.
CLI paste? paste.pr0.tips!
Clearly what we need is a means to tell apart the legitimate ransomware authors from the frauds.
I propose a certification process to determine by thorough testing the credibility of common ransomware and their authors. Passing the certification program would allow the ransomware authors to include a little logo labeled "Certified Trustworthy Ransomware System" on their main splash screen.
Source code.
This isn't entirely true. Backups that are connected to or directly accessible by the machine that contains the data you want to back up are vulnerable.
Backups that are connected to a different machine, that doesn't contain your data and isn't accessible by that machine are safe. I'm working on just such a thing, actually, as part of a remote support and management service I've been building.
"City hall" in German is "Rathaus" Kinda explains a few things......
and how many mass shootings did you read about in Soviet Russia?