Windows Malware Poses As Ransomware, Just Deletes Victims' Files

An anonymous reader writes: Ranscam, a ransom malware reported by Cisco's Talos Security Intelligence group, claims to have encrypted victims' files and hold them for ransom, but in actuality it has already deleted those files and is simply trying to trick its victims into paying to recover files that are no longer there anymore. SlashGear reports: "Most ransomware follow a similar tactic once they get control of a computer or mobile device. They encrypt certain files, personal documents are a favorite, and then display a message instructing the user to pay, usually with bitcoins, to receive the decryption key to save their files. Ranscam, however, is completely without honor, as much honor as you can find among thieves and scam artists. It claims to have encrypted the users' files and then makes the usual demand. However, it adds an additional threat. For each time the user clicks on the 'payment sent' button but no payment was received, it threatens it will delete a file. That, however, is a total farce. In truth, files have already been deleted, so whether the victim pays or not is moot. The perpetrators don't have any way to recover those deleted files anyway. Also, the threats it flashes users are simply static images fetched from a remote server. Users might just as well be clicking on a two-slide presentation. The good news is that reported Ranscam infections are small, according to Cisco's Talos Security Intelligence group."

This is actually a good thing in the big picture.

[shione]

The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of slimyness by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.

Re: this malware is less evil

I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.