Slashdot Mirror


Windows Malware Poses As Ransomware, Just Deletes Victims' Files (slashgear.com)

An anonymous reader writes: Ranscam, a ransom malware reported by Cisco's Talos Security Intelligence group, claims to have encrypted victims' files and hold them for ransom, but in actuality it has already deleted those files and is simply trying to trick its victims into paying to recover files that are no longer there anymore. SlashGear reports: "Most ransomware follow a similar tactic once they get control of a computer or mobile device. They encrypt certain files, personal documents are a favorite, and then display a message instructing the user to pay, usually with bitcoins, to receive the decryption key to save their files. Ranscam, however, is completely without honor, as much honor as you can find among thieves and scam artists. It claims to have encrypted the users' files and then makes the usual demand. However, it adds an additional threat. For each time the user clicks on the 'payment sent' button but no payment was received, it threatens it will delete a file. That, however, is a total farce. In truth, files have already been deleted, so whether the victim pays or not is moot. The perpetrators don't have any way to recover those deleted files anyway. Also, the threats it flashes users are simply static images fetched from a remote server. Users might just as well be clicking on a two-slide presentation. The good news is that reported Ranscam infections are small, according to Cisco's Talos Security Intelligence group."

15 of 118 comments

  1. This is actually a good thing in the big picture. by shione · · Score: 5, Interesting

    The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.

  2. this malware is less evil by Anonymous Coward · · Score: 3, Insightful

    Seriously, this malware is less evil. Provided the files haven't been overwritten, just deleted, they can be recovered. It's far far easier to recover a deleted file than an encrypted one.

    1. Re:this malware is less evil by NotInHere · · Score: 4, Informative

      > Provided the files haven't been overwritten, just deleted, they can be recovered

      Unfortunately, it doesn't look like that. From TFS:

      The script also performs several other destructive actions on the infected system, including the following:

      * Deleting the core Windows executable responsible for System Restores
      * Deleting shadow copies
      * Deleting several registry keys associated with booting into Safe Mode
      * Setting registry keys to disable Task Manager
      * Setting the Keyboard Scancode Map
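The five behaviours quoted in the comment above make a usable correlation rule for defenders. The following is an added example, not part of the thread or of the Talos report: it flags a host only when several of those behaviours appear together. The event schema (`host`, `kind`, `target`), the host names, and the concrete commands and registry paths are assumptions based on standard Windows locations.

```python
import re

# Behaviours from the list quoted above. The concrete commands and registry
# paths are assumptions (standard Windows locations), not values from the report.
RULES = [
    ("shadow_copy_deletion", "process",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("system_restore_binary_deleted", "file_delete",
     re.compile(r"\\windows\\system32\\rstrui\.exe$", re.I)),
    ("safe_mode_keys_deleted", "reg_delete",
     re.compile(r"\\control\\safeboot(\\|$)", re.I)),
    ("task_manager_disabled", "reg_set",
     re.compile(r"\\policies\\system\\disabletaskmgr$", re.I)),
    ("scancode_map_set", "reg_set",
     re.compile(r"\\control\\keyboard layout\\scancode map$", re.I)),
]

def match_event(event):
    """Return the names of all rules that match one normalised event."""
    return [name for name, kind, rx in RULES
            if event["kind"] == kind and rx.search(event["target"])]

def score_hosts(events, threshold=3):
    """Flag hosts that show at least `threshold` distinct behaviours.

    One behaviour alone (e.g. a keyboard remapper setting Scancode Map)
    is common on clean machines; the combination is what stands out.
    """
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()
            if len(names) >= threshold}

# Constructed sample telemetry (hypothetical hosts, normalised event kinds).
SAMPLE_EVENTS = [
    {"host": "PC-01", "kind": "process", "target": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "PC-01", "kind": "file_delete", "target": r"C:\Windows\System32\rstrui.exe"},
    {"host": "PC-01", "kind": "reg_delete", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"},
    {"host": "PC-01", "kind": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"host": "PC-01", "kind": "reg_set", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map"},
    {"host": "PC-02", "kind": "process", "target": r"vssadmin.exe list shadows"},
    {"host": "PC-02", "kind": "reg_set", "target": r"HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map"},
]

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(host, names)
```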

    2. Re: this malware is less evil by Anonymous Coward · · Score: 3, Interesting

      I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.

    3. Re: this malware is less evil by sbrown7792 · · Score: 2

      I've used Runtime's "GetDataBack" software a few times and every time I've recovered ~90% of the original data, even when I ran it from the same system that the deletion happened on.

      If your data is super important and you don't have a backup for some reason, you could always ship off to DriveSavers. I'm sure they'll be super appreciative that the malware simply deleted the files and didn't encrypt them in place.

  3. Fighting the good fight that the FBI has abandoned by Anonymous Coward · · Score: 2, Insightful

    While the FBI teaches victims to pay the ransom, the hackers pick up the job of teaching people an important lesson, "never give in to extortion."

  4. Re:This is actually a good thing in the big pictur by NotInHere · · Score: 2

    I guess most of the "harm" the ransomware causes is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford buying stuff like hacked computer access or paying programmers. Means they'll go out of business pretty soon.

    Only those malware authors survive which actually pay back the ransom.

  5. To Pay Or Not To Pay? by VValdo · · Score: 4, Informative

    NPR's Planet Money economics podcast did an episode on this very issue.

    I can't find the original full podcast episode, but here's the shorter All Tech Considered version.

    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.
  6. Re:Do the people who write this software... by Kjella · · Score: 2

    > Do the people who write this software have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someone's personal files altogether is just sick.

    Oh, these people aren't even close to the top of the sociopath scale. This is just the "make profit on faceless victims, haven't met them and don't give a shit" level like owning a sweatshop or slave plantation. The true sociopaths see your pain and suffering and still don't give a shit like rapists and serial killers. Or worse yet, thrive on it. Heck, I'd say these guys don't even reach the level of Nigeria scammers that'll rob you blind and put you in debt for life. Sure, in Internet hyperbole I'd like them in front of an execution squad along with all the other spammers, frauds and malware authors but I'd still reserve a few circles of hell for the truly nasty people. And while they're maybe one in a million, these garden variety sociopaths are maybe one in a thousand so multiply by 7 billion. There will be a few...

    --
    Live today, because you never know what tomorrow brings
  7. Re:This is actually a good thing in the big pictur by Kjella · · Score: 2

    > I guess most of the "harm" the ransomware causes is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford buying stuff like hacked computer access or paying programmers. Means they'll go out of business pretty soon. Only those malware authors survive which actually pay back the ransom.

    No, this is the problem with counterfeits. If "customers" of ransomware can't tell the difference between ransomware that'll return their files and those that won't - which I would think is a safe assumption that they don't - it'll hurt all "vendors" in the market equally. And if those who don't bother to have a decryption system operate at a lower cost/risk and thus higher margin they'll leech off the established "brand" while destroying it. Heck if I recall correctly there was one such ransomware that didn't bother doing anything at all, it simply told the customers their files were locked and some people paid simply on that belief. You're already dealing with criminals here, adding fraud to blackmail doesn't bother them.

    --
    Live today, because you never know what tomorrow brings
  8. Not difficult at all, but ... by dbIII · · Score: 2

    It's not difficult, just really annoying, time consuming and makes you think far too long about how all that messing about could be saved if that person had listened to advice about not using MS Outlook set to automatically open attachments and not opening strange emails.
    Photorec is very good. It is not fast, because when it gets down to it you are asking it to do something difficult. Filenames are of course lost but file types are known and grep plus all the rest can be used if you have a few clues about what you are looking for. Of course it turns up a vast number of files you are not looking for - a very large number of the temporary files used over years are likely to turn up.
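The recovery approach discussed in this comment and in the earlier replies about scanning a disk for deleted files is signature-based carving. The following is an added example, not part of the thread and not PhotoRec's actual algorithm: a simplified header/footer carver run over a constructed in-memory "disk image", showing why file types survive while names do not, and why a file whose first bytes were overwritten is missed. The function names and sample data are hypothetical.

```python
# Header/footer magic numbers for a few common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
MAX_SIZE = 10 * 1024 * 1024  # stop looking for a footer after this many bytes

def carve(image: bytes):
    """Return [(type, offset, data)] for each header..footer run in a raw image.

    Works on contiguous, non-overwritten data only. Real carvers also parse
    the file structure, since footer bytes can occur inside a file body.
    """
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) != -1:
            end = image.find(foot, start + len(head), start + MAX_SIZE)
            if end == -1:
                pos = start + 1  # header without footer: truncated or overwritten
                continue
            end += len(foot)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])

def build_sample_image() -> bytes:
    """Constructed sample: three deleted files plus one with a wiped header."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n" + b"D" * 20 + b"%%EOF"
    wiped = b"\x00" * 8 + png[8:]  # same PNG after its first bytes were reused
    return (b"\x00" * 512 + jpg + b"\x00" * 100 + png +
            b"\x00" * 64 + wiped + b"\x00" * 32 + pdf + b"\x00" * 200)

if __name__ == "__main__":
    for n, (ftype, offset, data) in enumerate(carve(build_sample_image())):
        # Original names live in filesystem metadata, so output is numbered.
        print(f"recovered_{n:04d}.{ftype} offset={offset} size={len(data)}")
```

Run a carver like this against a read-only image of the affected disk, never the live volume, so the recovery itself does not overwrite freed space.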

  9. Re: This is actually a good thing in the big pictu by barc0001 · · Score: 2

    Cool, so when a member of your family does something reprehensible you're all right with us dragging YOU out into the middle of the street and shooting you in the back of the head for the neighborhood to watch?

  10. Re:This is actually a good thing in the big pictur by dbIII · · Score: 2

    Reagan paying the ransom didn't work out well either. By the end it had spread from Iran to Hezbollah and classified anti-tank weapons were delivered to Hezbollah in exchange for hostages.
    Now the guy who was arming Hezbollah against Israeli tanks (Oliver North) is one of the guys running the NRA - no wonder they are calling for the right for suspected terrorists to buy guns!

  11. Re:This is actually a good thing in the big pictur by bev_tech_rob · · Score: 2

    > While this sucks for any individuals

    Actually if it only deletes files and does not overwrite them, in contrast to the cryptolockers someone with the right tools should be able to recover most data (possibly even all of it, if the computer wasn't used much). And without having to pay anyone anything.

    That is fine on a spinning disc drive, but if the affected files are on an SSD you better try to get them quick before the SSD does any housekeeping tasks.

    --
    You're messin' with my Zen Thing, man.....
  12. Re:Do the people who write this software... by fustakrakich · · Score: 2

    > untouchable by the USA

    You'll have to get outside the solar system, at least.. Right now Jupiter, Saturn, Mars, and Pluto, and even the sun are under surveillance.

    --
    “He’s not deformed, he’s just drunk!”