Proofpoint researchers have discovered ‘Ransoc’, a new desktop-locking ransomware that is triggered when it finds potential evidence of child pornography or media files downloaded via Torrents on the target machine.
While most ransomware encrypts a victim's files and demands that a ransom be paid in Bitcoins to decrypt them, Ransoc scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information.
Instead of encrypting files, it uses what it finds to customise a penalty notice, and then threatens victims with fake legal proceedings if they fail to pay the ransom.
Proofpoint has said that this penalty notice only appears if the malware finds potential evidence of child pornography or media files downloaded via Torrents. The researchers added, “If we manually changed file names to match specific strings, we were able to trigger the penalty notice.”
Thanks to the scraping and scanning the ransomware does, it is able to display accurate personal data captured from Skype and social media profiles, including profile photos.
It threatens to expose the collected "evidence" to the public, with legitimate social profile information being used as a social engineering lure to convince victims that sensitive information may actually be at risk of exposure.
Unlike most ransomware variants, Proofpoint points out that the target here is the victim's reputation rather than their files. The researchers claim that Ransoc also includes capabilities that may allow it to access a victim's webcam, although they did not verify this functionality.
Finally, Ransoc asks for payment via credit card. Credit card payment is almost unheard of in ransomware schemes. While it removes the hassle and confusion associated with Bitcoin processing for many victims, it also potentially allows law enforcement to trace activity back to the cyber-criminal more easily.
Proofpoint said, “This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement.”