Researchers spotted a ransomware using clever scare tactics while targeting pedophiles.

Proofpoint researchers spotted a ransomware dubbed Ransoc that uses bold tactics to target and extort pedophiles and torrent users.

While anyone with an unsecured machine may be infected, Ransoc scrapes Skype and social media profiles for personal information and scans files and torrents for potentially sensitive information, including strings associated with child pornography. The aim is to gain more leverage over victims who may have child pornography or other illegal files, according to a Nov. 14 blog post.

The ransomware is spread via malvertising, primarily fed by the Plugrush and Traffic Shop traffic exchanges on adult websites, and targets Internet Explorer on Windows and Safari on OS X. Once a user is infected, the malware uses a screen locker that displays information from the victim's social media and may display a customized “Penalty Notice” if the malware believes it has spotted illegal files on the user's device.

The notice also threatens to take the victim to trial and to publicly release all of the files collected by the ransomware if the victim doesn't pay. Researchers noted in the blog that the ransomware is targeting the victim's reputation rather than their files.

The malware also attempts to encourage payment by telling users their ransom will be refunded if the victim isn't caught again within 180 days.

The collection method also shows how confident the malware's authors are: it requests credit card information, which is easier for authorities to trace than Bitcoin or other cryptocurrencies. Researchers said in the post that this implies the attackers are confident victims would rather pay the ransom.

“This ransomware is unique in how it functions and the sorts of information it collects,” Proofpoint's Threat Operations Center Vice President Kevin Epstein told SC Media via emailed comments. “It's blackmail-ware rather than hostage-ware.”

The widespread use of ransomware and the increasing awareness of the malware have led more users to back up their files, rendering traditional hostage-based ransomware less intimidating.

“If a victim has their files backed up, they can just restore the files instead of paying a ransom to decrypt them,” Epstein said. “But blackmail is a new twist -- the threat of exposing illegal or even questionable activities on professional or personal social networks may be a far more compelling way to convince victims to pay up.”

Epstein added that in future attacks like these, threat actors will focus on targeting the human factor.