Ransomware has become such a threat that a new "ransomware" variant is capitalizing on the fear of lost data. The...
new ransomware, called Ranscam, has more in common with scareware because it tricks users into believing they've been hit with ransomware, but it deletes data rather than encrypting it.
Ranscam was discovered by Edmund Brumaghin and Warren Mercer, security researchers at Cisco Talos, who said this new ransomware shares "little resemblance to some of the more established operations."
"There is no longer honor amongst thieves," Brumaghin and Mercer wrote in a blog post and this new ransomware "provides yet another example of why threat actors cannot always be trusted to recover a victim's files, even if the victim complies with the ransomware author's demands."
"[Ranscam] lacks complexity and also tries to use various scare tactics to entice the user" to pay. For example, Ranscam shows victims an image warning that all of the victim's files "have been moved to a hidden partition and crypted (sic)." The image includes a button that claims to verify payment and notifies the user that additional files will be deleted with every unverified payment attempt, but only shows a failure message when clicked.
"The unfortunate reality is, all of the user's files have already been deleted and are unrecoverable by the ransomware author as there is no capability built into Ranscam that actually provides recovery functionality," Brumaghin and Mercer wrote. "The author is simply relying on smoke and mirrors in an attempt to convince victims that their files can be recovered in hopes that they will choose to pay the ransom."
Josh Grunzweig, threat intelligence analyst for Palo Alto Networks' Unit 42, said the files are deleted via the built-in Windows delete command.
"For all intents and purposes, we can treat these files as permanently deleted," Grunzweig told SearchSecurity. "That being said, it's certainly possible that forensics may be able to extract some of these files afterwards, but there's no guarantee."
Talos noted that the makers of this new ransomware appear to not be very advanced threat actors, as shown by the re-use of one Bitcoin wallet address for all payments and for all samples, as well as coding failures.
"Currently the Ranscam campaign does not appear to be widespread and there have been no large-scale email spam campaigns currently leveraging this scareware," Brumaghin and Mercer wrote. "Ranscam shows the desire of adversaries to enter the ransomware/scareware arena. They do not need to use novel attacks or even fully functional ransomware, as seen here; this appears to be an amateur malware author and is not a sophisticated campaign."
Vitali Kremez, cybercrime intelligence analyst at Flashpoint, agreed with this assessment, but said it may be difficult for average users to recognize real ransomware from fake.
"The Ranscam ransomware campaign appears to be a short-lived operation aimed to make fast money by low-level and likely unsophisticated threat actors. Campaigns of this nature allow the attackers to easily infect victims without the need to provide secure and reliable decryption options and maintain the command-and-control infrastructure," Kremez told SearchSecurity. "Once the fake ransomware becomes widely discussed in the media, and victims start recognizing the landing page of the fake ransomware, the effectiveness of such Ranscam campaign would be reduced. Unfortunately, it would be hard for average end users to recognize fake ransomware without obtaining necessary technical skills to detect the decryption algorithms or without proper knowledge of ransomware schemes."
Experts questioned by SearchSecurity were split on whether "ransomware" was the best term for the Ranscam malware. Earl Carter, security research engineer at Cisco Talos, and James Chappell, CTO and co-founder of Digital Shadows, said the term was the best available because Ranscam displays a ransom note and asks for payment. But Philip Casesa, product development strategist at (ISC) ², and Grunzweig said the term "ransom" implies an item that can be given back after payment, which can't happen since Ranscam deletes files.
Despite the disagreement on whether to call Ranscam a new "ransomware" variant or not, all experts agreed that the best tactics to mitigate the risk of Ranscam were the same as with ransomware: phishing education and regular data backups.
Chappell said, "the best insurance policy is to ensure that you have a regularly updated offline backup of your data."
Grunzweig also suggested being wary of suspicious emails.
"Defense against these threats remains the same. Ensure that you're not opening emails from individuals you don't know. Don't open email attachments unless you are absolutely sure about their content. Don't navigate to untrusted websites," Grunzweig said. "I also personally advocate that users install some form of ad-blocking plug-in on their web browsers, as many instances of ransomware have been delivered as part of a malvertising campaign."
Brumaghin and Mercer noted that a comprehensive backup solution will not only help to mitigate the individual risk of ransomware, but fewer victims paying the ransom also has a number of security benefits.
"By paying ransomware authors, organizations are contributing to the proliferation of ransomware by providing threat actors with the capital necessary to mature their capabilities and infect future victims," Brumaghin and Mercer wrote. "Additionally, organizations that pay their attackers make themselves a target for future compromise if they are not successful in or otherwise lack the capability needed to ensure that they have fully eradicated the source of their initial compromise. They also identify themselves as organizations that are willing to pay ransoms, thus they may be targeted more often as threat actors know that they have a higher likelihood of making money by successfully infecting them."
Learn more about preventing a ransomware infection through network security.
Find out about recovering from a ransomware attack with frequent data backups.