Windows Malware Poses As Ransomware, Just Deletes Victims' Files (slashgear.com)
An anonymous reader writes: Ranscam, a ransom malware reported by Cisco's Talos Security Intelligence group, claims to have encrypted victims' files and hold them for ransom, but in actuality it has already deleted those files and is simply trying to trick its victims into paying to recover files that are no longer there. SlashGear reports: "Most ransomware follow a similar tactic once they get control of a computer or mobile device. They encrypt certain files, personal documents are a favorite, and then display a message instructing the user to pay, usually with bitcoins, to receive the decryption key to save their files. Ranscam, however, is completely without honor, as much honor as you can find among thieves and scam artists. It claims to have encrypted the users' files and then makes the usual demand. However, it adds an additional threat. For each time the user clicks on the 'payment sent' button but no payment was received, it threatens it will delete a file. That, however, is a total farce. In truth, files have already been deleted, so whether the victim pays or not is moot. The perpetrators don't have any way to recover those deleted files anyway. Also, the threats it flashes users are simply static images fetched from a remote server. Users might just as well be clicking on a two-slide presentation. The good news is that reported Ranscam infections are small, according to Cisco's Talos Security Intelligence group."
This is actually a good thing in the big picture. (Score:5, Interesting)
The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.
Re: (Score:2)
Still, I don't see it being lucrative, as regular ransomware has a better chance of getting the ransom.
Re: (Score:1)
Your computer is infected. Paying could result in any behaviour including:
- Recovery of all files
- Recovery of some files and more extortion.
- Deletion of everything
- Attempt to install further malware and spread... which in turn could do anything from stealing your identity or money to destroying your hardware
Paying and letting the malware continue to run is an act of desperation. The perpetrators should be hunted down like the animals they are and kept in a cage for the rest of their life.
Re: This is actually a good thing in the big pictu (Score:1)
We all know that malware authors are the scum of the earth. However, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society. I personally don't feel like paying anything for the scum that writes malware. Fortunately, I have a better idea: restitution. If files can be recovered, the restitution is the ransom, punitive damages for the lost time and productivity, and interest. If the files can't be recovered, then the cost includes compensation for the los
Re: (Score:3)
Cool, so when a member of your family does something reprehensible you're all right with us dragging YOU out into the middle of the street and shooting you in the back of the head for the neighborhood to watch?
Re: (Score:2)
and how many mass shootings did you read about in Soviet Russia?
Re: (Score:1)
fuck that shit. Just drag their families out into the middle of the street and line them up on the median line, then walk along behind them and shoot each one in the head while making the cunt watch.
Shooting in the head is far too humane.
Re: (Score:2)
However, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society.
You're right.
Medical experimentation would be a much better use for them.
Paging Dr. Mengele...
Re: (Score:2)
Why not simply, "Pay up or we'll send child porn to everyone in your contact list, claiming it was yours."
Re: (Score:1)
Because it will be known that ransomware does that and then everyone will know that the claim is bullshit. It is self-defeating.
If ransomware OTOH is known for sending the actual content of the hard drive then it will have a lot more impact.
If you have all your files backed up then you can laugh at the current gen ransomware, but if you have ever written shit about your friends/work or customers with your friends or colleagues then you can't afford to have those e-mails/chat logs to be distributed to your o
Re: (Score:2)
You.
Re: (Score:3)
> While this sucks for any individuals
Actually if it only deletes files and does not overwrite them, in contrast to the cryptolockers someone with the right tools should be able to recover most data (possibly even all of it, if the computer wasn't used much). And without having to pay anyone anything.
That is fine on a spinning disc drive, but if the affected files are on an SSD you better try to get them quick before the SSD does any housekeeping tasks.
Re: (Score:2)
Unfortunately, backups that are connected to the system, such as those running automatically each day, are vulnerable. Is there some sort of a backup system that is normally disconnected unless a backup is being made? A robot arm that physically yanks the USB connection when not in use? Of course, malware could manipulate the robot arm. Hmm.
This isn't entirely true. Backups that are connected to or directly accessible by the machine that contains the data you want to back up are vulnerable.
Backups that are connected to a different machine, that doesn't contain your data and isn't accessible by that machine are safe. I'm working on just such a thing, actually, as part of a remote support and management service I've been building.
Re: (Score:3)
I guess most of the "harm" the ransomware causes is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford to buy stuff like hacked computer access or paying programmers. That means they'll go out of business pretty soon.
Only those malware authors survive who actually pay back the ransom.
Re: (Score:3)
I guess most of the "harm" the ransomware causes is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford to buy stuff like hacked computer access or paying programmers. That means they'll go out of business pretty soon. Only those malware authors survive who actually pay back the ransom.
No, this is the problem with counterfeits. If "customers" of ransomware can't tell the difference between ransomware that'll return their files and those that don't - which I would think is a safe assumption, then they don't - it'll hurt all "vendors" in the market equally. And if those who don't bother to have a decryption system operate at a lower cost/risk and thus higher margin they'll leech off the established "brand" while destroying it. Heck if I recall correctly there was one such ransomware that
Re: (Score:2)
Well the ransomware vendors that actually offer decryption of course do this for their reputation. They have an incentive to prove to users that they are capable of decrypting files. E.g. they could let users choose three files, and those will get decrypted for free just to prove that the files still exist.
The ransomware business model is just too good for it to vanish.
Re: (Score:2)
Clearly what we need is a means to tell apart the legitimate ransomware authors from the frauds.
I propose a certification process to determine by thorough testing the credibility of common ransomware and their authors. Passing the certification program would allow the ransomware authors to include a little logo labeled "Certified Trustworthy Ransomware System" on their main splash screen.
To Pay Or Not To Pay? (Score:5, Informative)
NPR's Planet Money economics podcast did an episode on this very issue.
I can't find the original full podcast episode, but here's the shorter All Tech Considered [npr.org] version.
W
Re: (Score:1)
They paid Dan "D. B." Cooper $200k...
Re: (Score:2)
The Cooper hijacking was in 1971. The "U.S. will not yield to blackmail" doctrine was instated by Carter during the 1980 Iranian hostage crisis.
Re: (Score:3)
Now the guy who was arming Hezbollah against Israeli tanks (Oliver North) is one of the guys running the NRA - no wonder they are calling for the right for suspected terrorists to buy guns!
Re: (Score:2)
The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay.
Maybe this is not a bad thing after all, as the ransomware business may become less lucrative if people don't pay anymore thinking their data may actually be deleted for good anyway.
Re: (Score:2)
Source code.
Re: (Score:2)
The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.
As seasoned IT professionals have been trying to teach users for decades now, the ultimate answer to ransomware (or pretty much any attack) is to have backups of your damn data.
If the average "It'll never happen to me" idiot user actually did that, ransomware would have never been a viable business in the first place.
Re: (Score:2)
The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of sliminess by ransomware will make people even more reluctant to pay.
This makes it a priority for those who create real ransomware to find and shut down the ones who make the scamsonware. It hurts the ransomware operations. I would not sleep well at night if I were someone who had developed or pushed this.
Re: (Score:2)
Next we'll have look and feel suits where cryptolocker is suing ranscam for looking too much like them :)
this malware is less evil (Score:3, Insightful)
Seriously, this malware is less evil. Provided the files haven't been overwritten, just deleted, they can be recovered. It's far far easier to recover a deleted file than an encrypted one.
Re:this malware is less evil (Score:5, Informative)
Provided the files haven't been overwritten, just deleted, they can be recovered
Unfortunately, it doesn't look like that. From TFS:
The script also performs several other destructive actions on the infected system, including the following:
* Deleting the core Windows executable responsible for System Restores
* Deleting shadow copies
* Deleting several registry keys associated with booting into Safe Mode
* Setting registry keys to disable Task Manager
* Setting the Keyboard Scancode Map
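The destructive actions listed above are all loud on an endpoint that records process command lines. The following is an added example, not code from the article or from Talos, that runs a few rules over constructed process-creation log lines (the log format, rule names and sample values are assumptions; the registry paths for DisableTaskMgr, SafeBoot and Scancode Map are the real Windows locations). Several of these rules firing within seconds of each other is a stronger signal than any one of them alone.

```python
import re

# Constructed sample of process-creation log lines (not from the article or Talos);
# assumed format: "<time> pid=<n> image=<path> cmd=<command line>".
SAMPLE_LOG = r"""
2016-07-11T10:02:11 pid=1204 image=C:\Windows\System32\svchost.exe cmd=svchost.exe -k netsvcs
2016-07-11T10:02:15 pid=3320 image=C:\Windows\System32\vssadmin.exe cmd=vssadmin.exe Delete Shadows /All /Quiet
2016-07-11T10:02:16 pid=3328 image=C:\Windows\System32\reg.exe cmd=reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2016-07-11T10:02:17 pid=3331 image=C:\Windows\System32\reg.exe cmd=reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /f
2016-07-11T10:02:18 pid=3335 image=C:\Windows\System32\reg.exe cmd=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d 00000000000000000200000000003a0000000000 /f
2016-07-11T10:02:30 pid=3400 image=C:\Program Files\Editor\editor.exe cmd=editor.exe report.docx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>.+?)\s+cmd=(?P<cmd>.*)$")

# One rule per destructive action named in the thread (rule names are hypothetical).
RULES = [
    ("shadow_copies_deleted", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("task_manager_disabled", re.compile(r"\\Policies\\System\b.*\bDisableTaskMgr\b.*/d\s+1\b", re.I)),
    ("safe_mode_keys_deleted", re.compile(r"reg\s+delete\s+.*\\Control\\SafeBoot\b", re.I)),
    ("scancode_map_set", re.compile(r"\\Keyboard Layout\b.*\bScancode Map\b", re.I)),
]


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Return one hit per (line, rule) pair whose command line matches a rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append({"rule": name, "ts": rec["ts"], "pid": int(rec["pid"]), "cmd": rec["cmd"]})
    return hits


def assess(hits, threshold=2):
    """Escalate when several distinct destructive behaviours appear, not just one."""
    rules = sorted({h["rule"] for h in hits})
    return {"rules": rules, "likely_ransomware": len(rules) >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} pid={h['pid']} {h['rule']}: {h['cmd']}")
    print(assess(found))
```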
Re: this malware is less evil (Score:3, Interesting)
I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.
Re: (Score:2)
I guess you are right, and I was wrong, but it still doesn't help you much, as you need to know, immediately after you have been infected, whether to turn off the computer or not. Some ransomware malware deletes files permanently when you turn off your computer.
Re: (Score:2)
Some ransomware malware deletes files permanently when you turn off your computer.
That's why you pull the plug/battery instead of asking your OS to shut down.
Re: (Score:2)
Well, except that the thing appears to do enough damage to the system that not noticing it seems unlikely.
Re: (Score:2, Insightful)
you can certainly scan the disk for deleted files and recover your data.
...says somebody who never actually tried it in real life.
Let me come over to your house and delete your files, then video you as you try to get them back.
Even better, let's copy the files to a folder and delete them there, then watch you try to recover them. No harm done, right?
Re: (Score:3)
If your data is super important and you don't have a backup for some reason, you could always ship off to DriveSavers. I'm sure they'll be super appreciative that the malware simply deleted the files and didn't encrypt them in place.
Re: (Score:2)
The typical behaviour is to encrypt to a new file and delete the old. Of course, if it does it on a lot of files, the blocks used by those early deleted files can get overwritten.
Not difficult at all, but ... (Score:3)
Photorec is very good. It is not fast, because when it gets down to it you are asking it to do something difficult. Filenames are of course lost, but file types are known, and grep plus all the rest can be used if you have a few clues about
Re: (Score:2)
I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.
You do realize how long it has taken for this type of malware to go from delete-moms-dogs-pictures to corporate-network-shares-delete-your-shadow-copies, right?
In other words, prepare for next-gen-disk-zeroing ransomware variant in 3...2...
Re: (Score:2)
In addition, most of those activities require elevated privilege on a Windows box. So unless the user turned off UAC (usually only "advanced" users do this) the malware cannot delete shadow copies or Windows executables or HKLM registry keys.
Re: (Score:2)
So unless the user turned off UAC (usually only "advanced" users do this)
The "advanced" users turn it off.
The rest clicks "Yes" or "Allow".
Re: (Score:1)
The best approach when a computer is infected with malware and/or computer viruses is to reinstall your system software from disk or USB stick, then reinstall your personal data from backups.
What's this I hear you have no idea how to do the above and you never do backups ...? ..? .? Sigh!
Re: (Score:2)
What's a "backup"?
Re: (Score:2)
A SWAT team waiting for your call?
Some gunships over the horizon?
Your buddy with more beer?
Oh, wait, you mean that thingie my IT friend keeps pestering me about? I was just going to do that, right before this disaster. I swear!
Re: (Score:2)
Not really a problem if you do the sensible thing and access the filesystem with something incompatible with the virus. After all, nobody would be stupid enough to trust an owned system or risk infecting something else, would they, when the alternative is a free download running off CDROM without even having to install it? They would? They should go back to school and stop telling people they are computer professionals.
Re: (Score:1)
* Setting registry keys to disable Task Manager
There probably isn't a special part of Hell reserved for those who designed and built the Registry, but I can always hope...
Re: (Score:1)
Take the HDD out and find deleted files on another PC. Not sure how SSD + TRIM works in this case ... probably not as well ...
Re: (Score:2)
Provided the files haven't been overwritten, just deleted, they can be recovered
On NTFS, files above a certain size cannot be undeleted. I learned this the hard way once when a couple of virtual hard disk (VHD) files over 80GB in size were deleted by accident before the VM had been backed up. Various undelete utilities were tried. All recovered the files with size=0.
Re: (Score:2)
Yes that is how it works. That's why I was able to recover files after a MS Outlook user clicked on the wrong email, which then had IE helpfully run stuff causing the computer to get hit with a cryptolocker variant.
It's a statistical thing - perhap
Fighting the good fight that the FBI has abandoned (Score:2, Insightful)
While the FBI teaches victims to pay the ransom, the hackers pick up the job of teaching people an important lesson, "never give in to extortion."
Re: (Score:2)
Well sometimes it's smarter to give in to extortion. Only you know how important your files are, and if there is a chance to get them back, you can decide yourself whether you want to get them or not. All you can lose in the situation is the ransom money. Yes, you might lose both the money and the files, but the ransomware author has an interest to give you back your files so that you tell others that paying the ransom gives you the files.
The problem about saying "NEVER" give in to extortion is that the bo
Re: (Score:2)
it is, it's fiscally enabling a criminal enterprise which is covered under racketeering laws.
Re: (Score:2)
Obviously not important enough to have a backup strategy in place and obviously not important enough to have on an OS suitable for something other than playing video games at home.
The places that take things seriously have filesystem snapshots and offline backups on tape or similar. You want an MS system? Fine, just make sure the files are stored under the adult supervision of something else that can give you those snapshots etc.
Someone hacking in from outside can
Do the people who write this software... (Score:2)
..have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someone's personal files altogether is just sick.
Re: (Score:2)
I don't really see the difference. Unless a ransomware victim pays, the perpetrators delete their files. They're in it for the money as much as these guys are.
In either instance, the perp is a worthless waste of space and resources.
Re: (Score:3)
Do the people who write this software have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someone's personal files altogether is just sick.
Oh, these people aren't even close to the top of the sociopath scale. This is just the "make profit on faceless victims, haven't met them and don't give a shit" level like owning a sweatshop or slave plantation. The true sociopaths see your pain and suffering and still don't give a shit like rapists and serial killers. Or worse yet, thrive on it. Heck, I'd say these guys don't even reach the level of Nigeria scammers that'll rob you blind and put you in debt for life. Sure, in Internet hyperbole I'd like th
Re: (Score:2)
Hey if I lived in a country that was untouchable by the USA I'd give it a shot. Easy money by scamming a few rubes.
Re: (Score:2)
untouchable by the USA
You'll have to get outside the solar system, at least. Right now Jupiter, Saturn, Mars, and Pluto, and even the sun are under surveillance.
Re: (Score:2)
Don't think for a minute that "legit" companies wouldn't engage in this activity if it wasn't illegal and they thought they could make money off of it.
Re: (Score:2)
..have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someone's personal files altogether is just sick.
I'm sorry, I must be one of those ignorant greybeards who missed that decade when malware writers were nice to their victims, and filled their comment lines with ASCII flower art.
Hell, we've seen examples of CEOs lacking any sort of moral compass. I fail to see where you think an actual criminal would have one.
So in other words (Score:2)
Meta malware?
And this is why Evil never wins in the end (Score:2)
Whenever a seriously efficient Dark Lord manages to establish an empire of subjugation and terror, the stupid copycats who try to follow their steps manage to ruin the strategy and make it useless.
Re: (Score:2)
That's only because of definition. If you get evil and malicious enough and become a sufficiently powerful evil lord, then you aren't regarded as evil anymore, but as "powerful".
Oppress 10 people, and you are a criminal.
Oppress 1000 people, and you are a terrorist.
Oppress one million, and you are a king.
Oppress a billion, and you become so important that nobody can avoid you.
Re: (Score:1)
That's only because of definition. If you get evil and malicious enough and become a sufficiently powerful evil lord, then you aren't regarded as evil anymore, but as "powerful".
Oppress 10 people, and you are a criminal. Oppress 1000 people, and you are a terrorist. Oppress one million, and you are a king. Oppress a billion, and you become so important that nobody can avoid you.
The key word is Oppress. There is a certain tipping point when instead of living comfortably you always have to keep looking at shadows in case one of those shadows has a telescopic rifle with your head in the crosshairs. Of course, it is possible that one of those shadows has a knife or poison.
Re: (Score:2)
Kill a man and you're a murderer
Kill many and you're a conqueror
Kill 'em all and you're a god
- Megadeth
Re: (Score:2)
Valar morghulis
Re: (Score:2)
Alert: if you don't select within 10 seconds, we'll install Windows 10 on your PC... oh wait.
Easier to recover. (Score:2)
It's hard work, however it's much easier to recover a deleted file on Windows than it is to recover an encrypted file. *If*, and that's a big if, you knew where it was.
Re: (Score:2)
It's hard work, however it's much easier to recover a deleted file on Windows than it is to recover an encrypted file. *If*, and that's a big if, you knew where it was.
Photorec is pretty good at recovering all deleted files it can find on a volume. Of course then you have to sift through a huge number of files where all you know is the type - but that's when you use grep or other things from a system incompatible with the malware that will help you find the files you want among all the recovered temporary files you do not want.
That means you take the infected thing away from any "windows guru" as rapidly as possible before they overwrite things and/or spread the infecti
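The Photorec-style recovery described in this comment and in "Not difficult at all, but ..." above works by scanning raw disk bytes for file signatures, since the deleted files' names and directory entries are gone. The following is an added example, not code from the thread or from Photorec, that carves a constructed disk image by header/footer signatures and validates a carved PNG chunk by chunk (a carve that runs into an overwritten region fails validation); the image contents and file stubs are constructed samples.

```python
import struct
import zlib

# (header, footer, bytes that follow the footer) per type; filenames are not needed.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),   # IEND chunk is followed by its 4-byte CRC
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 0),     # SOI marker ... EOI marker
}


def carve(image, signatures=SIGNATURES, max_size=1 << 20):
    """Signature-based carving over raw bytes: scan for each header, then its footer."""
    found = []
    for kind, (header, footer, trailer) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:                        # header without a footer in range: skip it
                pos = image.find(header, pos + 1)
                continue
            end += len(footer) + trailer
            found.append((pos, kind, bytes(image[pos:end])))
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f[0])     # in disk order, whatever the type


def png_intact(data):
    """Walk the chunks and verify every CRC; a truncated or partly overwritten carve fails."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return False
    pos = 8
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        body = data[pos + 4:pos + 8 + length]           # chunk type + chunk data
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if len(body) != 4 + length or (zlib.crc32(body) & 0xFFFFFFFF) != crc:
            return False
        if body[:4] == b"IEND":
            return True
        pos += 12 + length
    return False


def make_png(width=1, height=1):
    """Build a minimal valid RGB PNG in memory (constructed sample, solid red)."""
    def chunk(tag, data):
        body = tag + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + b"\xff\x00\x00" * width        # filter byte 0, then RGB pixels
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(row * height)) + chunk(b"IEND", b""))


def build_sample_image():
    """Constructed 'unallocated space': noise, a JPEG stub, noise, a PNG, a zeroed region."""
    filler = bytes(range(256)) * 8                  # contains none of the signatures
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(1, 65)) + b"\xff\xd9"
    png = make_png()
    zeroed = b"\x00" * 512                          # what a wiper would leave: nothing carvable
    return bytearray(filler + jpg + filler + png + zeroed + filler), png, jpg


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, kind, data in carve(image):
        ok = png_intact(data) if kind == "png" else "n/a"
        print(f"offset={offset} type={kind} size={len(data)} intact={ok}")
```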
Re: (Score:2)
That means you take the infected thing away from any "windows guru"
Kind of like an "oxy moron". I know what you mean; I've seen the damage they cause.
Well the creators of this will end up dead.. (Score:1)
You can't go messing with the perfectly decent business model of ransomware; if word gets around that paying means nothing, ransomware will fall apart and no one will ever pay.
The people who created this will end up dead in a ditch somewhere. You don't fuck with the Russian/Chinese mob.
Lesson learned (Score:2)
This is why you don't outsource the file encryption portions of your software project to the lowest bidder.
What does the malware target? (Score:2)
Am I glad, my parents are on Unix (Score:2)
20 years ago — in my younger and gospel-spreading days — I set up my parents' desktops to use FreeBSD.
Since then I would, once in a while, doubt, whether it was the right decision — especially, when they asked about things like Skype or Flash, which required certain hackery to get working. Was I right imposing my choice of the OS on folks, who just wanted to "use the Internet"?
But, looking at these near-daily mal/scamware reports targeting Windows, I sure am glad, their systems are immun
Gives honest ransomware creators a bad name! (Score:2)
The whole concept of ransomware is based on honesty and reasonable pricing. If the data is promptly recovered upon receipt of $49.99 in bitcoin, you have a satisfied customer who will spread the word to others to go ahead and pay a small ransom rather than dealing with, at minimum, the hassle of restoring older backups. For good measure, also crank up the firewall and patch whatever exploit you used to get in to let it be known that ransom payment will make the problem go away once and for all.
Pull a trick like
Backup... do it right (Score:2)
1) Share out the Windows drive to a BSD/Linux/Mac server, or allow the backup server to ssh or rsync into the Windows machine. Do *NOT* give the Windows machine write access to the backup server. If it's infected, it's not trustable. It might overwrite previous good backups.
2) Use a *VERSIONING* backup system, so that you don't over-write January's good backup with February's encrypted backup.
3) Put in a few innocent-looking "canary" files that never change. If they do change or disappear, alarm bells
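The three steps above (pull-only access, versioned snapshots, canary files) combine into one small routine run on the backup server. The following is an added example, not the commenter's own tooling: it snapshots a source tree into a new dated directory per run, never overwrites an earlier snapshot, and refuses to run when a canary file has changed or vanished. The directory layout, function names and the scenario in demo() are assumptions; the copy step stands in for rsync/ssh.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def register_canaries(source: Path, names) -> dict:
    """Step 3: record the digests of files that must never change."""
    return {name: sha256_file(source / name) for name in names}


def check_canaries(source: Path, canaries: dict) -> list:
    """Return a description of every canary that is missing or has been altered."""
    problems = []
    for name, expected in canaries.items():
        p = source / name
        if not p.exists():
            problems.append(f"missing: {name}")
        elif sha256_file(p) != expected:
            problems.append(f"changed: {name}")
    return problems


def take_snapshot(source: Path, backup_root: Path, stamp: str, canaries: dict) -> dict:
    """Steps 1 and 2: the server pulls from the source (read-only from its side) into a
    fresh directory per run; an existing snapshot is never overwritten; a canary alarm
    stops the run so an encrypted tree does not become the newest 'good' backup."""
    problems = check_canaries(source, canaries)
    if problems:
        return {"ok": False, "snapshot": None, "alarms": problems}
    dest = backup_root / stamp
    if dest.exists():
        raise FileExistsError(f"snapshot {stamp} already exists; versions are immutable")
    shutil.copytree(source, dest)
    return {"ok": True, "snapshot": dest, "alarms": []}


def demo() -> dict:
    """Constructed scenario: two clean runs, then a run after the canary was tampered with."""
    work = Path(tempfile.mkdtemp())
    source, backup_root = work / "windows_share", work / "backups"
    source.mkdir()
    backup_root.mkdir()
    (source / "report.docx").write_bytes(b"January report")
    (source / "canary.txt").write_bytes(b"never changes")
    canaries = register_canaries(source, ["canary.txt"])
    r1 = take_snapshot(source, backup_root, "2016-01", canaries)
    (source / "report.docx").write_bytes(b"February report")      # legitimate edit
    r2 = take_snapshot(source, backup_root, "2016-02", canaries)
    (source / "canary.txt").write_bytes(b"ENCRYPTED JUNK")        # simulated ransomware hit
    r3 = take_snapshot(source, backup_root, "2016-03", canaries)
    result = {
        "first_ok": r1["ok"], "second_ok": r2["ok"], "third_ok": r3["ok"],
        "third_alarms": r3["alarms"],
        "january_report": (backup_root / "2016-01" / "report.docx").read_bytes(),
        "february_report": (backup_root / "2016-02" / "report.docx").read_bytes(),
        "snapshots": sorted(p.name for p in backup_root.iterdir()),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```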