Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
Encryption Security Windows Microsoft Operating Systems Privacy Software The Almighty Buck News Build Hardware Technology

Windows Malware Poses As Ransomware, Just Deletes Victims' Files (slashgear.com) 118

An anonymous reader writes: Ranscam, a ransom malware reported by Cisco's Talos Security Intelligence group, claims to have encrypted victims' files and hold them for ransom, but in actuality it has already deleted those files and is simply trying to trick its victims into paying to recover files that are no longer there anymore. SlashGear reports: "Most ransomware follow a similar tactic once they get control of a computer or mobile device. They encrypt certain files, personal documents are a favorite, and then display a message instructing the user to pay, usually with bitcoins, to receive the decryption key to save their files. Ranscam, however, is completely without honor, as much honor as you can find among thieves and scam artists. It claims to have encrypted the users' files and then makes the usual demand. However, it adds an additional threat. For each time the user clicks on the 'payment sent' button but no payment was received, it threatens it will delete a file. That, however, is a total farce. In truth, files have already been deleted, so whether the victim pays or not is moot. The perpetrators don't have any way to recover those deleted files anyway. Also, the threats it flashes users are simply static images fetched from a remote server. Users might just as well be clicking on a two-slide presentation. The good news is that reported Ranscam infections are small, according to Cisco's Talos Security Intelligence group."
This discussion has been archived. No new comments can be posted.

Windows Malware Poses As Ransomware, Just Deletes Victims' Files

Comments Filter:
  • by shione ( 666388 ) on Thursday July 14, 2016 @03:09AM (#52508467) Journal

    The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of slimyness by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.

    • Exactly. While this sucks for any individuals, this is a good thing in the long run if it grows. Not only will it teach people not to pay the ransom, but it, like all ransom ware will teach people to backup their damn files.

      Still, I don't see it being lucrative, as regular ransomware has a better chance of getting the ransom.
      • by Anonymous Coward

        Your computer is infected. Paying could result in any behaviour including:
        - Recovery of all files
        - Recovery of some files and more extortion.
        - Deletion of everything
        - Attempt to install further malware and spread...which in turn could do anything from steal your identity or money to destroying your hardware

        Paying and letting the malware continue to run is an act of desperation. The perpetrators should be hunted down like the animals they are and kept in a cage for the rest of their life.

        • We all know that malware authors are the scum of the earth. However, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society. I personally don't feel like paying anything for the scum that writes malware. Fortunately, I have and better idea: restitution. If files can be recovered, the restitution is the ransom, punitive damages for the lost time and productivity, and interest. If the files can't be recovered, then the cost includes compensation for the los

          • owever, putting them in prison is a waste. Taxpayers get stuck paying for those prisons and it's a drain on society.

            You're right.

            Medical experimentation would be a much better use for them.

            Paging Dr. Mengele...

    • I guess most of the "harm" the ransomware cause is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford buying stuff like hacked computer access or paying programmers. Means they'll go out of business pretty soon.

      Only those malware authors survive which actually pay back the ransom.

      • by Kjella ( 173770 )

        I guess most of the "harm" the ransomware cause is to them. They simply make less money now that this reputation is out. Making less money means having less money. Having less money means they can't afford buying stuff like hacked computer access or paying programmers. Means they'll go out of business pretty soon. Only those malware authors survive which actually pay back the ransom.

        No, this is the problem with counterfeits. If "customers" of ransomware can't tell the difference between ransomware that'll return their files and those that'll don't - which I would think is a safe assumption than they don't - it'll hurt all "vendors" in the market equally. And if those who don't bother to have a decryption system operate at a lower cost/risk and thus higher margin they'll leech off the established "brand" while destroying it. Heck if I recall correctly there was one such ransomware that

        • Well the ransomware vendors that actually offer decryption of course do this for their reputation. They have an incentive to prove to users that they are capable of decrypting files. E.g. they could let users chose three files, and those will get decrypted for free just to prove that the files are still existent.

          The ransomware business model is just too god for it to vanish.

          • by fisted ( 2295862 )

            Clearly what we need is a means to tell apart the legitimate ransomware authors from the frauds.
            I propose a certification process to determine by thorough testing the credibility of common ransomware and their authors. Passing the certification program would allow the ransomware authors to include a little logo labeled "Certified Trustworthy Ransomware System" on their main splash screen.

    • by VValdo ( 10446 ) on Thursday July 14, 2016 @04:10AM (#52508575)

      NPR's Planet Money economics podcast did an episode on this very issue.

      I can't find the original full podcast episode, but here's the shorter All Tech Considered [npr.org] version.

      W

    • They paid Dan "D. B." Cooper $200k...

      • The Cooper hijacking was in 1971. The "U.S. will not yield to blackmail" doctrine was instated by Carter during the 1980 Iranian hostage crisis.

        • by dbIII ( 701233 )
          Reagan paying the ransom didn't work out well either. By the end it had spread from Iran to Hezbolla and classified anti-tank weapons were delivered to Hezbolla in exchange for hostages.
          Now the guy who was arming Hezbolla against Israeli tanks (Oliver North) is one of the guys running the NRA - no wonder they are calling for the right for suspected terrorists to buy guns!
    • by houghi ( 78078 )

      I was thinking the same. The more people will hear this, the less willing they are to pay up. Even with the ones that don't delete the files.

      First less people will reply and those who still call will need more convincing that these files are not gone.

      OTOH I am sure that there will still be enough people who will be giving the money to make it interesting, I am sure. As long as they make more than they would get by not doing it, there will be a market for it.

    • The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of slimyness by ransomware will make people even more reluctant to pay.

      Maybe this is not a bad thing after all, as the ransomware business may become less lucrative if people don't pay anymore thinking their data may actually be deleted for good anyway.

    • Maybe it's just me but.... there's nothing on my home machine I'd "lose" and I really don't understand what "files" people are willing to spend actual money to *maybe* recover. When it comes to industry, sure, that makes sense. But a personal computer? What are you going to lose, some photos that SHOULD have been fired off to googledrive or some other cloud backup? Your music that you can download again? Your software that you can re-install? No, the ransomware isn't really the problem, idiot computer
    • by Canth7 ( 520476 )
      You would think that law enforcement would be involved in releasing this sort of 'ransom'ware. What better way to disrupt this sort of crime industry than to discourage users from paying to recover access?
    • The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of slimyness by ransomware will make people even more reluctant to pay. If people don't pay for ransomware, ransomware will be less of a problem because the people making it don't get what they want, similar to how the US govt doesn't pay ransoms to terry wrists.

      As seasoned IT professionals have been trying to teach users for decades now, the ultimate answer to ransomware (or pretty much any attack) is to have backups of your damn data.

      If the average "It'll never happen to me" idiot user actually did that, ransomware would have never been a viable business in the first place.

    • by arth1 ( 260657 )

      The way ransomware works is it builds trust with the victims that they will get their stuff back if they pay. This kind of slimyness by ransomware will make people even more reluctant to pay.

      This makes it a priority for those who create real ransomware to find and shut down the ones who make the scamsonware. It hurts the ransomware operations. I would not sleep well at night if I were someone who had developed or pushed this.

    • by Minupla ( 62455 )

      Next we'll have look and feel suits where cryptolocker is suing ranscam for looking too much like them :)

  • by Anonymous Coward on Thursday July 14, 2016 @03:15AM (#52508485)

    Seriously, this malware is less evil. Provided the files haven't been overwritten, just deleted, they can be recovered. It's far far easier to recover a deleted file than an encrypted one.

    • by NotInHere ( 3654617 ) on Thursday July 14, 2016 @04:23AM (#52508619)

      Provided the files haven't been overwritten, just deleted, they can be recovered

      Unfortunately, it doesn't look like that. From TFS:

      The script also performs several other destructive actions on the infected system, including the following:

      * Deleting the core Windows executable responsible for System Restores
      * Deleting shadow copies
      * Deleting several registry key associated with booting into Safe Mode
      * Setting registry keys to disable Task Manager
      * Setting the Keyboard Scancode Map

      • by Anonymous Coward

        I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.

        • I guess you are right, and I was wrong, but it still doesn't help you much as you need to know it immediately after you have been infected whether to turn off the computer or not. Some ransomware malware deletes files permanently when you turn off your computer.

          • by fisted ( 2295862 )

            Some ransomware malware deletes files permanently when you turn off your computer.

            That's why you pull the plug/battery instead of asking your OS to shut down.

        • Re: (Score:2, Insightful)

          by Joce640k ( 829181 )

          you can certainly scan the disk for deleted files and recover your data.

          ...says somebody who never actually tried it in real life.

          Let me come over to your house and delete your files, then video you as you try to get them back.

          Even better, let's copy the files to a folder and delete them there then watch you try to recover them. No harm, done, right?

          • I've used Runtime's "GetDataBack" software a few times and every time I've recovered ~90% of the original data, even when I ran it from the same system that the deletion happened on.

            If your data is super important and you don't have a backup for some reason, you could always ship off to DriveSavers. I'm sure they'll be super appreciative that the malware simply deleted the files and didn't encrypt them in place.
            • by dbIII ( 701233 )

              and didn't encrypt them in place

              The typical behaviour is encrypt to a new file and delete the old. Of course if does it on a lot of files the blocks used by those early deleted files can get overwritten.

          • It's not difficult, just really annoying, time consuming and makes you think far too long about how all that messing about could be saved if that person had listened to advice about not using MS Outlook set to automatically open attachments and not opening strange emails.
            Photorec is very good. It is not fast, because when it gets down to it you are asking it to do something difficult. Filenames are of course lost but file types are know and grep plus all the rest can be used if you have a few clues about
        • I don't see anything indicating the data is overwritten on the disk. If the ransomware deleted the files and then zeroed out those sectors, the files would be unrecoverable. However, the article doesn't indicate that such blanking occurs. It doesn't sound like this ransomware is sophisticated enough to do that. If you can shut the system down before your files are overwritten and then mount it read only from another system, you can certainly scan the disk for deleted files and recover your data.

          You do realize how long it has taken for this type of malware to go from delete-moms-dogs-pictures to corporate-network-shares-delete-your-shadow-copies, right?

          In other words, prepare for next-gen-disk-zeroing ransomware variant in 3...2...

        • In addition, most of those activities require elevated privilege on a Windows box. So unless the user turned off UAC (usually only "advanced" users do this) the malware cannot delete shadow copies or windows executables or HKLM registry keys.

          • by dbIII ( 701233 )
            Or one of the thousands of other holes like the print spooler one this week.
          • by fisted ( 2295862 )

            So unless the user turned off UAC (usually only "advanced" users do this)

            The "advanced" users turn it off.
            The rest clicks "Yes" or "Allow".

      • by donaldm ( 919619 )

        The best approach when computer is infected with malware and/or computer viruses is to reinstall your system software from disk or usb stick, then reinstall your personal data from backups.

        What's this I hear you have no idea how to do the above and you never do backups ...? ..? .? Sigh!

        • What's a "backup"?

          • by Alumoi ( 1321661 )

            A SWAT team waiting for your call?
            Some gunships over the horizon?
            Your buddy with more beer?
            Oh, wait, you mean that thingie my IT friend keeps pestering me about? I was just going to do that, right before this disaster. I swear!

      • by dbIII ( 701233 )

        Deleting several registry key associated with booting into Safe Mode

        Not really a problem if you do the sensible thing and access the filesystem with something incompatible with the virus. After all, nobody would be stupid enough to trust an owned system or risk infecting something else would they when the alternative is a free download running off CDROM without even having to install it? They would? They should go back to school and stop telling people they are computer professionals.

      • by Anonymous Coward
        * Deleting several registry key associated with booting into Safe Mode
        * Setting registry keys to disable Task Manager


        There probably isn't a special part of Hell reserved for those who designed and built the Registry, but I can always hope...
      • by xorbe ( 249648 )

        Take hdd out and find deleted files on other PC. Not sure how ssd + trim works in this case ... probably not as well ...

      • Provided the files haven't been overwritten, just deleted, they can be recovered

        On NTFS, files above a certain size cannot be undeleted. I learned this the hard way once when a couple of virtual hard disk (VHD) files over 80GB in size were deleted by accident before the VM had been backed up. Various undelete utilities were tried. All recovered the files with size=0.

    • Even less evil, since if you pay the ransom the malware guys send you a doc on how to recover your files.
    • by dbIII ( 701233 )
      Insightful? Have people here forgotten about disk operations and that the encrypted file is a copy of the original laid down on different blocks before the original is deleted? Eventually stuff is going to be overwritten but before that it is deleted files and a collection of new ones.
      • I'm not sure about how the file system management really works, but I think your cenario is only true if the ransonware creates all encrypted copies and THEN delete all original files. Because if each original is deleted after the encrypted copy is created, how are you so sure that the file management routines are NOT going to use the recently freed sectors to store the new file? On a spinning disk?
        • by dbIII ( 701233 )

          but I think your cenario is only true if the ransonware creates all encrypted copies and THEN delete all original files

          Yes that is how it works. That's why I was able to recover files after a MS Outlook user clicked on the wrong email, which then had IE helpfully run stuff causing the computer to get hit with a cryptolocker variant.

          how are you so sure that the file management routines are NOT going to use the recently freed sectors to store the new file? On a spinning disk?

          It's a statistical thing - perhap

  • by Anonymous Coward

    While the FBI teaches victims to pay the ransom, the hackers pick up the job of teaching people an important lesson, "never give in to extortion."

    • Well sometimes its smarter to give in to extortion. Only you know how important your files are, and if there is a chance to get them back, you can decide yourself whether you want to get them or not. All you can lose in the situation is the ransom money. Yes, you might lose both the money and the files, but the ransomware author has an interest to give you back your files so that you tell others that paying the ransom gives your the files.

      The problem about saying "NEVER" give in to extortion is that the bo

      • by dbIII ( 701233 )

        Only you know how important your files are

        Obviously not important enough to have a backup strategy in place and obviously not important enough to have on an OS suitable for something other than playing video games at home.
        The places that take things seriously have filesystem snapshots and offline backups on tape or similar. You want an MS system? Fine, just make sure the files are stored under the adult supervision of something else that can give you those snapshots etc.
        Someone hacking in from outside can

  • Why not? It is way simpler to write and requires no infrastructure to hold and release keys, etc. If you are crook who would create ransomware you don't have any honour anyway. Of course if this gets more popular, fewer people will be inclined to pay anything since chances of getting files back won't look so good, but criminals are in it for quick buck anyway.
  • ..have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someones personal files altogether is just sick.

    • I don't really see the difference. Unless a ransomware victim pays, the perpetrators delete their files. They're in it for the money as much as these guys are.

      In either instance, the perp is a worthless waste of space and resources.

    • by Kjella ( 173770 )

      Do the people who write this software have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someones personal files altogether is just sick.

      Oh, these people aren't even close to the top of the sociopath scale. This is just the "make profit on faceless victims, haven't met them and don't give a shit" level like owning a sweatshop or slave plantation. The true sociopaths see your pain and suffering and still don't give a shit like rapists and serial killers. Or worse yet, thrive on it. Heck, I'd say these guys don't even reach the level of Nigeria scammers that'll rob you blind and put you in debt for life. Sure, in Internet hyperbole I'd like th

    • Hey if I lived in a country that was untouchable by the USA I'd give it a shot. Easy money by scamming a few rubes.

      • untouchable by the USA

        You'll have to get outside the solar system, at least.. Right now Jupiter, Saturn, Mars, and Pluto, and even the sun are under surveillance.

    • Don't think for a minute that "legit" companies wouldn't engage in this activity if it wasn't illegal and they thought they could make money off of it.

    • ..have ANY sort of moral compass? Are they complete sociopaths? Using encrypted files as blackmail is bad enough, but just deleting someones personal files altogether is just sick.

      I'm sorry, I must be one of those ignorant greybeards who missed that decade when malware writers were nice to their victims, and filled their comment lines with ASCII flower art.

      Hell, we've seen examples of CEOs lacking any sort of moral compass. I fail to see where you think an actual criminal would have one.

  • Meta malware?

  • Whenever a seriously efficient Dark Lord manages to establish an empire of subjugation and terror, the stupid copycats who try to follow their steps manage to ruin the strategy and make it useless.

    • That's only because of definition. If you get evil and malicious enough and become a sufficiently powerful evil lord, then you aren't regarded as evil anymore, but as "powerful".

      Oppress 10 people, and you are a criminal.
      Oppress 1000 people, and you are a terrorist.
      Oppress one million, and you are a king.
      Oppress a billion, and you become so important that nobody can avoid you.

      • by donaldm ( 919619 )

        That's only because of definition. If you get evil and malicious enough and become a sufficiently powerful evil lord, then you aren't regarded as evil anymore, but as "powerful".

        Oppress 10 people, and you are a criminal. Oppress 1000 people, and you are a terrorist. Oppress one million, and you are a king. Oppress a billion, and you become so important that nobody can avoid you.

        The key word is Oppress. There is a certain tipping point when instead of living comfortably you always have to keep looking at shadows in case one of those shadows has a telescopic rifle with your head in the crosshairs. Of course, it is possible that one of those shadows has a knife or poison.

      • Kill a man and you're a murderer
        Kill many and you're a conqueror
        Kill 'em all and you're a god
              - Megadeth

  • It's hard work, however it's much easier to recover a deleted file on Windows than it is to recover an encrypted file. *If*, and that's a big if, you knew where it was.

    • by dbIII ( 701233 )

      It's hard work, however it's much easier to recover a deleted file on Windows than it is to recover an encrypted file. *If*, and that's a big if, you knew where it was.

      Photorec is pretty good at recovering all deleted files it can find on a volume. Of course then you have to sift through a huge number of files where all you know is the type - but that's when you use grep or other things from a system incompatible with the malware that will help you find the files you want among all the recovered temporary files you do not want.

      That means you take the infected thing away from any "windows guru" as rapidly as possible before they overwrite things and/or spread the infecti

      • by MrKaos ( 858439 )

        That means you take the infected thing away from any "windows guru"

        Kind of like an "oxy moron". I know what you mean I've seen the damage they cause.

  • You cant go messing with the perfectly decent business model of ransomware, if word gets around that paying means nothing ransomware will fall apart and no one will ever pay.

    The people who created this will end up dead in a ditch somewhere. You dont fuck with the russian/chinese mob.

  • This is why you don't outsource the file encryption portions of your software project to the lowest bidder.

  • How that malware works, and how does it infect those (poor) Windows machines?
  • 20 years ago — in my younger and gospel-spreading days — I set up my parents' desktops to use FreeBSD.

    Since then I would, once in a while, doubt, whether it was the right decision — especially, when they asked about things like Skype or Flash, which required certain hackery to get working. Was I right imposing my choice of the OS on folks, who just wanted to "use the Internet"?

    But, looking at these near-daily mal/scamware reports targeting Windows, I sure am glad, their systems are immun

  • The whole concept of ransomeware is based on honesty and reasonable pricing. If the data is promptly recovered upon receipt of $49.99 in bitcoin, you have a satisfied customer who will spread the word to others to go ahead and pay a small ransom rather then dealing with, at minimum, a hassle of restoring older backups. For good measure, also crank up firewall and patch whatever exploit you used to get in to let it be known that ransom payment will make the problem go away once and for all.

    Pull a trick like

  • 1) Share out the Windows drive to a BSD/Linux/Mac server, or allow the backup server to ssh or rsync into the Windows machine. Do *NOT* give the Windows machine write access to the backup server. If it's infected, it's not trustable. It might overwrite previous good good backups.

    2) Use a *VERSIONING* backup system, so that you don't over-write January's good backup with February's encrypted backup.

    3) Put in a few innocent-looking "canary" files that never change. If they do change or disappear, alarm bells

"You stay here, Audrey -- this is between me and the vegetable!" -- Seymour, from _Little Shop Of Horrors_

Working...