Rancam Ransomware Doesn't Encrypt; It Deletes
Posted by: Timothy Weaver on 07/13/2016 09:56 AM
[
Comments
]
A new strain of ransomware seems to indicate that the hackers are just plain lazy.
According to two researchers, Edmund Brumaghin and Warren Mercer, the ransomware produces a ransom note after the system is infected. The ransom note asks for 0.2 BTC ($130 US) to unlock their files. It claims that the files have been moved to a hidden partition on the victims system.
“Once your Bitcoin payment is received your computer and files will be returned to normal instantly,” the ransom note claims.
But the claim is false. Once the user clicks a verification button claiming they’ve paid, the note changes and the button morphs into a “Payment not verified” button. The button does nothing as the files have already been deleted. There is no way to reclaim the files as they were never encrypted to begin with.
The method of attack is with the start of a batch file that begins the process and is followed up by a script that deletes a slew of important files: the core Windows .EXE responsible for System restores, shadow copies, and registry keys associated with booting the machine into Safe Mode.
The researchers have noted that the ransomware has not as yet been incorporated into any wide spread email campaign.
Source: Threat Post
According to two researchers, Edmund Brumaghin and Warren Mercer, the ransomware produces a ransom note after the system is infected. The ransom note asks for 0.2 BTC ($130 US) to unlock their files. It claims that the files have been moved to a hidden partition on the victims system.
“Once your Bitcoin payment is received your computer and files will be returned to normal instantly,” the ransom note claims.
But the claim is false. Once the user clicks a verification button claiming they’ve paid, the note changes and the button morphs into a “Payment not verified” button. The button does nothing as the files have already been deleted. There is no way to reclaim the files as they were never encrypted to begin with.
The method of attack is with the start of a batch file that begins the process and is followed up by a script that deletes a slew of important files: the core Windows .EXE responsible for System restores, shadow copies, and registry keys associated with booting the machine into Safe Mode.
The researchers have noted that the ransomware has not as yet been incorporated into any wide spread email campaign.
Source: Threat Post
Comments
