Sloppy but Dangerous: Fake Ransomware
Conventional ransomware encrypts the victims’ files and holds them hostage, unavailable to their owners, promising to provide a decryptor once the victims pay the ransom. In some cases being tracked by security firm Cyble, however, the operators offer nothing in return. The files are in fact deleted.
One such group working with “fake ransomware” is trolling for victims on malicious adult websites (more malicious than the usual run). The phishbait that lures the victims to bite is a specially crafted website (with URLs like “nude-girlss [dot] mywire [dot] org,” “sexyphotos [dot] kozow [dot] com,” and “sexy-photo [dot] online”). The phish hook is an executable named “SexyPhotos [dot] JPG [dot] exe.” The unknown criminals behind the phishing campaign are, of course, hoping that the marks won’t read past “SexyPhotos,” or, failing that, certainly not past “JPG,” which their eager eyes will inevitably tell their eager brain translates to “no, really, saucy pix here.” And in any case the victims’ system may hide file extensions by default, so the victims may not even see “[dot] exe” in the first place.
Cyble explained in their research report:
“Fake ransomware acts as a usual ransomware but does not encrypt the files. The Fake ransomware shows false information that the files are encrypted and threatens the user to pay ransom for decryption. There is a possibility that victims can pay ransom to recover the files as they are renamed and unusable. We are not sure about the authenticity of the decryptor if the ransom is paid. Even if the decryptor is provided, renaming files to their original file name is not possible as the malware is not storing them anywhere during the infection.”
The hoods are demanding $300 in Bitcoin, with the ransom doubling to $600 if the initial demand isn’t met in three days. The victims have seven more days to pay the $600, at which point, the extortionists say, they’ll permanently delete the files. In truth the files are already effectively gone, and it seems unlikely to researchers that the criminals actually have a decryptor. They’re sloppy. In this case, however, Cyble thinks the sloppiness might work to the victims’ advantage. BleepingComputer says, “A possible way to recover from this malware would be to restore your OS to a previous state since the fake ransomware doesn’t delete shadow copies. Of course, this could still result in data loss, depending on the date of the last restore point.”
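Because this malware only renames files and never encrypts their contents, a responder can often give each file a working extension back by sniffing its leading bytes, even though the original names are lost. The script below is an added illustration, not code from Cyble, BleepingComputer or the malware itself; it assumes the renamed files all carry one bogus suffix (the placeholder `.locked` here, since the report does not give the real one) and that the file bodies are intact.

```python
"""Recover a usable extension for files that were renamed but not encrypted."""
import tempfile
from pathlib import Path

# Constructed table of leading-byte signatures for a few common file types.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),  # also Office .docx/.xlsx/.pptx containers
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]

def sniff_extension(path):
    """Return a likely extension from the file's first bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None

def restore_extensions(directory, suspect_suffix, apply=False):
    """Plan (and with apply=True perform) renames for files carrying suspect_suffix.

    The original names are gone (the malware keeps no mapping), so only the
    extension is replaced; unknown content is skipped for manual review.
    Returns {old_name: new_name}.
    """
    plan = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix != suspect_suffix:
            continue
        ext = sniff_extension(path)
        if ext is None:
            continue
        target = path.with_suffix(ext)
        plan[path.name] = target.name
        if apply and not target.exists():
            path.rename(target)
    return plan

def demo():
    """Build a constructed sample directory (".locked" is a placeholder suffix) and recover it."""
    tmp = Path(tempfile.mkdtemp())
    samples = {
        "a1f3.locked": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,  # PNG body
        "b7c2.locked": b"%PDF-1.4\n%...",                   # PDF body
        "c9d0.locked": b"\x00\x00\x00\x00junk",             # unknown, left alone
        "notes.txt": b"untouched, no suspect suffix",
    }
    for name, data in samples.items():
        (tmp / name).write_bytes(data)
    return restore_extensions(tmp, ".locked", apply=True)
```

Run `demo()` to see the plan for the constructed samples; on a real system, call `restore_extensions` with `apply=False` first and review the plan before renaming anything.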
One lesson to take away from this is to follow a practice of regularly backing up important files. “In general, regular backups of your most important data would be the best practice, as an OS re-installation should be the quickest way out of this trouble,” BleepingComputer writes.
Other lessons include the obvious one of staying away from adult sites, but, like much obvious advice, this counsel is all too likely to be overlooked. New-school security awareness training might help by sensitizing users to the dangers of executables and, of course, to the risks inherent in downloading untrusted files from untrustworthy sites.