If you thought ransomware was as low as malware could go, the newly found “Ranscam” goes one step further. Ranscam purports to be standard ransomware, claiming it has encrypted all your files and that they won’t be unlocked until you pay up.
Cisco’s Talos Intelligence discovered that Ranscam isn’t typical ransomware, though. Even if you pay, you will never get your files back: Ranscam doesn’t encrypt them at all, it permanently deletes them as soon as the malware runs. Victims end up with all their files gone, whether or not they pay the ransom.
This is very different from the usual ransomware approach. Once the program has been installed, typically from an unsafe download or a phishing email, it encrypts all your personal files, leaving them unusable without the randomly generated decryption key. The malware then sets a deadline for paying a ransom in return for having the files decrypted. It’s effective and is proving to be a huge money-maker for cybercriminals: consumers, businesses and even hospitals are paying up to recover from infections.
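The difference between the two behaviours described above (files encrypted and held for a key, versus files simply deleted) is something a responder can check before anyone considers paying. The following is an added example, not code from the original article or from Talos: given a pre-incident inventory of file sizes (for instance from a backup manifest) it classifies each file on disk as missing, still present but near-random (the signature of real encryption), or intact. The file names, contents and the 7.5 bits/byte threshold are constructed assumptions for the demo.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: encrypted or well-compressed data sits close to 8.0 bits/byte,
# ordinary documents well below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(baseline: dict[str, int], root) -> dict[str, str]:
    """Compare a pre-incident inventory against the current disk state.

    baseline maps a relative path to its size in bytes before the incident.
    Verdicts:
      "missing"          - the file is gone, which is what a wiper leaves behind
      "likely_encrypted" - present but near-random content, i.e. real encryption
      "intact"           - present with ordinary-looking content
    """
    root = Path(root)
    verdicts = {}
    for rel in baseline:
        path = root / rel
        if not path.is_file():
            verdicts[rel] = "missing"
            continue
        data = path.read_bytes()
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            verdicts[rel] = "likely_encrypted"
        else:
            verdicts[rel] = "intact"
    return verdicts


def summarize(verdicts: dict[str, str]) -> dict[str, int]:
    """Count verdicts so a responder can see at a glance whether anything is recoverable."""
    return dict(Counter(verdicts.values()))


def _pseudo_ciphertext(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def run_demo() -> dict[str, str]:
    """Build a constructed sample tree (not real victim data) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        originals = {
            "docs/report.txt": b"Quarterly figures, see attached table.\n" * 40,
            "docs/photos.csv": b"id,name,taken\n1,beach.jpg,2016-07-01\n" * 30,
            "docs/deleted_by_wiper.txt": b"This file will be removed.\n" * 20,
        }
        baseline = {rel: len(content) for rel, content in originals.items()}
        for rel, content in originals.items():
            (root / rel).write_bytes(content)
        # Simulate genuine ransomware on one file (content replaced by ciphertext)
        # and a wiper in the Ranscam style on another (file simply deleted).
        (root / "docs/photos.csv").write_bytes(_pseudo_ciphertext(4096))
        (root / "docs/deleted_by_wiper.txt").unlink()
        return triage(baseline, root)


if __name__ == "__main__":
    result = run_demo()
    for rel, verdict in result.items():
        print(f"{verdict:18} {rel}")
    print(summarize(result))
```

An inventory full of "missing" verdicts and no "likely_encrypted" ones means there is no key to buy, so the decision is backup restoration, not payment. The entropy test is a heuristic: legitimately compressed files (archives, JPEGs) also score near 8.0, so treat "likely_encrypted" as a prompt to look at the file's header and extension rather than as proof on its own.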
Ranscam is interesting because of how it deviates from this model. Part of how ransomware has grown so quickly comes down to the grim kind of trust associated with it. Ransomware operators can’t start deleting files and then demanding ransoms, because the security industry and computer users would soon become wise to it and refuse to pay. For the business model to work, the files have to be recoverable on payment.
The creators of Ranscam appear uninterested in this, employing deception beyond what is typical even of ransomware operators. “Threat actors cannot simply be trusted and often use deception as a means to achieve their objective, which in this case is convincing victims to pay out,” said Talos Intelligence. “This is because they never intended on providing a means to retrieve or recover the victim’s files in the first place.”
Ranscam is not currently a widespread malware campaign. It appears to have been created by amateurs: the software used to display the ransom message is very basic, and the controlling web server is unprotected, its code left open to outside visitors. The creators seem to be after a quick profit, using crude malware to prey on unsuspecting victims.
Ranscam’s limitations make it relatively easy to clean up if you are infected. The malware’s own files can be removed by booting into Safe Mode and disabling the startup trigger it uses to launch itself. With that done, you should be able to recover your data by copying it back from a recent backup, provided that backup is held somewhere the infected machine could not have deleted it as well. If nothing else, Ranscam serves to emphasise the value of making regular backups of your valuable data, which protect you from this and the multitude of other threats online.