Ransoc: a convincing threat

November 22, 2016

Imagine that your computer suddenly shows you a disturbing message: “It’s FBI. Illegal content has been detected on your device. You’ll be arrested for 20 years and fined for $200,000 unless you pay $100 in bitcoins.”

“Ha! — you’ll say. — Not so fast, ransomware! You aren’t getting a penny — instead I’ll use a special tool to remove you from my PC.”


Lockers like this were widespread between 2012 and 2014. Since then they have mostly moved to smartphones, where they are harder to deal with, while on PCs crypto-ransomware has taken their place.

Nonetheless, lockers have not left computers completely: they have evolved to use the most effective persuasion methods. The recently discovered Ransoc locker is an interesting example of that evolution.

The main difference between Ransoc and ordinary lockers is its much greater ability to persuade users. The ransomware blocks browsing and shows the victim’s personal data along with photos from social networks. In addition, the malware makes demands that look rather reasonable. How is that possible?

As soon as Ransoc infects the victim’s PC (usually it arrives from “adult” sites), it scans the hard drive for anything related to illegal content such as child pornography and pirated music or movies. Ransoc also checks the victim’s accounts on Skype, Facebook and LinkedIn. The Trojan uses this information to make the blackmail message sound personal.

As a result, victims receive creepy notifications that look very persuasive: here is their personal data, and here is the list of their illegal actions. Ransoc threatens to publish the user’s dirty laundry publicly, possibly on the victim’s own social network accounts. If the Trojan finds nothing, it doesn’t blackmail the victim at all. Many may see this as a kind of justice, vigilante style.

In addition, every 100 milliseconds Ransoc checks whether the user is trying to launch the regedit, msconfig or taskmgr utilities and kills those processes, so that victims are unable to remove it from the system.
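The polling-and-kill behaviour described above leaves a telltale pattern in process events: one process repeatedly terminating regedit, msconfig or taskmgr within a fraction of a second of their start. The following is an added detection example, not Ransoc's code or any vendor's detection logic; the log format, the process name `svchost_fake.exe`, the 500 ms lifetime and the three-kill threshold are all constructed assumptions.

```python
"""Flag processes that repeatedly kill admin tools right after they start.

Constructed log format (one event per line):
    <timestamp_ms>,<START|KILL>,<source_process>,<target_image>
"""
from collections import defaultdict

ADMIN_TOOLS = {"regedit.exe", "msconfig.exe", "taskmgr.exe"}
MAX_LIFETIME_MS = 500   # assumption: a tool killed within 0.5 s of starting is suspicious
MIN_KILLS = 3           # assumption: require three such kills from one source process

# Constructed sample: the user opens taskmgr, regedit and msconfig, and a
# hypothetical "svchost_fake.exe" kills each within ~100 ms (Ransoc-style).
# explorer.exe closing notepad after several seconds is benign.
SAMPLE_LOG = """\
1000,START,explorer.exe,taskmgr.exe
1090,KILL,svchost_fake.exe,taskmgr.exe
2000,START,explorer.exe,regedit.exe
2100,KILL,svchost_fake.exe,regedit.exe
3000,START,explorer.exe,msconfig.exe
3080,KILL,svchost_fake.exe,msconfig.exe
4000,START,explorer.exe,notepad.exe
9000,KILL,explorer.exe,notepad.exe
"""


def parse_events(text):
    """Parse the constructed log into (timestamp_ms, event, source, target) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, source, target = line.split(",")
        events.append((int(ts), event.upper(), source, target.lower()))
    return events


def find_tool_killers(events):
    """Return {source: [killed admin tools]} for sources killing tools fast and often."""
    last_start = {}             # target image -> timestamp of its most recent START
    kills = defaultdict(list)   # source process -> admin tools it killed quickly
    for ts, event, source, target in sorted(events):
        if event == "START":
            last_start[target] = ts
        elif event == "KILL" and target in ADMIN_TOOLS:
            started = last_start.get(target)
            if started is not None and ts - started <= MAX_LIFETIME_MS:
                kills[source].append(target)
    return {src: targets for src, targets in kills.items() if len(targets) >= MIN_KILLS}


if __name__ == "__main__":
    print(find_tool_killers(parse_events(SAMPLE_LOG)))
```

On the sample above, only `svchost_fake.exe` is reported; explorer.exe closing notepad does not match because notepad is not an admin tool and it ran for seconds.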

The other interesting thing about Ransoc is that the criminals are willing to receive the ransom via bank transfer. On one hand, this makes it easier to trace who is behind the whole fraud. On the other hand, the criminals pretend to be FBI representatives, and in that role a bank transfer looks more convincing than bitcoins.

All in all, Ransoc is a kind of locker 2.0: an improved and updated version of malware that was popular three years ago.

There are two powerful methods to stop lockers.

1. Keep calm and don’t fall for the social engineering tricks. These messages are not from law enforcement, no matter what they claim: they come from cybercriminals who have made their malware a little more advanced.

2. Use a reliable security solution on your devices. Kaspersky Internet Security detects Ransoc and stops it before it gathers data and tries to blackmail you. If your device is infected with this Trojan, you can remove it with the help of Kaspersky Internet Security as well.

If you want to know more about different kinds of ransomware and how to oppose them, read this post.