Security researchers have discovered a new ransomware variant designed to harvest social and comms data and scan for evidence of child exploitation and pirated content in a bid to guarantee payment of the ransom.
Proofpoint explained that “Ransoc” has more in common with the “Police Locker” malware popular between 2012 and 2014 than with the crypto-ransomware that dominates today.
Analysing the Windows binary in a sandbox environment, the team discovered it scans local media filenames for strings associated with child pornography, and connects with Facebook, LinkedIn and Skype profiles to harvest data.
The penalty notice it then flashes up to the victim is directly related to material it has discovered on their machine, which presumably will be enough to scare them into paying up.
If it’s not, the malware also displays genuine data from their social media accounts, further adding authenticity to the demand.
“It appears that this penalty notice only appears if the malware finds potential evidence of child pornography or media files downloaded via torrents and customizes the penalty notice based on what it finds,” said Proofpoint.
“It threatens to expose the collected ‘evidence’ to the public, with legitimate social profile information being used as a social engineering lure to convince victims that sensitive information may actually be at risk of exposure.”
Interestingly, the payment method is not via Bitcoin or similar, but regular credit card.
Usually this would give the victim the opportunity to bring in the police in order to trace the money back to the cyber-criminals, but in this instance the attackers are banking on the victim not wanting to incriminate themselves.
“This theory is further bolstered by the fact that most victims encounter this malware via malvertising on adult websites and the penalty notice only appears when Ransoc encounters potential evidence of illegally downloaded media via BitTorrent and certain types of pornography,” Proofpoint continued.
“To encourage payment, the ransom note also claims that money will be sent back if the victim is not caught again in the 180 days.”