A new ransomware virus named Ransoc was discovered recently. The malicious program employs a different strategy from the usual one. Most ransomware infections encrypt files and demand a ransom to have them restored. Ransoc leaves the files intact. Instead, the virus puts the blame on the end user for viewing and downloading questionable content. The ransom note is presented as a “penalty notice”.
Ransoc can be filed under the category of police ransomware. This classification is for ransomware programs which misrepresent the legal authorities, accusing the victim of committing a crime.
Ransoc was first examined by the malware research team of the Nepalese company Rigo Technology. The firm published a general report on the virus to alert the public. The next organization to analyze the infection was Proofpoint. Its researchers compiled a detailed report which sheds more light on the properties of the program.
The analysis of Proofpoint revealed the propagation vectors of Ransoc. The virus was found to use malvertising campaigns on adult websites.
The first instance of a Ransoc infection was traced back to late October. Frank Ruiz of Fox-IT InTELL discovered a malvertising campaign distributing a browser locker whose message was visually similar to the Ransoc ransom note. This is believed to be an early variant of the infection. The browser locker was found to target a specific niche: it only affected Windows users who surfed the web with Internet Explorer and Mac users who browsed with Safari.
The current version of Ransoc ransomware has been distributed since early November. It only targets Windows users.
Ransoc victims are threatened with legal actions
As we alluded to earlier, Ransoc uses a different approach. Unlike the vast majority of ransomware infections, it does not encrypt files. Rather, the virus notifies the person that he has been convicted of certain crimes.
Since Ransoc is distributed through adult websites, the most common charge is viewing or possessing child pornography. The virus scans the user’s browsing sessions and the files on his computer, looking for content which can be categorized as underage pornography.
Another common offense Ransoc charges users with is copyright infringement. The ransomware can access the data from your hard drive and conduct a scan to check if it is copyrighted. It will determine which files do not have the required copyright stamp.
Ransoc contains separate code used to scan the hard drive, the browser and the Wi-Fi information. The virus can access social media profiles (like Facebook, Twitter, LinkedIn, etc.), messenger tools (like Skype, Telegram Messenger, etc.) and torrent files. The furtive program gathers details from the person’s online profiles and uses them in the ransom note.
Ransoc can record your full name, nicknames on websites and messengers, your physical coordinates, birth date, email, telephone number, IP address, photos and other personal input. The gathered data is placed in the penalty notice to attest that your identity has been uncovered.
A separate function allows the clandestine program to determine which files have been downloaded through a torrent client. Ransoc also has a feature for accessing the webcam. This activity crosses the line of decency and breaches people’s privacy.
Ransoc lists personal details about the victim in the penalty notice, making it seem legitimate. The ransomware can include your personal photo, links to your social media profiles, your full name, date of birth, physical address and a Google map with your coordinates.
The message gives the convict a chance to redeem himself by paying a settlement penalty. The sum is determined according to the offense the person has been charged with and varies from victim to victim. Ransoc gives a tight deadline for completing the settlement. This is done to pressure victims and deny them the time to seek advice on the matter. The final date for making the payment is listed in the ransom note, alongside a countdown clock.
The cyber criminals behind Ransoc can be tracked down
If you are a victim of Ransoc who has made the payment, it may not be too late to seek recourse. This ransomware differs from the majority in the way it handles payments. Most encryption viruses use the bitcoin cryptocurrency to collect ransoms. This allows the cyber crooks behind them to protect their identity, as bitcoin addresses are not tied to a verified identity.
Ransoc uses a more conventional payment method. Users are asked to make a direct credit card payment. The transaction can be traced to reveal the identity of the recipient. Since the ransomware poses as the legal authorities, the people who pay would not be aware that the message comes from cyber thieves.
As Proofpoint stated, “By incorporating data from social media accounts and Skype profiles Ransoc creates a coercive, socially engineered ransom note to convince its targets that they are in danger of prosecution for their browsing habits and the contents of their hard drives. The attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of payment.”
The developers behind Ransoc rely on the nature of the accusations in the ransom note. Faced with charges of this kind, victims are unlikely to file a complaint. There is still a risk for the attackers, of course. If you are a victim, you can report the hackers to your local police department.
How to delete Ransoc desktop locker?
The window Ransoc displays on the screen blocks access to the desktop. The malevolent program takes measures to prevent users from terminating the process which runs the desktop locker. Ransoc checks whether the user has started applications like Task Manager, MSConfig and RegEdit, and terminates them when detected. The check runs every 100 milliseconds, which makes it impossible for the user to disable the desktop locker from a normal session.
To eradicate the malicious process, you have to reboot your computer in Safe Mode. Then locate the registry value which is used to load the desktop locker and delete it. The value in question is: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaErrorHandler
This registry value points to a shortcut file called JavaErrorHandler.lnk. Proofpoint elaborated that this file holds the location of the Ransoc executable. You can view it in the shortcut’s properties by right-clicking the file and selecting Properties from the context menu. Once you have discovered where the malicious executable is stored, navigate to the folder in question and delete it.
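As an added example that is not part of the original article or of Proofpoint’s report, the following PowerShell script performs the same inspection from Safe Mode: it reads the Run value named above, resolves the shortcut it points to, records the target’s hash for your incident notes and, only when $Remove is set, deletes the value, the shortcut and the executable. It assumes that the Run value’s data is the quoted or unquoted path of JavaErrorHandler.lnk; the variable names are my own.

```powershell
# Added example, not the article's or Proofpoint's code. Run in Safe Mode,
# since in a normal session the locker kills admin tools every 100 ms.
# Dry run by default: set $Remove = $true only after reviewing the output.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'JavaErrorHandler'      # Run value named in the article
$Remove    = $false

$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props -or -not $props.PSObject.Properties[$valueName]) {
    Write-Output "No '$valueName' value under $runKey; nothing to do."
    return
}

$runData = $props.$valueName
Write-Output "Run value data: $runData"

# Assumption: the value data is the (possibly quoted) path of the .lnk file.
$lnkPath = [Environment]::ExpandEnvironmentVariables($runData.Trim('"'))
$target  = $null

if ($lnkPath -like '*.lnk' -and (Test-Path -LiteralPath $lnkPath)) {
    # Resolve the target the same way the shortcut's Properties dialog does.
    $shell    = New-Object -ComObject WScript.Shell
    $shortcut = $shell.CreateShortcut($lnkPath)
    $target   = $shortcut.TargetPath
    Write-Output "Shortcut target: $target (arguments: $($shortcut.Arguments))"

    if ($target -and (Test-Path -LiteralPath $target)) {
        # Record a hash before deleting anything, for the incident record.
        $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        Write-Output "SHA256 of target: $hash"
    }
} else {
    Write-Output "Run value does not point to an existing .lnk file; inspect manually."
}

if ($Remove) {
    Remove-ItemProperty -Path $runKey -Name $valueName
    if ($lnkPath -and (Test-Path -LiteralPath $lnkPath)) { Remove-Item -LiteralPath $lnkPath -Force }
    if ($target  -and (Test-Path -LiteralPath $target))  { Remove-Item -LiteralPath $target  -Force }
    Write-Output "Removed the Run value, the shortcut and the target executable."
}
```

Keep the recorded hash and paths: they are what you would hand to law enforcement or your security vendor along with the credit card payment details mentioned above.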