Ransoc targets Windows OS and is distributed via malvertising campaigns and exploit kits on adult websites. Once a system is infected, Ransoc does not actually encrypt any files. Instead, it scans the infected system for data related to social media profiles such as Facebook and LinkedIn, instant messaging clients such as Skype, torrent files, and strings associated with child pornography. It also collects the victim’s IP address and WiFi information and includes code that suggests it can access the system’s webcam, but, according to researchers, this capability has not yet been verified.

If Ransoc finds child pornography or media files downloaded via torrents, it locks the system’s screen and displays a custom note that threatens to make the information public and take the “case” to trial. The note states a penalty amount the victim should pay to avoid punishment, along with a payment due date and a countdown timer. This ransomware variant is unusual in that it does not request payment in Bitcoin but instead accepts direct credit card payments from the victim. Since the actors behind this campaign are targeting victims who download illegal content, they very likely expect victims to pay the ransom quietly rather than report the incident to law enforcement.

Ransoc maintains persistence through a registry autorun key and by killing the processes for Task Manager, RegEdit, and MSConfig. However, booting the system into Safe Mode should allow the victim to remove the infection.
- Proofpoint provides more information about Ransoc here.
- Since no files are encrypted, no decryption keys or tools are needed. Booting the infected system into Safe Mode should allow the victim to remove the malware.