Ransoc is ransomware that searches the victim’s drive for social media profiles and files that may be illegal or embarrassing. It locks up the computer and threatens the user with fines and prison, demanding a credit card payment.
A new form of ransomware hits its victims with a new and nasty twist.
Unlike the best-known ransomware, Ransoc doesn’t encrypt its victims’ files. Instead, it searches the drive for two things: social media accounts, and files that might be illegal or embarrassing.
Threats of prosecution and exposure
When it’s got this information, Ransoc locks up the computer and displays a message that claims to be from the “Bailiffs Service,” whatever that is. It threatens the user with fines and prison. For some reason, though, this supposed law enforcement agency will be satisfied with a few hundred dollars, paid by credit card.
You’d think that would be an obvious sign that it’s fake. There’s no US government agency called the Bailiffs Service. The government doesn’t present charges by locking up computers. It doesn’t settle cases without bringing charges first. It acts through named agencies and courts. Some people are just easily intimidated, and perhaps they aren’t very familiar with how the law works.
The notice does try to improve its plausibility, by displaying information from the user’s Skype, LinkedIn, and Facebook profiles. That could make the victim think their browsing habits will get publicized on social media sites, whether the threat is from the government or not. The malware actually checks for suspicious files, even if all it’s examining is the file names. The user sees a personalized notice with some connection to what’s actually on the computer, and that can be scarier than a generic demand.
There’s actually no need to be scared. All the threats appear to be bluffs. It isn’t even very hard to unlock the computer and remove the malware. It kills processes that would block malware, but rebooting the computer in safe mode allows removal. Ransoc relies on a panic reaction.
Weird features and protective measures
A strange feature is that Ransoc demands payment not through an anonymous channel such as Bitcoin, but by credit card. It seems unlikely that the blackmailer’s account will stay in business very long. Perhaps the perpetrators thought that people would be afraid to report the extortion.
It’s been spread mainly by ads on adult websites. This approach doesn’t necessarily require any user action beyond opening the page that holds the ad, so warnings not to click on dubious items may not help. Besides, how do you tell what’s dubious when the whole page is porn?
The best protection measures are security software and a calm head. Up-to-date security software should keep Ransoc from running if it gets onto your computer. An ad blocker limits the ability of ads to run scripts on your browser and may help keep you safe. If you do get hit by it, remember that it’s bluffing and that you can remove it.
Ransomware that encrypts files is a serious threat, but Ransoc goes for the gut reaction. Its creators hope you’ll pay first and think later. Don’t give them that satisfaction.