Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

7/11/2016
05:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New ‘Ranscam’ Ransomware Lowers The Bar But Raises The Stakes

Cisco Talos researchers discover new variant that doesn't decrypt your files after you pay up--it has already deleted them.

Ransomware variants are multiplying like rabbits: while some are more sophisticated and tougher to combat, others are more about scamming than kidnapping. Take the new Ranscam malware discovered by Cisco’s Talos team, a low-tech but highly destructive attack that demands ransom from its victims but never returns them their files because it actually deleted them.

Ranscam isn’t the first ransomware variant to destroy files rather than return them after victims pay up—there’s AnonPop and JIGSAW, for example—but it’s a glaring example of how the ransomware scam itself is so lucrative and easy to pull off that less sophisticated attackers are jumping in the game. It’s also a cautionary tale for victims counting on getting their files back when they hand over those Bitcoins.

The lack of crypto in the attack, despite promises of decryption if the victim pays up, also demonstrates that Ranscam is nowhere near as complex or advanced as Cryptowall and other ransomware attacks, the researchers say. It’s more like its name suggests: it’s a ransomware scam to make money quickly.

"Compared to other true ransomware variants such as Cryptowall which spend a significant amount of time and effort developing new functionality and features, Ranscam appears to indicate that smaller, less-funded threat actors are joining the game, attempting to quickly get a piece of the pie," says Earl Carter, security research engineer at Cisco Talos.

It's also yet another example of why solid backups can save the day in a ransomware attack. "Ranscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place rather than a sound ransom payout strategy,” the Talos team wrote in a blog post today. “Not only does having a good backup strategy in place help ensure that systems can be restored, it also ensures that attackers are no longer able to collect revenue that they can then reinvest into the future development of their criminal enterprise.”

Ranscam pushes the victim the usual ransom note upon infection, claiming to have moved the files to a “hidden, encrypted partition.” The Talos team says it dug around and found that some $278 had been paid to a wallet address provided by the attackers, but no additional transactions had occurred with it since late last month.

The attack appears to be limited, and relies mainly on using fear to solicit victims to pay the ransom. The attackers even had a few mishaps in their payment screen process, Talos found.

And the good news with Ranscam is that it isn't likely to have a long lifespan as a threat. "The payout is likely to die away quickly because of [its] bad reputation" in deleting files, notes Talos' Carter.

Cisco Talos recommends a backup solution that lets you restore an infected system to “a known-good configuration as quickly as possible.” That way, ransomware won’t be so popular and useful to attackers.

Related Content:

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Faye___Kane
100%
0%
Faye___Kane,
User Rank: Strategist
7/30/2016 | 6:39:16 PM
Re: Ranscams and Ransomware can go down together
 

You'd think that every business would already back up it's stuff, but nooo.

One summer, I babysat the 12 users at a small company when I discovered, to my horror, that the server had never been backed up in seven years(!)

I repeatedly begged the owner, who wore a gold slab around his neck, to buy a $100 tape drive, but he wouldn't spend the money. I finally shut up about it when he got mad at my asking.

When the sys crashed the next month, I drove home depressed. "What would an IT manager at a real company have done to prevent this?  Asked again? Paid for it himself?

The next day, I was fired because I predicted it, and everyone assumed I sabotaged the server to prove my point.

Worse, I'm sure I could have recovered the data if he had let me get near it.

THESE are the people we try so hard to protect.

 
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/12/2016 | 11:29:16 AM
Re: Ranscams and Ransomware can go down together
That would be nice, wouldn't it? But the seasoned ransomware attackers aren't going anywhere until orgs of all sizes do a better job at backups so they don't have to pay, and do a better job of user awareness training.
AndrewfOP
100%
0%
AndrewfOP,
User Rank: Moderator
7/12/2016 | 11:21:18 AM
Ranscams and Ransomware can go down together
"..the good news with Ranscam is that it isn't likely to have a long lifespan as a threat..."

 Quite frankly, I would prefer Ransams can stick around long enough to drag Ransomwares down with it.  If Ransams, purported to be 'reputed' Ransomware, receive the ransoms, but fail to deliver the goods anyway, 'customers' would be wised to the idea that paying ransoms are no guarantees of getting the files back.  Only good backups and no ransoms are the best strategy against Ranscams and Ransomwares.  We can then be rid of the Ransomware pandemics.

 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industry’s conventional wisdom. Here’s a look at what they’re thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.