New Form of Ransomware Uses Social Media to Customize Demands

A new form of ransomware is reported to have been found that uses a person’s social media and computer files to customize a demand, according to cybersecurity researchers at Proofpoint.

Called ‘Ransoc’ by the researchers because of its connection to social media, they found that the malware was scanning local media filenames and running several routines by interacting with Skype, LinkedIn, and Facebook profiles, infecting the system through Internet Explorer on Windows and Safari on OS X.

What’s interesting about this new type of ransomware is the fact that unlike ransomware such as Locky, which encrypts a person’s files before demanding payment, Ransoc customizes its demands to its victims.

After scanning a person’s computer files and social media to find potentially incriminating evidence, it then sends a penalty notice, threatening victims with court action if the amount isn’t paid.

As it doesn’t encrypt a person’s files, the ransomware relies on a victim’s fear to pay the money straight away.

According to Proofpoint, though, this type of penalty notice threat was widespread during 2012 and 2014; however, since then the focus has been on crypto ransomware and other malware as a way of scamming victims out of their money.

Interestingly, enough, the team at Proofpoint discovered that the penalty notice only appeared if the malware was able to locate incriminating evidence on the computer. If, however, the file name was manually changed no penalty notice was triggered.

Not only that, but the team found that instead of demanding the payment in bitcoin, which is what the vast amount of cybercriminals using malware demand, this one demanded payment with a credit card. Unlike bitcoin, which gives criminals anonymity, the use of a credit card means that law enforcement can potentially trace the money back to the criminals a lot easier.

The fact that this method is used could suggest that the cybercriminals are happy in the belief that the victims have too much to hide to seek out help from the police. To encourage payment, though, the ransom note states that the money will be sent back to the victim if they are not caught again in 180 days.

It’s safe to say that repayment never happens.

All, it seems, is not lost.

According to Proofpoint, the Ransoc only employs a registry autorun key to persist, so rebooting in Safe Mode should allow users to remove the malware.

Featured image from Shutterstock.