New Ransoc extortionists hunt for actual child abuse material

Brazen hackers actually accepting credit card payments

Hackers have unleashed a strain of scammer that activates on compromised computers when it encounters filenames containing strings that have been associated with child abuse clips and images.

Ransoc kicks in when it finds potential "evidence" of child abuse material or media files downloaded via torrents on the targeted machine. The malware will then customise the penalty notice threatening the victim with fake legal proceedings if he fails to pay the ransom, security firm Proofpoint reports.

The malware scrapes Skype and social media profiles for personal information while it scans files and torrents for potentially sensitive information. This info is used to put together a more convincing "pay up, or else" customised penalty notice featuring genuine information captured from Skype and social media profiles, including profile photos.

Scammers threaten to expose the collected "evidence" publicly unless their extortionate demands are met. Unlike most ransomware variants, the target here is the victim's reputation rather than his or her files, which are not encrypted.

Crooks behind the scam demand payment via credit card rather than harder-to-trace digital currency.

"Credit card payment is almost unheard of in ransomware schemes," Proofpoint notes. "While it removes the hassle and confusion for many victims associated with Bitcoin processing, it also potentially allows law enforcement to trace activity back to the cybercriminal more easily.

"This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement."

Ransoc is better considered as more potent variant of earlier law enforcement notice lock-up scams, where victims were confronted with a false notice claiming that they had downloaded illegal content. Ransoc actively targets those it assesses may have actually downloaded abhorrent content.

The Ransoc malware also includes code that may allow it to access a victim's webcam, according to Proofpoint, although it was unable to verify if this functionality worked in practice.

Ransomware in general is one of the most potent internet security threats and biggest money spinners for crooks over the last three years or so. As ransomware is so lucrative it is unsurprising that crooks have devised a different approach to bilking money from victims.

Thomas Fischer, threat researcher at Digital Guardian, commented: "Ransomware authors are trying to find new ways to make their attacks more convincing and to ensure the target is more likely to pay the ransom. The Ransoc variant is pushing the boundaries by going beyond the standard file encryption to incorporate social engineering techniques and targeting sensitive personal information. The end goal is still the same – to use as many tactics as possible to try to obtain money from the target." ®

Biting the hand that feeds IT © 1998–2020