Don't pay Ranscam's ransom demand to recover your files because you're just throwing money out the window

Jul 13, 2016 21:05 GMT  ·  By

Ranscam is a new piece of ransomware discovered by security researchers from the Cisco Talos team that doesn't honor the unwritten rule of ransomware infections: to give the user back their files after they pay the ransom.

For many years, ransomware developers have strictly adhered to this rule, most of them revealing in interviews that their business would go down the drain if users lost trust in the possibility of recovering files after they pay.

As a result, cases where crooks did not deliver on their promise to decrypt files after receiving a ransom were rare, and most of them were due to software bugs in the ransomware, which the crooks eventually fixed in subsequent versions.

Unfortunately, this is not the case with Ranscam, which, in Cisco's view, is just a poorly-written product.

The first thing Ranscam does is to delete your files

The problem with Ranscam is that it deletes all your files after infecting your computer, right from the get-go. It is unknown if this is a bug or an intentional feature.

Ranscam not only deletes your files, but it also removes core Windows executables responsible for the System Restore feature, hard drive shadow copies, and several registry keys associated with booting into Safe Mode. It also modifies registry keys to disable Task Manager and alters the Keyboard Scancode Map.

All of this is done to make file recovery much harder and to prevent the ransomware from being removed from the infected computer.
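As an added example that is not part of this article or of Cisco Talos's analysis, the following read-only PowerShell triage script checks a Windows host for the kinds of tampering described above: a Task Manager policy lock, a Keyboard Scancode Map, missing Safe Mode boot keys, a missing System Restore executable, and the number of volume shadow copies left. The registry paths, value names, and the choice of rstrui.exe as the System Restore executable are assumptions based on standard Windows locations; the article names the features but not these exact keys or files.

```powershell
# Added example, not from the article or from Cisco Talos: read-only triage of a
# Windows host for the tampering the article attributes to Ranscam.
# Assumptions (labelled): the registry paths and value names below are the standard
# Windows locations for each feature, and rstrui.exe is taken to be the System Restore
# executable the article refers to. Run elevated for HKLM and shadow-copy visibility.

$findings = @()

# 1. Task Manager disabled by policy (DisableTaskMgr = 1 under HKCU or HKLM).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $policyKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($v -and $v.DisableTaskMgr -eq 1) {
        $findings += "Task Manager disabled by policy in $policyKey"
    }
}

# 2. Keyboard Scancode Map present. Some hosts set this legitimately (key remapping),
#    so it is reported as an indicator to review, not as proof of infection.
$kbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$map = Get-ItemProperty -Path $kbKey -Name 'Scancode Map' -ErrorAction SilentlyContinue
if ($map) {
    $hex = ($map.'Scancode Map' | ForEach-Object { $_.ToString('X2') }) -join ' '
    $findings += "Scancode Map is set: $hex"
}

# 3. Safe Mode boot keys. Windows ships both SafeBoot\Minimal and SafeBoot\Network;
#    if either is missing, booting into Safe Mode will fail.
foreach ($sub in 'Minimal', 'Network') {
    $safeKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub"
    if (-not (Test-Path $safeKey)) {
        $findings += "SafeBoot\$sub registry key is missing"
    }
}

# 4. System Restore executable (assumed: rstrui.exe) missing from System32.
$rstrui = Join-Path $env:SystemRoot 'System32\rstrui.exe'
if (-not (Test-Path $rstrui)) {
    $findings += "System Restore executable not found at $rstrui"
}

# 5. Volume shadow copies still present. Zero is normal on hosts that never had
#    System Protection enabled, so this is context for the other findings.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
$shadowCount = if ($shadows) { @($shadows).Count } else { 0 }

Write-Output "Volume shadow copies present: $shadowCount"
if ($findings.Count -eq 0) {
    Write-Output 'No tampering indicators found.'
} else {
    Write-Output 'Tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The script changes nothing on the host; it only reads registry values, tests file paths, and queries WMI, so it is safe to run during triage. A hit on several of these checks at once, especially a missing SafeBoot key together with a missing System Restore executable, is the pattern the article describes and is worth escalating rather than fixing by hand, since an attacker who deletes recovery tooling is typically also destroying the data those tools would have recovered.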

Once this is done, the ransomware shows its ransom note, which is nothing more than a JPEG image with two sections at the bottom where Ranscam shows a button and a Web form.

Ranscam tells users their files are in a "hidden partition"

The ransomware informs the user that their files are encrypted and moved into a hidden partition. This is all fake. By the time the victim reads this note, the files have already been gone for minutes, and because the ransomware deletes shadow volume copies, there's no way to recover them.

The button mentioned above is supposed to be pushed when the victim pays the 0.2 Bitcoin ransom at a specific wallet address. Cisco says this button is fake and doesn't do anything, so paying the ransom will not help victims.

Only the form at the right side of the button works, and it sends an email to the crooks. Cisco says that when its researchers contacted the Ranscam authors, the crooks were extremely friendly while trying to convince them to pay the ransom. Unfortunately, no amount of kind and polite words can change the fact that their "code" has already deleted all your personal files.

The good news is that Ranscam is not as widely distributed as other ransomware threats seen today, so it hasn't destroyed the lives and memories of too many users yet.

Ranscam ransom note