This ransomware uses your social media profiles to personalise its demands

Brazen desktop locker campaign uses social media info to make its threat more compelling to victims.
Written by Danny Palmer, Senior Writer

A newly discovered form of ransomware scrapes the social media accounts and local files of victims in order to tailor a customised demand, and threatens court action if it isn't paid.

Dubbed 'Ransoc' by cybersecurity researchers at Proofpoint due to its connection with social media including Facebook, LinkedIn, and Skype, this ransomware represents yet another evolution of the malicious software which has boomed during 2016.

It isn't the first ransomware variant to use social engineering in an attempt to scare the victim into paying up, but Ransoc is unique in how it attempts to turn the users' files against them -- especially if illegally downloaded files are on the system.

Perhaps because it focuses on exploiting this fear, Ransoc doesn't encrypt the victims' files in the same way as ransomware like Locky does, but rather makes its demands via the desktop or browser after infecting the system through malvertising traffic aimed at Internet Explorer on Windows and Safari on OS X.

It might appear basic or dated compared to more sophisticated forms of ransomware -- desktop locking malware saw its heyday between 2012 and 2014 -- but Ransoc is built to search the victim's hard drive and social media accounts for data to use in its scheme. That data will then be used to tailor a ransom note featuring images from their Facebook and LinkedIn accounts disguised as a threat of legal action against the victim


Researchers observed Ransoc stealing data from social media accounts.

Image: Proofpoint

Indeed, Proofpoint researchers discovered one variant of the penalty notice is only displayed when Ransoc suspects the victim has files containing illegal images or media files downloaded via torrents. In this case, Ransoc threatens the victim into paying a fine, or face the risk of any files being made public in a court case. Ultimately, Ransoc is preying on the victim's reputation rather than their files.

Unlike the majority of ransomware schemes, which now demand payments in the untracable Bitcoin cryptocurrency, those behind Ransoc have opted to make victims pay with their credit card.


Ransoc demands a payment via credit card, not Bitcoin.

Image: Proofpoint

To encourage payment, the actors behind Ransoc say they'll send the money back if the victim isn't caught again in 180 days -- but obviously the money never returns.

But there is another way Ransoc victims can remove the desktop locker; the malware only uses a registry autorun key to persist, so rebooting in Safe Mode should allow users to remove it.

Read more on cybercrime

Editorial standards