Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ransoc Ransomware Blackmails Victims

A newly observed piece of ransomware isn’t targeting files to encrypt as most threats in this category do, but rather scrapes Skype and social media profiles for personal information to encourage victims to pay the ransom.

A newly observed piece of ransomware isn’t targeting files to encrypt as most threats in this category do, but rather scrapes Skype and social media profiles for personal information to encourage victims to pay the ransom.

Dubbed Ransoc, the malware connects to social network accounts found on the infected computer, including LinkedIn, Facebook, Skype, and others. Next, the malware searches for torrent files and other content that could point to illegal activity and then displays a ransom note tailored to the findings.

The Ransoc malware, security researchers say, is targeting Windows computers, but it is related to a browser locker that functions cross-platform. The browser locker was spotted in the United States in late October, being distributed through malvertising traffic and targeting Internet Explorer on Windows and Safari on OS X.

While analyzing the threat, Proofpoint security researchers discovered that the threat performs an IP check and sends all traffic through the Tor network. Moreover, they noticed that the malware displays a Penalty Notice only if potential evidence of child pornography or media files downloaded via torrents is found on the infected machine.

Ransoc Ransomware Penalty Notice

Because it connects to the victim’s social network accounts, the malware customizes the ransom message with accurate data, including profile photos. Victims are threatened that the collected “evidence” would be exposed to the public, and the legitimate social profile information serves as social engineering lure to trick users into believing that sensitive information might actually be at risk.

Ransoc’s code also revealed the ability to access webcams connected to the infected machine, but the security researchers say that the function wasn’t seen active. By threatening the victims with fake legal proceedings if they didn’t pay the ransom, the malware was clearly focused more on people’s reputation than on their files.

The displayed ransom message is a full-screen window that functions like a browser locker application, and which prevents the user from accessing their operating systems or closing the browser window. Additionally, Ransoc checks every 100ms for regedit, msconfig, and taskmgr, and kills their processes, thus preventing the victim from disabling it.

Fortunately, Proofpoint discovered that Ransoc only uses a registry autorun key for persistency. As a result, user can remove the infection by rebooting the computer in Safe Mode. Ransoc’s developer also took a bold approach by using credit card payments for the ransom, which are unusual in when it comes to ransomware, because they could allow law enforcement to trace activity back to the cybercriminal more easily.

“This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement. In fact, while Ransoc may seem to be motivated by vigilantism against genuine criminals, the motives are likely less-than-altruistic, as the attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of payment,” Proofpoint says.

This theory is also sustained by the fact that this piece of malware is distributed via malvertising on adult websites and because the penalty notice is displayed only if Ransoc encounters potential evidence of illegally downloaded media and certain types of pornography. The ransom note also claims that money will be sent back if the victim is not caught again in the 180 days.

Related: CryPy Ransomware Uses Unique Key for Each File

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.