Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Ransoc Ransomware Blackmails Victims

A newly observed piece of ransomware isn’t targeting files to encrypt as most threats in this category do, but rather scrapes Skype and social media profiles for personal information to encourage victims to pay the ransom.

A newly observed piece of ransomware isn’t targeting files to encrypt as most threats in this category do, but rather scrapes Skype and social media profiles for personal information to encourage victims to pay the ransom.

Dubbed Ransoc, the malware connects to social network accounts found on the infected computer, including LinkedIn, Facebook, Skype, and others. Next, the malware searches for torrent files and other content that could point to illegal activity and then displays a ransom note tailored to the findings.

The Ransoc malware, security researchers say, is targeting Windows computers, but it is related to a browser locker that functions cross-platform. The browser locker was spotted in the United States in late October, being distributed through malvertising traffic and targeting Internet Explorer on Windows and Safari on OS X.

While analyzing the threat, Proofpoint security researchers discovered that the threat performs an IP check and sends all traffic through the Tor network. Moreover, they noticed that the malware displays a Penalty Notice only if potential evidence of child pornography or media files downloaded via torrents is found on the infected machine.

Ransoc Ransomware Penalty Notice

Because it connects to the victim’s social network accounts, the malware customizes the ransom message with accurate data, including profile photos. Victims are threatened that the collected “evidence” would be exposed to the public, and the legitimate social profile information serves as social engineering lure to trick users into believing that sensitive information might actually be at risk.

Ransoc’s code also revealed the ability to access webcams connected to the infected machine, but the security researchers say that the function wasn’t seen active. By threatening the victims with fake legal proceedings if they didn’t pay the ransom, the malware was clearly focused more on people’s reputation than on their files.

The displayed ransom message is a full-screen window that functions like a browser locker application, and which prevents the user from accessing their operating systems or closing the browser window. Additionally, Ransoc checks every 100ms for regedit, msconfig, and taskmgr, and kills their processes, thus preventing the victim from disabling it.

Fortunately, Proofpoint discovered that Ransoc only uses a registry autorun key for persistency. As a result, user can remove the infection by rebooting the computer in Safe Mode. Ransoc’s developer also took a bold approach by using credit card payments for the ransom, which are unusual in when it comes to ransomware, because they could allow law enforcement to trace activity back to the cybercriminal more easily.

“This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement. In fact, while Ransoc may seem to be motivated by vigilantism against genuine criminals, the motives are likely less-than-altruistic, as the attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of payment,” Proofpoint says.

This theory is also sustained by the fact that this piece of malware is distributed via malvertising on adult websites and because the penalty notice is displayed only if Ransoc encounters potential evidence of illegally downloaded media and certain types of pornography. The ransom note also claims that money will be sent back if the victim is not caught again in the 180 days.

Related: CryPy Ransomware Uses Unique Key for Each File

Related: DXXD Ransomware Encrypts Files on Unmapped Network Shares

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.