A new infection being distributed by porn sites tries to blackmail a victim into paying a ransom by claiming it will tell law enforcement that the victim is spreading child porn. To make the threat credible, it collects information about the user, including screenshots of their active desktop, in order to catch them in compromising situations.

It was first discovered via a post on Reddit where the author stated that they had downloaded a file from a porn site named Xvideos. Once run, it created a ransom note but did not encrypt any files.

Reddit Post about PornBlackmailer

Based on the information in the post I was able to find a sample of the infection and analyze it. While it does not encrypt a victim's files or upload any data to a remote site, it does an adequate job of scaring a victim into paying the blackmail demand.

PornBlackmailer tries to scare you into paying demands

For the duration of this article, I will be calling the infection PornBlackmailer for lack of a better name. Though the string "HowSexWithDolls" was in each of the three samples I was able to find, I cannot confirm that it is a specific name for this infection or just a campaign name.

While I was not able to find the malware actually being offered by any porn sites, I was able to find three different samples, with the first one being compiled on January 8th at around midnight. These samples all ended with the .scr extension to masquerade as a Windows screensaver.

When started, PornBlackmailer will create a folder at %UserProfile%\AppData\Roaming\Robin\server_logs and store in it various files describing your computer and your location, copies of your browser history, and four screenshots of your active desktop.

Server-logs Folder

First it collects information such as your computer name, account name, other computer details, and a geographic location derived from your IP address and your network adapter's MAC address. This information is saved in the your_information.txt file.

Your_information.txt File

If it is able to determine your geographic region, it will connect to a variety of sites in order to create an image of your location via Google Maps. This image is saved as your_location.jpg.

It then creates copies of your browser cookie files and saves them in the browser-cookies folder.

Browser Cookies Folder

It then takes four screenshots of your active desktop, spread out over a period of about 10 seconds. As this program is downloaded from a porn site, the author is probably assuming that you are still browsing the porn site, hoping to catch you in the act and use the potentially compromising screenshots as further leverage to get you to pay.

Screenshots Folder

PornBlackmailer will then change your desktop background to one that describes what happened and where to find the compromising information stored in the server-logs folder.

Desktop Background

Finally, the blackmailware will create numerous READ_ME.txt files on the Windows desktop stating that the victim was caught in the act of watching and spreading child pornography. It goes on to state that if a blackmail demand of .1 bitcoins is not paid, the attacker will send the victim's information to the police.

Blackmail Note

When creating these notes, the infection randomly picks a bitcoin address from a list embedded in the executable. Across the addresses in that list, 3 people have paid the blackmail, which is worth about $3,350 USD at today's prices.

The current list of bitcoin addresses used by PornBlackmailer, and the payments received by each, is:

Blackmailware and Scare Tactics may be more efficient than Ransomware

While the number of payments is fairly low, it does show that this can be an effective and efficient way for a criminal to generate revenue. With traditional ransomware, a developer has to communicate with their victims, process payments, manage encryption keys, and maintain Command & Control servers.

Blackmailware, on the other hand, only has to paint a picture convincing enough to scare a victim into paying a small demand in exchange for the attacker's silence. Screenshots are especially effective: if they are compromising in any way, they could be the tipping point between refusing to pay and paying.

IOCs

PornBlackmailer Hashes:

a3e8b2a7399fd333e965dbc5f463a270efe9d9b35d0e314ec0a5c7a3e0eae4fe
c932638dc6f55ca6e33f0dfc4b09945b19910a1c8bb44934ff22ea6e2cb60653
7e08b7b5f3fec3b3c6099d5ccfc50734c153b7d98f2648961fcb88760396a064

Files associated with PornBlackmailer:

%UserProfile%\AppData\Roaming\bg_robin.jpg
%UserProfile%\AppData\Roaming\Robin\
%UserProfile%\AppData\Roaming\temps.exe
%UserProfile%\Robin\
%UserProfile%\Robin\server_logs
%UserProfile%\Robin\server_logs\browser-cookies
%UserProfile%\Robin\server_logs\browser-cookies\firefox-cookies.sqlite
%UserProfile%\Robin\server_logs\browser-cookies\google-chrome-cookies
%UserProfile%\Robin\server_logs\browser-cookies\google-chrome-history
%UserProfile%\Robin\server_logs\desktop_screens\
%UserProfile%\Robin\server_logs\desktop_screens\desktop_[time].jpg
%UserProfile%\Robin\server_logs\desktop_screens\desktop_[time].jpg
%UserProfile%\Robin\server_logs\desktop_screens\desktop_[time].jpg
%UserProfile%\Robin\server_logs\desktop_screens\desktop_[time].jpg
%UserProfile%\Robin\server_logs\READ_ME.txt
%UserProfile%\Robin\server_logs\your_information.txt
%UserProfile%\Desktop\READ_ME.txt
%UserProfile%\Desktop\READ_ME_1.txt
%UserProfile%\Desktop\READ_ME_2.txt
%UserProfile%\Desktop\READ_ME_3.txt
%UserProfile%\Desktop\READ_ME_4.txt
%UserProfile%\Desktop\READ_ME_5.txt
%UserProfile%\Desktop\READ_ME_6.txt
%UserProfile%\Desktop\READ_ME_7.txt
%UserProfile%\Desktop\READ_ME_8.txt
%UserProfile%\Desktop\READ_ME_9.txt

PornBlackmailer Network Communication:

maps.googleapis.com/maps/api/geocode/json?latlng=
mobile.maps.yandex.net/cellid_location/?wifinetworks=
iplogger.com/1zHjN6
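As an added triage example (not code from the original article), the following Python script checks one user profile directory for the host-based indicators listed above: the dropped files, READ_ME*.txt notes on the desktop containing phrases from the blackmail note, and any .scr file whose SHA-256 matches one of the three sample hashes. The profile layout it inspects is assumed from the IOC list (both the %UserProfile%\Robin and %UserProfile%\AppData\Roaming\Robin locations are checked), and build_demo_profile() builds a constructed, not real, infected layout so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 hashes of the three samples listed in the IOC section above.
KNOWN_HASHES = {
    "a3e8b2a7399fd333e965dbc5f463a270efe9d9b35d0e314ec0a5c7a3e0eae4fe",
    "c932638dc6f55ca6e33f0dfc4b09945b19910a1c8bb44934ff22ea6e2cb60653",
    "7e08b7b5f3fec3b3c6099d5ccfc50734c153b7d98f2648961fcb88760396a064",
}
# Drop locations from the IOC list, relative to the user profile directory.
ARTIFACT_PATHS = (
    "AppData/Roaming/bg_robin.jpg",
    "AppData/Roaming/temps.exe",
    "AppData/Roaming/Robin/server_logs",
    "Robin/server_logs/your_information.txt",
)
# Phrases taken from the blackmail note quoted on this page.
NOTE_MARKERS = ("forbidden children's porn", "Send 0.01 BTC", "server_logs")


def triage_profile(profile):
    """Return findings for one user profile: dropped files, desktop notes, known .scr samples."""
    profile = Path(profile)
    findings = []
    for rel in ARTIFACT_PATHS:
        if (profile / rel).exists():
            findings.append("artifact: " + rel)
    # READ_ME.txt and READ_ME_1.txt .. READ_ME_9.txt on the desktop
    for note in sorted((profile / "Desktop").glob("READ_ME*.txt")):
        if any(m in note.read_text(errors="ignore") for m in NOTE_MARKERS):
            findings.append("note: " + note.name)
    # The samples masquerade as .scr screensavers; hash any found against the known set.
    for scr in profile.rglob("*.scr"):
        if hashlib.sha256(scr.read_bytes()).hexdigest() in KNOWN_HASHES:
            findings.append("sample: " + scr.name)
    return findings


def build_demo_profile():
    """Constructed (not real) profile layout mimicking an infected host, for offline testing."""
    root = Path(tempfile.mkdtemp())
    (root / "Robin" / "server_logs").mkdir(parents=True)
    (root / "Robin" / "server_logs" / "your_information.txt").write_text("constructed")
    (root / "Desktop").mkdir()
    (root / "Desktop" / "READ_ME_3.txt").write_text("Send 0.01 BTC to this address ...")
    (root / "Desktop" / "notes.txt").write_text("Send 0.01 BTC")  # wrong name, must not match
    (root / "Desktop" / "video.scr").write_bytes(b"not a real sample")  # unknown hash, no match
    (root / "AppData" / "Roaming").mkdir(parents=True)
    (root / "AppData" / "Roaming" / "bg_robin.jpg").write_bytes(b"\xff\xd8")
    return root
```

Run triage_profile() against each real profile under C:\Users to sweep a host; an empty list means none of the listed indicators were found.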

PornBlackmailer Blackmail Note:

You looked through forbidden children's porn!
Also, you are involved in its spread.
This is very very very bad!

So information about your location (ip, mac, real address) and other needed data (browser cookies, social network links, desktop screens, browser history, passwords)
were collected and sent to our server.
You can see part of data was collected in "C:\Users\User\Robin\server_logs"
in the files "your_information.txt" and your location on map in "your_location.jpg".
Also you can see more other information about you in near folders and cookies files.
All these data was send to the our server in the internet and can not be deleted by you.

All these data and complaints will be automatically forwarded to the special police departments (FBI, CIA, INTERPOL, MVD, FSB) exactly 24 hours after the current moment (this is not joke, automatically proccess).
This will be enough to put you in jail for at least 1 year. Believe me, you are not the first.

HOWEVER, if you send "0.01 BTC" to the address specially generated for you, all your data will also be automatically deleted from our server and you will live peacefully, having received a lesson.
REPEAT: To forget about this incident, you need to send "0.01 BTC" to the bitcoin address (specially generated for you) below. Then all your data will also be automatically deleted from our server.

This is not joke! Your data will indeed be sent to POLICE departments with help of email if you do not send 0.01 BTC.
All process is fully automatic.
Believe me, these pennies do not cost 1 or more years in jail.

-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)
-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)
-->> Send 0.01 BTC to this address 1CKpj2r2qLPcK4BL1FpP1MsATCCntLvy5q (specially generated for you)

If you do not pay, then tomorrow at exactly 9:14:42 AM o'clock your data will be automatically sent to the police emails and posted to public forums.
If you don't know how to buy bitcoin, just type to google "How to buy bitcoins?".

We hope you make the right decision and will sleep peacefully.
The script on the server will automatically delete your data after the payment is received on the wallet.