As if surveys aren't already annoying, a new ransomware utilizes the FileIce survey platform to force you to do surveys before unlocking your computer. First discovered by GData security researcher Karsten Hahn, this ransomware is currently in development and is most likely not being actively distributed at this time.

Survey Screen
Select Your Survey Screen

When the malware is started it will display a Select Your Survey form as shown above that contains numerous surveys you can select in order to unlock the computer.  The ransomware retrieves these surveys from the URL as shown in the source code below.

FileIce Source
Source showing the form retrieving the Surveys

When a user completes a survey, it will download a file called ThxForYurTyme.txt, which displays the message "Thank you for supporting me.".

Thank You File
Thank You File

My guess is that this file will eventually contain a code that will be used to unlock and remove the lock screen.

Not all features are functional

Since this ransomware is currently in development mode, it contains source code to perform a variety of functions that do not work as of yet. For example, though it does create an autostart so the programs starts when you login, it also contains numerous other features that do not work right. For example, it contains code to disable Ctrl+Alt+Del and code to set a variety of Windows policies to make it more difficult to remove, but they failed to be created on my test. 

The policies that it attempts to enable are:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableLockWorkstation" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableChangePassword" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoClose" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoLogoff" = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "HideFastUserSwitching" = 1

What makes it truly show that it is still in development is the Unlock Your PC screen. This screen contains numerous debugging options that can be used to test the ransomware.

Unlock Your PC Screen
Unlock Your PC Screen

For example, the startup button will enable the autostart entry for the ransomware, the Close button will terminate the process, the Clear Ctrl Alt checkbox will enable or disable the policies, and the Disable keys button will attempt to hook the keyboard so that the keys do not work.

Like many other ransomware infections that are discovered, there is a good chance that this ransomware will never make it into distribution. If it does, though, it will be easily defeated.

Files associated with the Survey Ransomware:


Registry entries associated with the Survey Ransomware

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sdchost	C:\seo\Sdchost.exe

Network traffic associated with the Survey Ransomware


SHA256: 60fba97585c3a48720bffdb1e11fb5be537e6b6344220015bc9740d084f58c0b


Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files