A new ransomware variant nicknamed Ransoc is currently distributed via malvertising campaigns and exploit kits, locking the user's desktop, searching for sensitive content, and employing the found information in an attempt to extort users who accessed questionable content into paying a ransom fee, disguised as a "penalty notice."

Bleeping Computer was in possession of a Ransoc version but couldn't get the ransomware to install. An initial analysis by Nepalese firm Rigo Technology is available here, while security firm Proofpoint has released a more in-depth report yesterday.

According to Proofpoint, Ransoc is currently distributed via malvertising campaigns on adult websites.

First Ransoc infections appeared at the start of November, but FoxIT InTELL researcher Frank Ruiz identified at the end of October a similar malvertising campaign that redirected users to a browser locker that used a visually identical ransom note to the one used by Ransoc.

Ransoc browser locker
Ransoc browser locker (Credit: Proofpoint)

The browser locker only targeted IE users on Windows and Safari users on Mac. The Ransoc ransomware targets only Windows users.

Ransoc doesn't encrypt user files

Unlike most ransomware variants active today, Ransoc doesn't encrypt the user's files and leaves everything as it finds it.

Instead, Ransom scans the user's computer for social media profiles, instant messaging clients, torrent files, and strings associated with child pornography.

Ransoc gathers all this data into a cleverly designed ransom note that locks the user's desktop with a legal warning that threatens the user with an impending lawsuit.

The ransom note shown inside the desktop locker is customized per victim, depending on the data found on each computer.

Ransoc desktop locker
Ransoc desktop locker (Credit: Proofpoint)

The legal notice can be for violating intellectual property rights if the user has downloaded copyrighted material via torrent clients, or for serious crimes if Ransoc finds evidence that the user has accessed sites containing questionable adult material that can be interpreted as child pornography.

The ransomware contains code to scan and collect data from each victim, such as IP address and WiFi information.

Ransoc can also collect data from Skype, Facebook, and LinkedIn profiles. The ransomware doesn't steal passwords from these social media accounts, but only scrapes profiles for information to use in the ransom notes, such as names, nicknames, birth dates, emails, phone numbers, locations, and photos.

There is also a function that searches files downloaded through torrent clients, and a function that tries to access the user's webcam.

The information found by scraping the victim's social media profiles is listed below the legal notice, to scare the user that his real-world identity has been unmasked. A Google map is also shown in some cases, using the user's IP address to display his general location.

Ransoc map
Ransoc map (Credit: Rigo Technologies)

The ransom fee also varies from victim to victim.

Ransoc with different fee
Ransoc with different fee (Credit: Rigo Technologies)

Unlike many ransomware operations nowadays, Ransoc doesn't handle payments via Bitcoin but instead uses direct credit card payments.

Ransoc credit card payment form
Ransoc credit card payment form (Credit: Proofpoint)

Handling payments this way allows law enforcement authorities to track down the crooks by following the money trail. Nevertheless, due to the category of victims they're targeting (people that violated copyright law and suspected child pornography viewers), crooks believe there's a small chance that victims would complain to law enforcement.

"By incorporating data from social media accounts and Skype profiles Ransoc creates a coercive, socially engineered ransom note to convince its targets that they are in danger of prosecution for their browsing habits and the contents of their hard drives," the Proofpoint team says. "[T]he attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of payment."

How to remove the Ransoc desktop locker

Ransoc checks every 100ms if the user has started applications such as Task Manager, RegEdit, and MSConfig, and kills the processes before the user can remove the ransom note from his screen.

Users infected with Ransoc may be happy to hear that there's a way to remove the desktop locker and regain access to their PC.

All they have to do is to reboot the PC in Safe Mode and find and remove a Windows Registry keys that allow the ransomware to start with every PC boot. The registry key is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaErrorHandler

The registry key value that Proofpoint saw in active Ransoc installs was a shortcut file named JavaErrorHandler.lnk.  A victim can also look at the properties of this shortcut file to determine what malware executable it is pointing to. You can then use this information delete the executable associated with Ransoc.