A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims.

According to MalwareHunterTeam, when executed, the ransomware will display a fake Word window that will take some time opening as it encrypts your files. When done encrypting your files, it will display the screen below, which contains a passionate plea to pay the ransom, which will be used to help Syrian refugees.

RansSiria Ransomware

This ransom screen contains text written in Portuguese that is shown below.


Sorry, your files have been locked

Permita nos apresentar como Anonymous, e Anonymous apenas.
Nós somos uma idéia. Uma idéia que não pode ser contida, perseguida nem aprisionada.
Milhares de seres humanos estão nesse momento rufigiados, feridos, com fome e sofrendo...
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos...
NÃO queremos os seus arquivos ou lhe prejudicar..., queremos apenas uma pequena contribuição...  
Lembre-se.., contribuindo você não vai estar apenas recuperando os seus arquivos... 
...e sim ajudando a recuperar a dignidade dessas vitimas... 

nvie a sua contribuição de apenas:               Litecoins para carteira/endereço abaixo.

This translates to English as:

Sorry, your files have been locked

Please introduce us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained, pursued or imprisoned.
Thousands of human beings are now ruled, wounded, hungry and suffering ...
All as victims of a war that is not even theirs !!!
But unfortunately only words will not change the situation of these human beings ...
We DO NOT want your files or you harm them ... we only want a small contribution ...
Remember .. by contributing you will not only be recovering your files ...
... but helping to restore the dignity of these victims ...

Contribute your contribution from only: Litecoins to wallet / address below.

The ransomware will also open a variety of images that show the horrors of war and display a very powerful YouTube video that shows what war does to a child. While I know this is an article about a ransomware, the video is well worth watching and the message is very powerful.

Finally, after decryption, the ransomware will open the URL https://goo.gl/qNxDFP, which goes to an article at Worldvision about Syrian refugees.

No one can deny that what is happening in Syria is horrific and the pain and suffering the Syrians are dealing with is unimaginable. The ransomware developers, though, are not donating the ransom payments to the Syrian people and are only trying to benefit from others' pain and suffering, which makes it that much worse.

While it is not clear whether this ransomware is just in development or is being actively distributed, the Google statistics for the shortened link indicate that the link was created on March 15th and that there have been 23 clicks on it. Unfortunately, it is hard to tell if these clicks are coming from infected victims, the developer, or security researchers.

Shortened Link Clicks

If you encounter this infection and your files become encrypted, I strongly advise that you do not make the payment and try to recover your files using other means. If we find a victim, we will also provide further analysis as to whether the files can be decrypted for free.
