{"id":12583,"date":"2016-07-13T09:42:31","date_gmt":"2016-07-13T13:42:31","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/?p=12583"},"modified":"2019-11-15T22:51:25","modified_gmt":"2019-11-15T11:51:25","slug":"ranscam-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/ranscam-ransomware\/12583\/","title":{"rendered":"Ranscam doesn&#8217;t care if you pay the ransom"},"content":{"rendered":"<p>When ransomware hits, it\u2019s natural to wonder if it might be worth paying the ransom to get your electronic life back with a minimum of hassle. At Kaspersky Lab, we do not recommend paying the ransom in any case, but in the case of new ransomware called Ranscam, there\u2019s really no point: It deletes the files regardless.<\/p>\n<p>Threatpost reports on the <a href=\"https:\/\/threatpost.com\/ranscam-ransomware-deletes-victims-files-outright\/119197\/\" target=\"_blank\" rel=\"noopener nofollow\">new malware<\/a>, noting that in contrast with recent ransomware of breathtaking proficiency, Ranscam seems either lazy or not particularly competent. A sledgehammer among scalpels.<\/p>\n<p>Unfortunately, a sledgehammer is a pretty destructive tool. Whereas sophisticated ransomware aims to extract victims\u2019 money and then, likely as not, restores the files or file systems it encrypted in the attack, Ranscam is just a scam.<\/p>\n<h3>How Ranscam works<\/h3>\n<p>The first thing users will see after the malware has found its way into their system is the ransom note. It looks like the ransom notes that other pieces of ransomware show, but with one seemingly insignificant difference. 
Instead of directing users to an external location where they are supposed to verify the ransom payment, this note shows a clickable button: \u201cI made payment, please verify.\u201d<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/07\/06021847\/RansomNote.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2016\/07\/06021847\/RansomNote.jpg\" alt=\"RansomNote\" width=\"640\" height=\"450\" class=\"aligncenter size-full wp-image-12586\"><\/a><\/p>\n<p>In reality, the difference is very significant. Whenever a user clicks the button, a message appears, saying the payment was not verified and that one file will be deleted each time the button is pressed without the criminals behind Ranscam having been paid. That is probably supposed to make users nervous and persuade them to pay several times.<\/p>\n<p>In fact it\u2019s just a bluff \u2014 but that is not good news for the victim. The ransomware states that it has moved the user\u2019s files into a \u201chidden, encrypted partition,\u201d but in reality, it deleted them before even showing the ransom message. So there is no way to retrieve them.<\/p>\n<p>As researchers at Cisco\u2019s Talos Security Intelligence and Research Group <a href=\"http:\/\/blog.talosintel.com\/2016\/07\/ranscam.html#more\" target=\"_blank\" rel=\"noopener nofollow\">explain<\/a>, simply destroying the files means that the criminals don\u2019t need to learn the fine points of cryptoblocking and locking.<\/p>\n<p>At this point Ranscam has not been associated with any major attacks; it simply serves as a reminder that paying ransom may not work (not to mention, paying reinforces criminals\u2019 idea that ransomware is a great way to make money).<\/p>\n<p>There is no way to get back the files deleted by Ranscam; the only way to protect yourself is to be proactive. 
So we recommend a simple plan:<\/p>\n<ol>\n<li><strong>Don\u2019t open attachments and don\u2019t follow suspicious links.\u00a0<\/strong>Not much is known about how Ranscam spreads, but the usual suspects are e-mail attachments and malicious or hacked websites. So if you aren\u2019t 100% sure, don\u2019t click.<\/li>\n<li><strong>Back up your data regularly and store the backups on an offline storage device.\u00a0<\/strong>If some ransomware encrypts or deletes your files, you\u2019re covered \u2014 you have copies.<\/li>\n<li><strong>Use a reliable antivirus solution.\u00a0<\/strong><a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320853100\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;_ga=1.259955337.2012463085.1466976841\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> detects Ranscam as\u00a0<b>Trojan-Ransom.MSIL.Agent\u00a0<\/b>and doesn\u2019t give the ransomware a chance to do anything bad to your files.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Ranscam deletes your files and then demands ransom to restore them, or it will delete them. 
Yes, in that order.<\/p>\n","protected":false},"author":2045,"featured_media":12593,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2646],"tags":[36,420,726,97,422],"class_list":{"0":"post-12583","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-malware-2","10":"tag-ransomware","11":"tag-scam","12":"tag-security-2","13":"tag-threats"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ranscam-ransomware\/12583\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ranscam-ransomware\/7402\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ranscam-ransomware\/7428\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ranscam-ransomware\/7375\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ranscam-ransomware\/8707\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/ranscam-ransomware\/8595\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/ranscam-ransomware\/12488\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ranscam-ransomware\/2265\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ranscam-ransomware\/12583\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ranscam-ransomware\/5820\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/ranscam-ransomware\/6478\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/ranscam-ransomware\/5116\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ranscam-ransomware\/8171\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ranscam-ransomware\/11991\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/ranscam-ransomware\/12488\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ranscam-ransomware\/12583\/"}],"a
cf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/malware-2\/","name":"malware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12583","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2045"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=12583"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12583\/revisions"}],"predecessor-version":[{"id":24499,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/12583\/revisions\/24499"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/12593"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=12583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=12583"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=12583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}