The first thing a new strain of ransomware does is delete files – then it asks for payment before the victim knows what happened.
The new ransomware, called Ranscam, deletes all files after infecting a computer, said researchers from the Cisco Talos team. It is unknown if this is a bug or an intentional feature.
Ranscam not only deletes files, but it also removes the core Windows executables responsible for the System Restore feature, deletes hard drive shadow copies, and removes several registry keys associated with booting into safe mode. Additionally, it modifies registry keys to disable Task Manager and alters the keyboard scancode map, the Cisco researchers said.
All of this serves to make file recovery much harder and to hinder removal of the ransomware from the infected computer.
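The article lists the recovery mechanisms Ranscam tampers with but gives no way to check a host for that damage. The following PowerShell script is an added defensive example, not code from the article or from Cisco Talos: it inspects the standard Windows locations for each mechanism the article names (shadow copies, safe-mode boot keys, the Task Manager policy value, the keyboard scancode map, and the System Restore executable) and reports anything missing or altered. The registry paths, value names and file path are the well-known Windows defaults and are assumed here; the article itself does not list the specific keys Ranscam touches. Run it from an elevated PowerShell session.

```powershell
# Added defensive integrity check (not from the article or Cisco Talos).
# Reports whether the recovery features Ranscam is described as tampering with are still intact.
# Registry paths and file names below are standard Windows locations, assumed here.

function Test-RecoveryIntegrity {
    $findings = @()

    # 1. Volume Shadow Copies: vssadmin is a stock Windows tool; no shadows means no rollback point.
    $shadows = & vssadmin.exe list shadows 2>$null
    if (-not ($shadows | Select-String -Pattern 'Shadow Copy ID')) {
        $findings += 'No volume shadow copies present'
    }

    # 2. Safe-mode boot configuration: SafeBoot\Minimal and SafeBoot\Network are required to boot into safe mode.
    foreach ($mode in 'Minimal', 'Network') {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $path)) { $findings += "Safe-mode key missing: $path" }
    }

    # 3. Task Manager policy: DisableTaskMgr=1 under Policies\System blocks Task Manager for that scope.
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $val = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($val -eq 1) { $findings += "Task Manager disabled by policy in $hive" }
    }

    # 4. Keyboard scancode remapping: a 'Scancode Map' value is absent on a default installation.
    $kb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
    if (Get-ItemProperty -Path $kb -Name 'Scancode Map' -ErrorAction SilentlyContinue) {
        $findings += 'Scancode Map value present: keyboard layout has been remapped'
    }

    # 5. System Restore tooling: rstrui.exe is the System Restore user interface shipped with Windows.
    $rstrui = Join-Path $env:SystemRoot 'System32\rstrui.exe'
    if (-not (Test-Path $rstrui)) { $findings += "System Restore executable missing: $rstrui" }

    if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings }
}

Test-RecoveryIntegrity
```

Any finding from this script is a reason to treat the host as compromised and to restore from offline backups rather than attempt recovery on the machine itself; as the article notes, once the shadow copies are gone there is nothing left locally to roll back to.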
Once this occurs the ransomware shows its ransom note, which is nothing more than a JPEG image with two sections at the bottom where Ranscam shows a button and a Web form.
The ransomware informs the user that their files are encrypted and moved into a hidden partition. This is all fake. By the time the victim reads this note, the files have already been gone for minutes, and because the ransomware deletes shadow volume copies, there is no way to recover them.
The button mentioned above is supposed to be pushed when the victim pays the 0.2 Bitcoin ransom at a specific wallet address. Cisco researchers said the button is fake and doesn’t do anything, so paying the ransom will not help victims.
Only the form to the right of the button works: it sends an email to the attackers.
Cisco said that when its researchers contacted the Ranscam authors, the authors were extremely friendly in trying to convince them to pay the ransom. Unfortunately, no amount of kind and polite words can change the fact that their “code” has just deleted all your personal files.
As of now, Ranscam is not as widely distributed as other ransomware threats.