A new ransomware family infects users’ computers via poorly secured TeamViewer installations and then encrypts all the data, researchers said.
The first signs of this new ransomware infection appeared on the Bleeping Computer forums, where victims gather to ask for help.
At first, users found their files locked and inaccessible, with three new files added to their desktops. These were the ransom notes, which told users that their files had been taken over by the encryption program and that, to get them back, they should contact the author via two email addresses, firstname.lastname@example.org and email@example.com.
The attacker was asking for 0.5 Bitcoin ($200) but said that, depending on the content of the user’s encrypted files, the ransom could go up to 25 Bitcoin ($10,000).
Technically, the ransomware did not differ much from other ransomware families. This Surprise ransomware used AES-256 to encrypt files, then RSA-2048 to protect each file’s encryption key with a master key that was uploaded to the C&C server.
The ransomware targeted 474 different file extensions and used batch files to remove hard-drive shadow copies, making the auto-recovery process impossible, unless the user stored the same files on an external backup drive.
All infections occurred on PCs that had TeamViewer installed. TeamViewer is a Windows application used to establish a connection between two computers and allow a person to control the other’s PC.
Commonly used in tech support centers, TeamViewer is an app that has a big following among tech-savvy users.
Surprise ransomware victims noticed that they all had TeamViewer installed. When they searched TeamViewer’s logs, each of them discovered that someone had accessed their computer via TeamViewer, downloaded the suprise.exe file (the ransomware’s payload), and then launched it, encrypting their files.
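The log review the victims carried out can be scripted. The following is an added example, not code from the article or from TeamViewer: it parses an incoming-connection log, flags sessions from unknown remote IDs or outside business hours, and finds the session that started shortly before a given event (such as the creation time of the first ransom note). The tab-separated layout and the timestamp format are assumptions, and the log lines are constructed.

```python
# Added example: triage a TeamViewer incoming-connection log after a ransomware incident.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set

# Assumed layout (modelled on Connections_incoming.txt, tab-separated):
#   remote_id  display_name  start  end  local_user  type  connection_id
# Timestamps are assumed to be "DD-MM-YYYY HH:MM:SS" in local time.
# These lines are constructed sample data, not a real log.
SAMPLE_LOG = """\
123456789\tHelpdesk-Laptop\t10-03-2016 09:15:02\t10-03-2016 09:40:11\tjdoe\tRemoteControl\t{aaa}
987654321\tUnknown\t12-03-2016 03:02:44\t12-03-2016 03:21:09\tjdoe\tRemoteControl\t{bbb}
123456789\tHelpdesk-Laptop\t13-03-2016 14:05:00\t13-03-2016 14:12:30\tjdoe\tRemoteControl\t{ccc}
"""

TS_FMT = "%d-%m-%Y %H:%M:%S"

@dataclass
class Session:
    remote_id: str
    name: str
    start: datetime
    end: datetime
    local_user: str

def parse_log(text: str) -> List[Session]:
    """Turn log lines into Session records; blank or short lines are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 5:
            continue
        sessions.append(Session(fields[0], fields[1],
                                datetime.strptime(fields[2], TS_FMT),
                                datetime.strptime(fields[3], TS_FMT),
                                fields[4]))
    return sessions

def suspicious_sessions(sessions: List[Session], known_ids: Set[str],
                        work_start: int = 8, work_end: int = 18) -> List[Session]:
    """Flag sessions from a remote ID not on the allowlist or starting outside business hours."""
    return [s for s in sessions
            if s.remote_id not in known_ids or not (work_start <= s.start.hour < work_end)]

def session_before(sessions: List[Session], event: str,
                   window: timedelta = timedelta(hours=2)) -> Optional[Session]:
    """Return the latest session that started within `window` before `event`
    (e.g. the modification time of the first ransom note), or None."""
    when = datetime.strptime(event, TS_FMT)
    candidates = [s for s in sessions if when - window <= s.start <= when]
    return max(candidates, key=lambda s: s.start) if candidates else None
```

Run it against the real log with the organisation's own list of approved TeamViewer IDs; a flagged session that lines up with the ransom note's timestamp is the lead to pursue.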
Currently, there are no specifics on how these TeamViewer installations were accessed, but there are two possible explanations.
One is a zero-day bug in TeamViewer that the attacker used to force open connections and push his ransomware.
The second is that the attacker scanned the Internet for accessible TeamViewer installations and then brute-forced his way in using commonly used passwords.
Because of the TeamViewer connection, the app’s developer issued a statement:
“In the last couple of days, some reports surfaced which linked some ransomware infections with TeamViewer. We strongly condemn any criminal activity, however, we can emphasize two aspects:
“(1) Up to now, none of the reported cases is based on a TeamViewer security breach
“(2) Some selected steps will help prevent potential abuse
“Ad (1.): We looked thoroughly at the cases that were reported to us. According to our investigation, the underlying security issues cannot be attributed to TeamViewer. Thus far we have no evidence that would suggest any potential security breach of TeamViewer that attackers exploit. Furthermore, a man-in-the-middle attack can nearly be excluded because of TeamViewer’s deployed end-to-end encryption. Additionally, we have no reason to believe that a brute-force attack is the origin of the reported infections. TeamViewer exponentially increases the latency between connection attempts. It thus takes as many as 17 hours for 24 attempts. The latency is only reset after successfully entering the correct password. TeamViewer not only has a mechanism in place to protect its customers from attacks from one specific computer but also from multiple computers, known as botnet attacks, that are trying to access one particular TeamViewer-ID.”