Ranscam Ransomware

The Ranscam Ransomware is a threat that deletes the victims' files. The Ranscam Ransomware pretends to be an encryption ransomware Trojan, but the Ranscam Ransomware just deletes the computer user's data. Encryption ransomware is practically everywhere, with a marked increase in the frequency and quantity of these attacks in the last year. Many of these threats use fairly sophisticated encryption and distribution methods, creating payment websites, different types of ransom notes, and a fairly complicated business model. However, this type of sophistication does not apply to the Ranscam Ransomware.

Uncovering the Real Nature of the Ranscam Ransomware

The Ranscam Ransomware is an obviously amateur creation that is designed to prey on victims while taking advantage of the popularity of encryption ransomware Trojan infections being experienced currently. The Ranscam Ransomware claims to encrypt the victim's files but just deletes them using a batch command. After deleting the victim's files, the Ranscam Ransomware will make a ransom message pops up on the victim's computer, demanding the payment of a ransom in a way similar to real encryption ransomware Trojans. However, right after this, the Ranscam Ransomware reboots the victim's computer, deleting everything and not even attempting to encrypt anything. The Ranscam Ransomware will create the same ransom message every time, including the address for a BitCoin wallet. The Ranscam Ransomware's message reads as follows:

You must pay 0.2 Bitcoins to unlock your computer. Your files have been moved to a hidden partition and crypted. Essential programs in your computer have been locked and your computer will not function properly. Once your Bitcoin payment is received your computer and files will be returned to normal instantly.

This message is contained in an image file from a server hosted by Vitalix in Studio City, California. Curiously enough, the HTTP request to the server is not encrypted or obfuscated, making it simple to be intercepted by PC security analysts. Clicking on the payment button loads a different image file named 'nopay.png' which claims that the victim's payment was not verified, and a file was deleted. This may prompt inexperienced computer users into continuing to believe this threat. However, there is absolutely no point in following the Ranscam Ransomware's instructions, which are a complete fabrication. PC security analysts have noted the following facts about the Ranscam Ransomware:

1. There is no hidden partition on the victim's computer.
2. The Ranscam Ransomware deletes all of the victim's files using a batch script launched by a Windows .NET executable.
3. This executable is signed using a certificate registered to reca.net, a domain owned by an Italian gas valve business (the certificate is most probably forged or misappropriated).
4. If the Ranscam Ransomware is stopped in time, it is possible that the files can be recovered.

The Ranscam Ransomware's Means of Attack

Not many infections involving the Ranscam Ransomware have been reported currently, meaning that it is still unknown exactly how the Ranscam Ransomware infections are spreading. Most of the time, these attacks are initiated through a phishing attack. However, since the Ranscam Ransomware is not as widespread, it's possible that a different method is being used to distribute the Ranscam Ransomware. The fact that the Ranscam Ransomware does not deliver on its premise is particularly badly thought out. The whole point of ransomware Trojans is that victims believe that they will get their files back if they pay. If people don't get their files back during the Ranscam Ransomware attack, then it is unlikely that they will continue to pay. In fact, the Ranscam Ransomware threat is just one of a growing trend of creating fake ransomware Trojans that could hurt the RaaS (Ransomware as a Service) model over time since these people will find that their attacks become more difficult to monetize as fewer people decide to pay back. It seems that the Ranscam Ransomware's authors have note received new payments in nearly a month, meaning that it is likely that fewer people are falling for this tactic.