
Fake Ransomware

Cybercriminals are spreading a malware threat posing as ransomware via malicious websites that supposedly offer adult and age-restricted content. Once activated on a victim's device, the threat, tracked as Fake Ransomware, behaves more like a wiper and leaves the affected data in an unrecoverable state. The weaponized websites use names such as sexyphotos.kozow(dot)com, nude-girlss.mywire(dot)org and sexy-photo(dot)online.

According to the cybersecurity researchers who first published details of the attack operation, these sites trick users by automatically starting the download of what is presented as a raunchy image file. If users accept the download, an executable named 'SexyPhotos.JPG.exe' is dropped and launched on their computers.

Fake Ransomware Details

When executed, the file drops four executables and one batch file on the victim's device. The batch file establishes persistence by copying all four executables into the Windows Startup folder. Once fully established, the Fake Ransomware targets over 70 different file extensions and several specifically chosen folders. Every targeted file and folder has its original name changed to 'Locked_[Number].Locked_fille', which leaves it in an unusable state. However, keep in mind that no encryption takes place. The threat also carries an exclusion list of file extensions that are left intact.

The Ransom Note and Wipe Mechanism

After it has finished renaming all of its targets, the Fake Ransomware drops a text file named 'Readme.txt' on the device. The file is then copied into a multitude of different folders and automatically opened on screen. The ransom note contains instructions in multiple languages, including English, German, Spanish, French, Turkish and more. The attackers claim that the victim's files have been encrypted and that impacted users must pay a ransom of $300 to restore their data. The price doubles to $600 3 days after the attack, and after 7 days the decryption codes will be deleted and all locked files become unsalvageable.

However, as noted earlier, the Fake Ransomware has no encryption routine. As a result, it is extremely unlikely that even the attackers could restore the affected files, because the threat keeps no record of the original file names.
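Added example (not code from the original write-up, and not any vendor's tooling): a Python triage helper that applies the indicators described above, the 'Locked_[Number].Locked_fille' rename pattern, 'Readme.txt' replicated across folders, the 'SexyPhotos.JPG.exe' dropper and executables placed in the Windows Startup folder, to a list of file paths. Because the write-up states that no encryption takes place, the helper also reads the leading bytes of each renamed file to suggest a file type; the original file name stays unrecoverable, exactly as the text says. The sample paths, the executable names in the Startup folder and the file headers are constructed for this example, and the magic-byte table is a small illustrative subset.

```python
import re
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Optional

# Indicators taken from the write-up above.
LOCKED_NAME = re.compile(r"^Locked_\d+\.Locked_fille$", re.IGNORECASE)
RANSOM_NOTE = "readme.txt"
DROPPER_NAME = "sexyphotos.jpg.exe"
STARTUP_TAIL = ["start menu", "programs", "startup"]

# Small constructed magic-byte table: recovers a file *type* from intact
# contents. Extend as needed; the original file name cannot be recovered.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"%PDF-", ".pdf"),
    (b"PK\x03\x04", ".zip"),  # also the container for .docx/.xlsx/.pptx
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
]


def in_startup_folder(path: PureWindowsPath) -> bool:
    """True if the file sits directly in a Windows Start Menu Startup folder."""
    parts = [p.lower() for p in path.parent.parts]
    return parts[-3:] == STARTUP_TAIL


def classify_paths(paths: List[str]) -> Dict[str, list]:
    """Group file paths by the indicators described in the write-up."""
    report = {"locked_files": [], "note_dirs": set(),
              "startup_entries": [], "dropper_hits": []}
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if LOCKED_NAME.match(wp.name):
            report["locked_files"].append(p)
        elif name == RANSOM_NOTE:
            report["note_dirs"].add(str(wp.parent))
        elif name == DROPPER_NAME:
            report["dropper_hits"].append(p)
        if in_startup_folder(wp):  # persistence: anything copied into Startup
            report["startup_entries"].append(p)
    report["note_dirs"] = sorted(report["note_dirs"])
    return report


def matches_fake_ransomware(report: Dict[str, list]) -> bool:
    """Heuristic verdict: mass renames plus the note replicated into several folders."""
    return len(report["locked_files"]) >= 1 and len(report["note_dirs"]) >= 2


def guess_extension(header: bytes) -> Optional[str]:
    """Suggest an extension from the first bytes of a file; None if unknown."""
    for magic, ext in MAGIC:
        if header.startswith(magic):
            return ext
    return None


def plan_recovery(locked_files: List[str],
                  read_header: Callable[[str], bytes]) -> Dict[str, Optional[str]]:
    """Map each renamed file to a name carrying a recovered extension (None if unknown).

    Only a plan is produced; renaming on disk is left to the operator after
    backups have been taken.
    """
    plan = {}
    for p in locked_files:
        wp = PureWindowsPath(p)
        ext = guess_extension(read_header(p))
        plan[p] = str(wp.with_name(wp.stem + ext)) if ext else None
    return plan


# Constructed sample data (hypothetical user profile and dropped file names).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Locked_1.Locked_fille",
    r"C:\Users\alice\Documents\Locked_2.Locked_fille",
    r"C:\Users\alice\Pictures\Locked_3.Locked_fille",
    r"C:\Users\alice\Documents\Readme.txt",
    r"C:\Users\alice\Pictures\Readme.txt",
    r"C:\Users\alice\Desktop\Readme.txt",
    r"C:\Users\alice\Downloads\SexyPhotos.JPG.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropped_1.exe",
    r"C:\Users\alice\Documents\budget.xlsx",
]
SAMPLE_HEADERS = {  # constructed leading bytes standing in for on-disk reads
    SAMPLE_PATHS[0]: b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",
    SAMPLE_PATHS[1]: b"PK\x03\x04\x14\x00\x06\x00",
    SAMPLE_PATHS[2]: b"\xff\xd8\xff\xe0\x00\x10JFIF",
}

if __name__ == "__main__":
    rep = classify_paths(SAMPLE_PATHS)
    print("fake-ransomware pattern:", matches_fake_ransomware(rep))
    for key, value in rep.items():
        print(f"{key}: {value}")
    for src, dst in plan_recovery(rep["locked_files"], SAMPLE_HEADERS.__getitem__).items():
        print(f"{src} -> {dst}")
```

On a real host, `read_header` would be a function that opens the file and returns its first 16 bytes, and the paths would come from a directory walk; keeping the I/O behind callables keeps the classification and recovery logic testable offline.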
