
Ranscam Ransomware Permanently Deletes Files Yet Still Demands Ransom Fee

In a perfect world, we could all grow money on trees and burn it during the winter as a heat source. As it turns out, money is being burned by the computer users victimized by Ranscam Ransomware. The Cisco Talos team of security researchers has discovered that Ranscam deletes files permanently but still demands ransom money, without any ability to restore the deleted files.

During the mass propagation of recent ransomware, most of the threats have followed an unwritten rule of giving computer users back their files after they are held for a substantial ransom fee. Such a process has been quite successful in the extortion of money from victimized computer users. Ranscam's technique of permanently deleting files without any reprieve whatsoever, while still demanding that a ransom fee be paid, is utterly ridiculous. However, Ranscam is somehow touting its poorly programmed functions as a viable way to extort money. That isn't going to fly when victimized computer users discover that they would only be throwing money away if they paid Ranscam's ransom.

The actions of Ranscam have been under heavy scrutiny since its discovery earlier this week by researchers from Cisco's Talos team. From the looks of it, Ranscam is prone to start immediately deleting files upon its installation. For now, it's unclear if this initial action of deleting files is part of Ranscam's intentional programming or in fact a bug that is the result of the malware being poorly written.

In addition to deleting common files that Ranscam finds directly on an infected computer's C drive, Ranscam finds and deletes core Windows executable files, which may be responsible for several registry keys that may be associated with Safe Mode system boot processes, running the Task Manager, and System Restore features. By the looks of the system files that Ranscam deletes, the malware doesn't want to allow a user to easily restore their hard drive or boot into Safe Mode in an attempt to eradicate the threat or restore individual files.

Where Ranscam fails to justify its demanded ransom fee is in the ransom notification that it relays. The Ranscam message tells users that their files are now contained in a hidden partition of their hard drive. When examined, however, the files are not in any other partition; they are in fact permanently deleted from the hard drive, with all shadow volume copies deleted as well. Fundamentally, there is no way of recovering the files that Ranscam deletes.
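The recovery-inhibiting behaviour described in the two paragraphs above (shadow copy deletion combined with tampering with Safe Mode, Task Manager and System Restore) can be detected by correlating events per host. The following is an added example, not code from this article or from Cisco Talos; the command lines, registry paths, host names and event layout are generic, constructed assumptions, since the article does not list the specific commands or keys Ranscam uses.

```python
import re
from collections import defaultdict

# Generic recovery-inhibition indicators (assumptions for illustration; the
# article does not list the commands or registry keys Ranscam touches).
RULES = [
    # (behaviour, event type, pattern on command line or registry path, required value)
    ("shadow_copy_delete", "process",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I), None),
    ("safe_mode_removed", "reg_delete",
     re.compile(r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot(\\|$)", re.I), None),
    ("task_manager_disabled", "reg_set",
     re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I), "1"),
    ("system_restore_disabled", "reg_set",
     re.compile(r"\\Windows NT\\SystemRestore\\DisableSR$", re.I), "1"),
]

# Constructed sample events: (host, event type, command line or registry path, value)
SAMPLE_EVENTS = [
    ("PC-07", "process", r"cmd.exe /c vssadmin delete shadows /all /quiet", None),
    ("PC-07", "reg_delete", r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal", None),
    ("PC-07", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "1"),
    ("BKP-01", "process", r"vssadmin delete shadows /for=C: /oldest", None),  # routine backup pruning
    ("PC-12", "process", r"vssadmin list shadows", None),                     # read-only query
    ("PC-12", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "0"),
]

def classify(event):
    """Return the behaviour name an event matches, or None."""
    _, etype, target, value = event
    for name, rule_type, pattern, required in RULES:
        if etype == rule_type and pattern.search(target) and required in (None, value):
            return name
    return None

def hosts_inhibiting_recovery(events, threshold=2):
    """Flag hosts showing at least `threshold` distinct behaviours."""
    seen = defaultdict(set)
    for event in events:
        name = classify(event)
        if name:
            seen[event[0]].add(name)
    return {host: sorted(names) for host, names in seen.items() if len(names) >= threshold}

if __name__ == "__main__":
    for host, names in hosts_inhibiting_recovery(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

Requiring two distinct behaviours keeps the backup host, which only prunes old shadow copies, from raising an alert.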

The fee that Ranscam asks to be paid is 0.2 Bitcoins, which is equal to about $132 USD. Such a fee is one that victimized computer users would be willing to pay. However, Ranscam may not see many payments once it is found that the files cannot be recovered after the fee is paid, contrary to what the ransom note claims.

So far, we have not seen many cases of Ranscam infections, at least nothing close to the massive infection rates from other recent ransomware. We still believe that there may be some flaws in the current variation of Ranscam, and that its authors may fix them in the near future to make it a viable threat that holds several files for ransom and can legitimately restore them once the fee is paid. For now, Ranscam is the ultimate ransomware scam that flounders in its effort to extort money from victimized computer users.
