Ransomware Surprise uses TeamViewer

A new family of ransomware has been discovered in recent weeks. It infects computers through the TeamViewer program and then encrypts all data, adding the "." extension to every file.


The first signs of this new ransomware infection appeared on the Bleeping Computer forum, a well-known English-language site to which affected users usually turn for help.

Those who fell victim to the infection were surprised to discover that their files were encrypted and inaccessible, and that three new files had appeared on their desktops. These files contain ransom notes informing the user that their files are now encrypted and that, to get them back, they must contact the ransomware developer at one of two email addresses, nowayout@protonmail.com and nowayout@sigaint.org.

The criminals ask for 0.5 Bitcoin (~$200), but they state that, depending on the content encrypted on the user's machine, the ransom can easily reach 25 Bitcoin (~$10,000).

Technically, this ransomware is nothing special compared to similar programs that have recently hit the internet. The so-called Surprise ransomware uses AES-256 to encrypt the files, and then RSA-2048 to protect each file's encryption key with a master key that is uploaded to a C&C server.

The ransomware targets 474 different file types and uses batch files to remove the shadow copies of the hard disk, making automatic recovery impossible unless the user keeps the same files on an external disk as a backup.
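As an added illustration that is not part of the original article, the following Python flags the shadow-copy removal step in process-creation logs, where a defender would expect to catch it. The log events are constructed, and the vssadmin/wmic commands are an assumption, since the article only says the ransomware uses batch files.

```python
import re

# Process-creation events, constructed for this example (Sysmon-style fields, not real logs).
# The article only says the ransomware uses batch files against the shadow copies; the
# vssadmin/wmic commands below are an assumption based on the usual technique (ATT&CK T1490).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3900, "image": r"C:\Users\victim\Desktop\suprise.exe",
     "cmdline": r"C:\Users\victim\Desktop\suprise.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\AppData\Local\Temp\wipe.bat"'},
    {"pid": 4131, "ppid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5001, "ppid": 800, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: an admin listing the copies
]

# Command lines that destroy Volume Shadow Copies and so inhibit recovery.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]

def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes shadow copies; listing them is not flagged."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)

def process_chain(events_by_pid, pid, limit=5):
    """Walk the parent links upward and return the image paths, child first."""
    chain = []
    while pid in events_by_pid and len(chain) < limit:
        chain.append(events_by_pid[pid]["image"])
        pid = events_by_pid[pid]["ppid"]
    return chain

def find_shadow_copy_deletions(events):
    """Flag shadow-copy deletions; severity is raised when the process ancestry includes
    an executable run from a user profile, i.e. the dropped-batch-file pattern above."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not is_shadow_copy_deletion(e["cmdline"]):
            continue
        chain = process_chain(by_pid, e["pid"])
        from_user_profile = any("\\Users\\" in image for image in chain)
        hits.append({"pid": e["pid"], "cmdline": e["cmdline"], "chain": chain,
                     "severity": "high" if from_user_profile else "medium"})
    return hits
```

Run against real Sysmon Event ID 1 data, the same chain walk also surfaces the remote-support session that launched the dropper, which is the TeamViewer link the victims found in their logs.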

But as more and more people were infected, a pattern emerged. Almost all infections occurred on computers with TeamViewer installed, a Windows application that creates a connection between two computers and lets a user remotely control one of them.

TeamViewer is commonly used by support centres and is widespread among home users, because its non-commercial use is completely free.

The victims of the Surprise ransomware noticed that every one of them had TeamViewer installed. They looked for the activity in their TeamViewer logs and discovered that someone who had gained access to their computer through it had downloaded the file suprise.exe (the executable carrying the infection) and then run it on their machine.


There are currently no details on how these computers became accessible through TeamViewer, but there are two possible explanations. One is a zero-day bug in TeamViewer that the scammers used to get in and drop their ransomware.

This scenario is rather unlikely, mainly because exploiting zero-day bugs requires considerable skill and specialised technical knowledge. Those who resort to simple backdoored ransomware are certainly not capable of working with zero-days.

The second explanation is that the attacker scans the internet for reachable TeamViewer installations and then tries a series of passwords, counting on luck and on the victim's carelessness in using a four-digit code such as 1234.

Written by Dimitris
