A new family of ransomware has been discovered in recent weeks, which infects computers through TeamViewer and then encrypts all data, adding the ".surprise" extension to all files.
The first signs of this new ransomware infection were spotted on the Bleeping Computer forum, a popular English-language website where users usually turn for help.
Those who have fallen victim to the infection were surprised to discover that their files were encrypted and inaccessible, and that three new files had appeared on their desktops. These files contain ransom messages informing the user that their files are now encrypted and that, to get them back, they will need to contact the ransomware developer via two email addresses, [email protected] and [email protected].
The criminals ask for 0.5 Bitcoin (~$200), but they state that, depending on the content that was encrypted, the ransom can easily reach 25 Bitcoin (~$10,000).
Technically, this ransomware is nothing special compared to similar programs that have recently hit the internet. The so-called Surprise ransomware uses the AES-256 algorithm to encrypt the files, and then RSA-2048 to secure each file's encryption key with a master key that is uploaded to a C&C server.
The ransomware targets 474 different file extensions and uses batch files to delete the hard drive's shadow copies, making automatic recovery impossible unless the user has saved the same files to an external drive as a backup.
But as more and more people became infected, a pattern to the infections was noticed. Almost all of them occurred on computers that had TeamViewer installed, a Windows application used to establish a connection between two computers and let a user control one of them remotely.
TeamViewer is typically used in support centers and is widespread among home users because its non-commercial use is completely free.
Victims of the Surprise ransomware noted that all of them had TeamViewer installed. They went through their TeamViewer logs and discovered that someone who had accessed their computer through it had downloaded the surprise.exe file (the executable carrying the infection) and then executed it on their computer.
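The log review the victims performed can be scripted. The following is an added example, not code from the article or from TeamViewer: it parses incoming-connection log lines, flags sessions from remote IDs that the owner does not recognise, remote-control sessions outside working hours, and sessions active around the time the ransom notes appeared. The tab-separated field layout (remote ID, remote name, start, end, local user, connection type, session GUID) and the dd-mm-yyyy HH:MM:SS timestamp format are assumptions about the `Connections_incoming.txt` file and should be checked against a real log; the sample lines, IDs and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Assumed timestamp layout of TeamViewer's Connections_incoming.txt (verify locally).
TS_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log; every ID, name, GUID and time here is invented.
SAMPLE_LOG = """\
111222333\tOffice Helpdesk\t10-03-2016 09:15:02\t10-03-2016 09:40:47\tAlice\tRemoteControl\t{aaaa-1}
999888777\tUnknown\t11-03-2016 02:03:11\t11-03-2016 02:21:05\tAlice\tRemoteControl\t{bbbb-2}
111222333\tOffice Helpdesk\t11-03-2016 10:00:00\t11-03-2016 10:05:30\tAlice\tFileTransfer\t{cccc-3}
"""

# Remote TeamViewer IDs the owner recognises (constructed allow-list).
KNOWN_REMOTE_IDS: Set[str] = {"111222333"}


@dataclass
class Session:
    remote_id: str
    remote_name: str
    start: datetime
    end: datetime
    local_user: str
    conn_type: str
    session_id: str


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT)


def parse_incoming_log(text: str) -> List[Session]:
    """Parse tab-separated incoming-connection lines; malformed lines are skipped."""
    sessions: List[Session] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # truncated or unexpected layout: do not guess
        rid, name, start, end, user, ctype, sid = fields[:7]
        sessions.append(Session(rid, name, parse_ts(start), parse_ts(end), user, ctype, sid))
    return sessions


def session_flags(s: Session, known_ids: Set[str], note_time: datetime,
                  slack: timedelta = timedelta(minutes=30)) -> List[str]:
    """Reasons a session deserves a closer look; an empty list means nothing stood out."""
    flags: List[str] = []
    if s.remote_id not in known_ids:
        flags.append("remote ID not on the allow-list")
    if s.conn_type == "RemoteControl" and not 8 <= s.start.hour < 18:
        flags.append("remote-control session outside 08:00-18:00")
    # The payload is dropped during the session, but encrypting hundreds of file
    # types takes time, so the ransom note may land after the session ends.
    if s.start <= note_time <= s.end + slack:
        flags.append("active when the ransom note appeared")
    return flags


def triage(text: str, known_ids: Set[str], note_time_str: str) -> Dict[str, List[str]]:
    """Map session GUID -> flags for every session that raised at least one flag."""
    note_time = parse_ts(note_time_str)
    result: Dict[str, List[str]] = {}
    for s in parse_incoming_log(text):
        flags = session_flags(s, known_ids, note_time)
        if flags:
            result[s.session_id] = flags
    return result


if __name__ == "__main__":
    # Constructed time at which the three ransom-note files were first seen.
    for sid, flags in triage(SAMPLE_LOG, KNOWN_REMOTE_IDS, "11-03-2016 02:25:00").items():
        print(sid, "->", "; ".join(flags))
```

On the sample data only the 02:03 session from the unrecognised ID is reported, with all three flags; the helpdesk sessions from the allow-listed ID raise none. In a real investigation the flagged session GUID and remote ID are what to hand to TeamViewer support or law enforcement, together with the file-creation time of the ransom notes.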
There are currently no details on how these computers were accessed via TeamViewer, but there are two possible explanations. One is the existence of a zero-day bug in TeamViewer that the fraudsters used to open the connections and plant their ransomware.
This scenario is a bit far-fetched, mainly because zero-day bugs require a lot of skill and specialised technical knowledge. Those using simplistic backdoored ransomware are certainly not qualified to work with zero-days.
The second explanation is that the attacker scans the internet for accessible TeamViewer installations and then tries a series of passwords, hoping that the victim uses a simple four-digit code such as 1234.