A new family of ransomware has been discovered in recent weeks. It infects computers through the TeamViewer program and then encrypts all data, appending the extension ".surprise" to every file.
The first signs of this new ransomware infection were spotted on the Bleeping Computer forum, a popular English-language website where users ask for help.
Those who have fallen victim to the infection have been surprised to find that their files are encrypted and inaccessible and that three new files have appeared on their desktops. These files contain ransom notes informing the user that their files are now encrypted and that, to get them back, they must contact the ransomware developer via two email addresses, nowayout@protonmail.com and nowayout@sigaint.org.
The criminals ask for 0.5 Bitcoin (~$200), but state that, depending on the content that was encrypted, the ransom can very easily reach 25 Bitcoin (~$10,000).
Technically, this ransomware is nothing special compared to similar programs that have recently hit the internet. The so-called Surprise ransomware uses AES-256 to encrypt the files and RSA-2048 to protect each file's encryption key with a master key that is uploaded to a C&C server.
The ransomware targets 474 different file extensions and uses batch files to delete the hard drive's shadow copies, making automatic recovery impossible unless the user has kept a backup of the same files on an external drive.
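The article describes batch files going after the hard drive's shadow copies so that automatic recovery is impossible. That step is one of the few things a defender can watch for before the encryption finishes. The following Python is an added example, not code from the article or from the ransomware author: it runs a handful of constructed process-creation records (the field layout, timestamp plus image plus command line, is an assumption modelled on a generic EDR or Sysmon export) against patterns for the real Windows commands that delete Volume Shadow Copies or switch off recovery (vssadmin, wmic, wbadmin, bcdedit). Listing shadows, which backup software does routinely, is deliberately not flagged.

```python
import re

# Constructed process-creation events, not taken from the article. The field
# layout (timestamp, image path, command line) mimics a generic EDR or Sysmon
# export and is an assumption made for this example.
SAMPLE_EVENTS = [
    {"ts": "2016-03-14T09:12:01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Desktop\run.bat"'},
    {"ts": "2016-03-14T09:12:02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2016-03-14T09:12:03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2016-03-14T09:15:00", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
    {"ts": "2016-03-14T10:30:00", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# Command lines that remove Volume Shadow Copies or disable Windows recovery.
# Each is a real Windows command; the regexes tolerate case changes and the
# ".exe" suffix being present or absent.
SHADOW_DELETE_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_recovery_off":    re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
}


def find_shadow_copy_deletions(events):
    """Return one alert per event whose command line matches a deletion rule."""
    alerts = []
    for ev in events:
        for rule_name, pattern in SHADOW_DELETE_RULES.items():
            if pattern.search(ev["cmdline"]):
                alerts.append({"ts": ev["ts"], "rule": rule_name, "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


def earliest_alert_time(events):
    """Timestamp of the first deletion seen: a sensible start for the triage window."""
    alerts = find_shadow_copy_deletions(events)
    return min(a["ts"] for a in alerts) if alerts else None


if __name__ == "__main__":
    for alert in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f'{alert["ts"]}  {alert["rule"]:24}  {alert["cmdline"]}')
```

In a real deployment the same rules belong in the EDR or SIEM as a high-severity process-creation detection; the timestamp of the first hit is also where to start when reconstructing what ran on the machine just before the files were encrypted.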
But as more and more people were infected, a pattern emerged. Almost all infections occurred on computers that had TeamViewer installed, a Windows application that creates a connection between two computers and allows a user to remotely control one of them.
TeamViewer is typically used in support centers and is widespread among home users because its non-commercial use is completely free.
Surprise ransomware victims noticed that they all had TeamViewer installed. They went through the TeamViewer logs and found that someone with access to their computer through it had downloaded the suprise.exe file (the infected executable) and then run it on their machine.
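The log review the victims did by hand, matching the moment the executable appeared against who was connected, is straightforward to script. The following Python is an added example, not code from the article or from TeamViewer: it parses a few constructed lines in the tab-separated layout this example assumes for TeamViewer's Connections_incoming.txt (partner ID, partner name, session start, session end, local user, connection type, session GUID; check the column order against a log from your own installation), then answers three questions a defender would ask: which incoming session was open when the file was created, which sessions came from partner IDs not on an allow-list, and which started outside working hours.

```python
from datetime import datetime

# Constructed log lines, not taken from the article. They follow the
# tab-separated layout of TeamViewer's Connections_incoming.txt as this
# example assumes it: partner ID, partner display name, session start,
# session end, local Windows user, connection type, session GUID.
SAMPLE_INCOMING_LOG = (
    "987654321\tHelpdesk Laptop\t10-03-2016 14:02:11\t10-03-2016 14:25:40\t"
    "victim\tRemoteControl\t{11111111-1111-1111-1111-111111111111}\n"
    "123456789\tUnknown\t12-03-2016 03:17:05\t12-03-2016 03:41:52\t"
    "victim\tRemoteControl\t{22222222-2222-2222-2222-222222222222}\n"
    "555555555\tFamily PC\t13-03-2016 19:00:00\t13-03-2016 19:10:30\t"
    "victim\tFileTransfer\t{33333333-3333-3333-3333-333333333333}\n"
)

TS_FMT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp layout in the log


def parse_ts(text):
    """Parse a log timestamp into a datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_incoming(text):
    """Parse the log into a list of session dicts with datetime start/end."""
    sessions = []
    for raw in text.splitlines():
        parts = raw.rstrip("\r\n").split("\t")
        if len(parts) < 7:
            continue  # blank or truncated line
        partner_id, partner_name, start, end, local_user, kind, guid = parts[:7]
        sessions.append({
            "partner_id": partner_id,
            "partner_name": partner_name,
            "start": parse_ts(start),
            "end": parse_ts(end),
            "local_user": local_user,
            "type": kind,
            "guid": guid,
        })
    return sessions


def sessions_covering(sessions, moment):
    """Sessions that were open at `moment`, e.g. the creation time of a dropped file."""
    return [s for s in sessions if s["start"] <= moment <= s["end"]]


def sessions_from_unknown_partners(sessions, known_partner_ids):
    """Sessions whose partner ID is not on the allow-list of expected remote IDs."""
    return [s for s in sessions if s["partner_id"] not in known_partner_ids]


def sessions_outside_hours(sessions, first_hour=8, last_hour=20):
    """Sessions that started outside the interval [first_hour, last_hour)."""
    return [s for s in sessions if not (first_hour <= s["start"].hour < last_hour)]


if __name__ == "__main__":
    sessions = parse_incoming(SAMPLE_INCOMING_LOG)
    # Constructed creation time of the dropped executable, as read from file metadata.
    dropped_at = parse_ts("12-03-2016 03:30:00")
    for s in sessions_covering(sessions, dropped_at):
        print("file dropped during session from", s["partner_id"], s["partner_name"], s["guid"])
    for s in sessions_from_unknown_partners(sessions, {"987654321", "555555555"}):
        print("unexpected partner:", s["partner_id"], "at", s["start"])
```

The partner ID and session GUID of the matching session are the values worth keeping from this exercise: they identify the remote side of the connection and can be handed to the vendor or to law enforcement, which a file hash alone cannot do.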
There are currently no details on how these computers were accessed through TeamViewer, but there are two possible explanations. One is a zero-day bug in TeamViewer that the scammers used to open connections and plant their ransomware.
This scenario is rather unlikely, mainly because exploiting zero-day bugs requires a lot of skill and specialised technical knowledge. Those who operate simple ransomware of this kind are almost certainly not qualified to work with zero-days.
The second explanation is that the attacker scans the internet for reachable TeamViewer installations and then tries a series of access codes, counting on luck and on the victim's carelessness in using a four-digit code like 1234.