A new family of ransomware has been discovered in recent weeks. It infects computers through TeamViewer and then encrypts all data, adding the ".surprise" extension to every file.
The first signs of this new ransomware infection were identified in the Bleeping Computer forum, a popular English-language website where users seeking help with infections usually turn.
Those who have fallen victim to the infection have been surprised to discover that their files are encrypted and inaccessible and that there are three new additional files on their desktops. These new files contain messages that demand a ransom, and inform the user that their files are now encrypted, and to get them back they should contact the ransomware developer via two email addresses, nowayout@protonmail.com and nowayout@sigaint.org.
The criminals are asking for 0.5 Bitcoin (~$200), but they state that, depending on the content encrypted on the victim's computer, the ransom can very easily reach 25 Bitcoin (~$10,000) if they see fit.
Technically, this ransomware is nothing special compared to similar programs that have recently hit the internet. The so-called Surprise ransomware uses the AES-256 algorithm to encrypt the files, and then RSA-2048 to protect the per-file encryption keys with a master key that is uploaded to a C&C server.
The ransomware targets 474 different file extensions and uses batch files to wipe the hard drive's shadow copies, making automatic recovery impossible unless the user keeps a copy of the same files on an external disk as a backup.
But what was observed as more and more people were infected was that there was a pattern in the infection. Almost all infections occurred on computers that had installed TeamViewer, a Windows application that can be used to create a connection between two computers and allows a user to remotely control a computer.
TeamViewer is usually used in support centres and is widespread among ordinary users because its non-commercial use is completely free.
Surprise ransomware victims noticed that they all had TeamViewer installed. They looked through the TeamViewer logs and found that someone who had accessed their computer through it had downloaded the surprise.exe file (the executable carrying the infection) and then run it on their computer.
There are currently no details on how these computers were accessed through TeamViewer, but there are two possible explanations. One is the presence of a zero-day bug in TeamViewer that the scammers used to open sessions and plant their ransomware.
This scenario is rather unlikely, mainly because exploiting zero-day bugs requires a lot of skill and specialised technical knowledge. Those who rely on such simple ransomware are definitely not qualified to work with zero-days.
The second explanation is that the attacker scans the internet for exposed TeamViewer installations and then tries a series of passwords, hoping that the victim has left a weak four-digit code such as 1234.
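The log review the victims performed, and the weak-password scenario just described, can be turned into a repeatable triage step: find the earliest ".surprise" file on the machine and list the TeamViewer incoming sessions that were active around that moment, so the remote TeamViewer ID used by the intruder can be reported and blocked. The script below is an added example, not code from the article or from TeamViewer. Its assumptions: the tab-separated layout of TeamViewer's Connections_incoming.txt (remote ID, display name, start, end, local user, session type, session GUID), the day-month-year timestamp format, and all sample log lines and file listings, which are constructed for the demonstration.

```python
"""Triage helper: correlate TeamViewer incoming sessions with the first
appearance of '.surprise' files on a victim machine (added example)."""
from datetime import datetime, timedelta

# Constructed sample of TeamViewer's Connections_incoming.txt. The column layout
# (remote ID, name, start, end, local user, session type, session GUID) is an
# assumption about the real log format; adjust the parser if your version differs.
SAMPLE_CONNECTIONS = (
    "123456789\tHelpdesk PC\t10-03-2016 09:12:03\t10-03-2016 09:40:41\tAlice\tRemoteControl\t{guid-1}\n"
    "987654321\tunknown\t14-03-2016 02:17:55\t14-03-2016 02:33:10\tAlice\tRemoteControl\t{guid-2}\n"
    "555555555\tOffice Laptop\t15-03-2016 11:05:00\t15-03-2016 11:09:30\tAlice\tFileTransfer\t{guid-3}\n"
)

# Constructed sample of a (path, modification time) listing taken from the victim.
SAMPLE_FILES = [
    ("C:/Users/Alice/Documents/budget.xlsx.surprise", "14-03-2016 02:21:40"),
    ("C:/Users/Alice/Documents/report.docx.surprise", "14-03-2016 02:22:05"),
    ("C:/Users/Alice/Desktop/ransom_note_1.txt", "14-03-2016 02:30:11"),
    ("C:/Users/Alice/Pictures/cat.jpg", "01-02-2016 18:00:00"),
]

TS_FMT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format of the log


def parse_connections(text):
    """Parse incoming-session lines; malformed lines are skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 6:
            continue
        sessions.append({
            "remote_id": parts[0],
            "name": parts[1],
            "start": datetime.strptime(parts[2], TS_FMT),
            "end": datetime.strptime(parts[3], TS_FMT),
            "user": parts[4],
            "type": parts[5],
        })
    return sessions


def first_encryption_time(files):
    """Earliest modification time among files carrying the .surprise extension."""
    times = [datetime.strptime(mtime, TS_FMT)
             for path, mtime in files if path.lower().endswith(".surprise")]
    return min(times) if times else None


def suspect_sessions(sessions, t0, slack=timedelta(minutes=15)):
    """Sessions that were open at, or within `slack` of, the first encryption."""
    if t0 is None:
        return []
    return [s for s in sessions if s["start"] - slack <= t0 <= s["end"] + slack]


def triage(conn_text, files):
    """Return (first encryption time, list of remote IDs to report/block)."""
    t0 = first_encryption_time(files)
    hits = suspect_sessions(parse_connections(conn_text), t0)
    return t0, [s["remote_id"] for s in hits]


if __name__ == "__main__":
    t0, ids = triage(SAMPLE_CONNECTIONS, SAMPLE_FILES)
    print("first .surprise file written:", t0)
    print("TeamViewer IDs active at that time:", ids)
```

Run it against a real machine by replacing the constructed samples with the contents of the log file and a directory walk; a session from an unfamiliar ID that overlaps the first encrypted file is the indicator to hand to TeamViewer and to your incident responders, and the finding should prompt a password change and two-factor authentication on the account before the machine is put back online.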