An unusual combination of browser locker and ransomware, dubbed Ransoc by researchers, is targeting users who visit adult sites.

Ransoc targets victims’ reputation

The malware is delivered via malvertising, and hits only Windows users. But it does not encrypt the victim’s files – instead, it effectively holds their reputation for ransom.

Once it’s run on a victim’s computer, it begins to scan local media filenames for strings associated with child pornography and media files downloaded via torrents, and runs several routines whose aim is to collect information from the victim’s Skype, Facebook, and LinkedIn accounts.

All this information will be used to customize a fake “penalty notice” that will be shown to the victim.

The notice threatens to expose the victim’s violation of intellectual property rights and their suspicious online activity if they don’t pay a fine.

The information pulled from the social media profiles is used as proof that everyone in their social and professional circles might end up hearing about this if the victim does not pay up. As an added enticement, the message says that the money the victims pay will be refunded to them if they are not caught again in the next 180 days.

Another very unusual thing about Ransoc is that the payment of the fine is supposed to be effected via credit card:

“This fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the ransom have enough to hide that they will probably not seek support from law enforcement,” Proofpoint researchers noted.

“In fact, while Ransoc may seem to be motivated by vigilantism against genuine criminals, the motives are likely less-than-altruistic, as the attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of payment.”

How to get rid of Ransoc without paying

The fake “penalty notice” a full-screen window that prevent victims from closing the browser window or accessing the underlying operating system.

“Ransoc checks every 100 milliseconds for regedit, msconfig, and taskmgr, killing the processes before victims have a chance to remove or disable the malware,” the researchers shared.

But the malware only uses a registry autorun key to assure persistence, so rebooting the machine in Safe Mode should allow users to remove the malware, they noted.

“Ransomware authors are trying to find new ways to make their attacks more convincing and to ensure the target is more likely to pay the ransom. The Ransoc variant is pushing the boundaries by going beyond the standard file encryption to incorporate social engineering techniques and targeting sensitive personal information,” Thomas Fischer, threat researcher and security advocate at Digital Guardian, commented for Help Net Security.