Lazy but sneaky cybercrooks are slinging a new ransomware variant that falsely claims to have encrypted files when in reality it has deleted them.

Ranscam tricks victims by falsely claiming that files have been moved onto an hidden, encrypted partition.

In reality the malware has deleted files and comprehensively messed with system settings (removing executables associated with System Restores, deleting shadow copies, hobbling Safe Mode etc.) such that it is difficult or impossible to recover from an infection.

Victims are encouraged to pay a 0.2BTC ($125) ransom but in reality the crooks have no mechanism to restore compromised files. The attackers provided the same wallet address for all payments and for all samples identified by Cisco’s Talos security division.

The malware features a fake payment verification process that automatically returns notices of failure, possibly in the hopes that desperate victims might make a fresh payment.

Ranscam scam screenshot (source: Cisco Talos blog post)

The Ranscam campaign does not appear to be widespread. The threat is, nonetheless, noteworthy because it shows hows chancers and skiddies are jumping on the ransomware bandwagon.

“The lack of any encryption (and decryption) within this malware suggests this adversary is looking to ‘make a quick buck’ - it is not sophisticated in anyway and lacks functionality which is associated with other ransomware such as Cryptowall,” Cisco Talos researchers conclude in a blog post.

“While many high profile sources advise organisations and individuals to pay the ransom, Ranscam illustrates the importance of having a sound, offline backup strategy in place rather than a sound ransom payout strategy.” ®