The most common ways to distribute ransomware are malvertising campaigns, exploit kits and email, but the distribution method of a new ransomware family, known as Surprise, has caught both users and security researchers off guard. Surprise, named after the extension it appends to every encrypted file, was first detected on March 10 by a handful of antivirus signatures. It is derived from EDA2, an open-source ransomware project published for educational purposes that, as so often, is being put to malicious use.

The ransomware arrives, as its name suggests, without warning. Victims found that, from one day to the next, all their files had been encrypted and renamed with the ".surprise" extension: photos, documents and other personal files throughout the system. Once encryption completes, the malware drops three files on the desktop containing the instructions for recovering them. The author hides behind two email accounts, one at ProtonMail and the other at Sigaint.

Surprise encrypts files with AES-256, and the AES key is in turn protected by an RSA-2048 master key held on a remote command-and-control server. The malware recognises 474 file types, encrypts them, securely deletes the originals and defeats recovery from local backups; only copies kept on an external drive that was disconnected at the time of infection survive. To release the files, the attacker demands a payment of 0.5 Bitcoin, about $786.25, but depending on the type and number of files encrypted the demand can rise to 25 Bitcoin, about $39,312.50 at the same exchange rate.

It is not known how the attacker managed to reach the victims' TeamViewer installations to distribute Surprise. The ransomware itself is no surprise; it is broadly like any other. What is unusual about it is the way it reaches its victims.
Although nothing was clear at first, a pattern emerged as the number of victims grew: all of them had the TeamViewer remote control tool installed. By reviewing TeamViewer's connection logs, the victims could see that an unauthorized user had connected to their computers, downloaded a file called "surprise.exe" (the ransomware) and run it by hand, triggering the infection. How the attacker managed to connect remotely to the victims' computers is still unknown, although there are two possible explanations:

- The first, though somewhat far-fetched, is that the attacker holds a zero-day vulnerability that lets them connect remotely to any machine running TeamViewer. TeamViewer's security staff audited the product after the first infections and state that this is not possible, which points to the second option.
- The second, and the more likely, is that the attacker uses a scanning tool to locate reachable TeamViewer hosts and then gains access to the victims' systems by brute-forcing the credentials.

Both Bleeping Computer and TeamViewer's security staff are studying the case to shed light on how a criminal was able to distribute this new ransomware through the remote control tool. TeamViewer's own advice for avoiding surprises is to protect sessions with a strong password, enable two-factor authentication, keep TeamViewer updated to the latest version and, finally, rule out that the intrusion arrived by some other route (for example, other malware already installed on the system). The company also recommends that all victims go to their local police department to file a report and help, as far as possible, to identify those responsible.
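The log review described above, as an added example that is not part of the original article: a Python script that parses inbound TeamViewer session records and flags any session whose partner ID is not on an allowlist or that started outside business hours, which is exactly the pattern the victims found in their logs. The record layout (tab-separated partner ID, partner name, start, end, local user, connection mode and session ID, modelled on TeamViewer's Connections_incoming.txt), the sample lines, the allowlist and the business-hours window are all assumptions constructed for the example.

```python
"""Hunt for unauthorized inbound TeamViewer sessions in a connection log.

Assumed record layout (an assumption for this example, modelled on
TeamViewer's Connections_incoming.txt): one tab-separated record per
session,
    partner_id  partner_name  start  end  local_user  mode  session_id
with timestamps formatted as dd-mm-yyyy HH:MM:SS.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: two known helpdesk partner IDs, plus one unknown
# partner connecting in the middle of the night.
SAMPLE_LOG = """\
123456789\tHelpdesk-01\t09-03-2016 10:02:11\t09-03-2016 10:41:05\tALICE\tRemoteControl\t{a1}
987654321\tHelpdesk-02\t09-03-2016 15:30:00\t09-03-2016 15:45:12\tALICE\tRemoteControl\t{a2}
555000111\tpc-x\t10-03-2016 03:14:07\t10-03-2016 03:29:58\tALICE\tRemoteControl\t{a3}
"""

# Assumed allowlist of partner IDs that are permitted to connect inbound.
ALLOWED_PARTNER_IDS = {"123456789", "987654321"}
# Assumed business-hours window (local time): 07:00 to 19:59.
BUSINESS_HOURS = range(7, 20)

TIMESTAMP_FMT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    partner_id: str
    partner_name: str
    start: datetime
    end: datetime
    local_user: str
    mode: str
    session_id: str


def parse_incoming_log(text):
    """Parse tab-separated session records; malformed lines are skipped."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 7:
            # Do not let one corrupt record abort the whole hunt.
            continue
        try:
            start = datetime.strptime(fields[2], TIMESTAMP_FMT)
            end = datetime.strptime(fields[3], TIMESTAMP_FMT)
        except ValueError:
            continue
        sessions.append(Session(fields[0], fields[1], start, end,
                                fields[4], fields[5], fields[6]))
    return sessions


def flag_sessions(sessions, allowed_ids=ALLOWED_PARTNER_IDS,
                  business_hours=BUSINESS_HOURS):
    """Return (session, reasons) pairs for every session worth a look.

    A session is flagged when its partner ID is not allowlisted, when it
    started outside business hours, or both; reasons lists why.
    """
    findings = []
    for s in sessions:
        reasons = []
        if s.partner_id not in allowed_ids:
            reasons.append("partner ID not in allowlist")
        if s.start.hour not in business_hours:
            reasons.append("outside business hours")
        if reasons:
            findings.append((s, reasons))
    return findings


def describe(findings):
    """Render findings as one line each, for a console report."""
    return [
        f"{s.start:%Y-%m-%d %H:%M:%S} partner {s.partner_id} ({s.partner_name}) "
        f"as {s.local_user}, {s.mode}: " + "; ".join(reasons)
        for s, reasons in findings
    ]


if __name__ == "__main__":
    for line in describe(flag_sessions(parse_incoming_log(SAMPLE_LOG))):
        print(line)
```

Any flagged session gives a partner ID and a time window; the next step is to check what was written to disk and executed during that window, since the infections reported here began with a dropped "surprise.exe" run from the remote session.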
It is also advisable not to pay: even if you do, there is no guarantee of getting the files back, especially since the most recent attempts to reach the C&C server, where the master key is held, have gone unanswered. What do you think of this new ransomware and its method of infection? Share your views in the comments below.