The Ransomwared Ransomware Asks for Nude Pictures Instead of Bitcoins
A ransomware family called Ransomwared has been making the news lately, and there are at least two very good reasons for this. For one, it's aimed at individual users rather than large organizations, which is somewhat unusual in this day and age. Perhaps more notable, however, are the demands the crooks make. It looks like it's not all about the bitcoins anymore.
Not many details around the recent Ransomwared campaign
Although quite a lot of people seem to be talking about the newly discovered Ransomwared samples, the actual details around the threat's distribution and operation are thin on the ground. The experts who have examined it have said nothing about how they stumbled upon it. There is no information on the distribution methods and the social engineering used to trick victims into installing the ransomware, and we can only guess how many people have been hit.
What the ransom demand does make clear is that the operators were never after money in the current campaign.
Crooks encrypt users' files and demand explicit pictures in exchange for the decryptor
Once deployed, Ransomwared encrypts the files it finds on the infected computer and, in the more recent versions, appends the .iwanttits file extension. The lack of technical analysis means that we can't be sure which files Ransomwared targets, but the screenshots security researchers have shared suggest that it only encrypts the data it finds in the following folders:
Unlike most malware families of this type, Ransomwared leaves no ransom note. Instead, once it's ready with the encryption, it displays a popup window with the following message:
"Files are encrypted. Show me your tits to decrypt it."
Clicking the OK button opens another window, which shows that the files in the aforementioned four directories are encrypted. There's a field for the recovery key and a second message:
"You are ransomwared! To recover your files, email us your tits to: firstname.lastname@example.org"
Emsisoft researchers took a closer look at the new samples, and they rightly pointed out that the crooks forgot to mention what sort of "t-ts" they're looking for. The experts suggested that instead of snapping nude photos of themselves and emailing them to an address named after a former porn star, victims might try sending pictures of small songbirds and see if that'll satisfy the criminals' desires. Even that won't be necessary, however, because files encrypted with Ransomwared can be easily decrypted.
Restoring data doesn't need to involve nude pictures
Asking victims for nude pictures in exchange for unlocking their files might be a relatively recent technique employed by the Ransomwared operators, but the malware itself isn't new at all. A few minutes on Google will tell you that the strain was first doing the rounds back in late 2018, and although the demands back then were a bit more traditional, the ransomware operation was pretty much identical. When they saw it for the first time, security researchers analyzed the ransomware family and quickly realized that it isn't very advanced.
Ransomwared's encryption mechanism relies on DES (short for Data Encryption Standard), a symmetric-key block cipher developed in the 1970s. DES is weak at the best of times: its key is effectively only 56 bits long (the remaining 8 of its 64 bits are parity bits the cipher ignores), and that keyspace has been brute-forceable with purpose-built hardware since the late 1990s. Ransomwared doesn't even make an attacker go that far, though. Technical analysis of the recent samples revealed that the malware uses a single fixed key, hardcoded in its own code as a plain-text literal, so anyone who obtains a sample can lift the key and decrypt every victim's files without contacting the operators at all.
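To show why a hardcoded DES key makes a ransomware family trivially recoverable, here is an added illustration in Go, written for this article; it is not code from Ransomwared or from the Emsisoft decryptor. It mimics the malware's per-file step (DES-CBC with PKCS#7 padding, both assumed here since the published analysis doesn't state the mode or padding), then recovers the file using nothing but the same literal. The key "iwantkey", the IV, and the sample file content are placeholder values constructed for the example. A final helper also demonstrates the 56-bit point from the paragraph above: flipping every parity bit of the key produces identical ciphertext.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
	"strings"
)

// Placeholder constants standing in for the key material a sample like this
// embeds as a plain-text literal. These are assumed values for the example,
// not the key from the real Ransomwared binary.
const hardcodedKey = "iwantkey" // 8 bytes; DES ignores the low bit of each
var hardcodedIV = []byte("00000000")

// Extension the newer samples append, per the article.
const lockedExt = ".iwanttits"

// pkcs7Pad pads to a whole number of blocks (8 bytes for DES).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips padding, rejecting malformed trailers.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("data is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

func desCBCEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func desCBCDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// lockFile mimics the malware's per-file step: encrypt with the fixed key, then rename.
func lockFile(name string, data []byte) (string, []byte, error) {
	ct, err := desCBCEncrypt([]byte(hardcodedKey), hardcodedIV, data)
	if err != nil {
		return "", nil, err
	}
	return name + lockedExt, ct, nil
}

// recoverFile is what a decryptor can do once the literal has been lifted
// from the binary: no brute force, no negotiation, just the same constants.
func recoverFile(name string, data []byte) (string, []byte, error) {
	if !strings.HasSuffix(name, lockedExt) {
		return "", nil, fmt.Errorf("%s does not carry the %s extension", name, lockedExt)
	}
	pt, err := desCBCDecrypt([]byte(hardcodedKey), hardcodedIV, data)
	if err != nil {
		return "", nil, err
	}
	return strings.TrimSuffix(name, lockedExt), pt, nil
}

// sameUnderParityFlip shows why a DES key is 56 bits, not 64: the low bit of
// each key byte is a parity bit the key schedule discards, so a key with all
// eight of those bits flipped yields identical ciphertext.
func sameUnderParityFlip(key, iv, plaintext []byte) (bool, error) {
	flipped := make([]byte, len(key))
	for i := range key {
		flipped[i] = key[i] ^ 0x01
	}
	a, err := desCBCEncrypt(key, iv, plaintext)
	if err != nil {
		return false, err
	}
	b, err := desCBCEncrypt(flipped, iv, plaintext)
	if err != nil {
		return false, err
	}
	return bytes.Equal(a, b), nil
}

func main() {
	// Constructed sample "file"; not data from any real infection.
	name, data := "notes.txt", []byte("quarterly numbers, do not share")
	locked, ct, _ := lockFile(name, data)
	fmt.Printf("%s -> %s (%d ciphertext bytes)\n", name, locked, len(ct))
	orig, pt, err := recoverFile(locked, ct)
	fmt.Println(orig, string(pt), err)
	same, _ := sameUnderParityFlip([]byte(hardcodedKey), hardcodedIV, data)
	fmt.Println("parity-flipped key gives same ciphertext:", same)
}
```

The practical lesson is in recoverFile: once a fixed key is a literal in the binary, the "decryptor" the crooks are bargaining with is nothing more than the same routine run in reverse, which is exactly what lets a vendor ship a free tool.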
You don't need to poke through the code to decrypt your files, though. At the beginning of the month, Emsisoft released a free decryption tool that can unlock files encrypted by new and old versions of Ransomwared.
Ransomware victims often make the mistake of jumping the gun and yielding to the crooks' demands without thinking about the consequences. As this case shows, a few minutes of research is often enough to save you a few crypto coins or, here, a whole lot of embarrassment. That same research is also a reminder of how important backups are.