Numerous data wipers disguised as ransomware were recently spotted on phoney adult websites. The wipers attempt to delete all data on the targeted device.
The wipers' operators use host names that advertise what the sites supposedly offer. Researchers have seen them promising sensitive photos on domains with explicit names, such as sexy-photo[.]online, nude-girlss.mywire[.]org, and sexyphotos.kozow[.]com.
Based on reports, the sites prompt users to download an executable named SexyPhotos[.]JPG[.]exe, whose double extension disguises it as a JPG image file.
Once a target downloads the file, the fake ransomware payload drops four executables and a batch file into the user's temp directory and then launches the four executables (open[.]exe, windll[.]exe, windows[.], and del[.]exe).
The batch file, meanwhile, establishes persistence on the device by copying the executables to the Windows Startup folder.
windows[.]exe is then run to deploy three additional files that handle the renaming: targeted files are renamed to a generic name such as Lock_6[.]file, so victims cannot tell what the original files were.
The actors then drop a ransom note named Readme[.]text. The note asks for about $300 in Bitcoin within a couple of days and threatens to double the price to $600 if the victim does not pay in the given time.
The note also claims that the files will be permanently removed from the attacker's server if the victim fails to pay the ransom.
However, the ransom demand is a sham intended only to profit: the wipers have already destroyed the targeted files.
Unfortunately for the victim, because the ransomware attack is faked, the files are unlikely to be recoverable; no recovery tool has been identified within the data wiper.
The fake ransomware campaign shows how careless users can lose their data even to simple, unsophisticated malware.
Fortunately, victims may still be able to recover their lost files by restoring the operating system to a previous state, since the malware does not remove shadow copies.
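The artefacts described above (renamed Lock_N[.]file entries, the Readme[.]text note, and the dropped executables copied to the Startup folder) can be checked for during triage. The following is an added example, not code from the report or from the malware analysts; it assumes the Lock_6[.]file name generalises to Lock_<number>.file, takes the Startup folder path as a parameter, and builds a constructed sample tree in a temp directory rather than touching a real profile.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the report above (defanged names restored to real filenames).
DROPPED_EXECUTABLES = {"open.exe", "windll.exe", "windows.exe", "del.exe"}
RANSOM_NOTE = "readme.text"
WIPED_NAME = re.compile(r"^lock_\d+\.file$", re.IGNORECASE)  # assumed generalisation

def scan_for_indicators(root, startup_dir):
    """Walk a user profile tree plus its Startup folder and collect matching artefacts."""
    findings = {"wiped_files": [], "ransom_notes": [], "startup_droppers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if WIPED_NAME.match(low):
                findings["wiped_files"].append(os.path.join(dirpath, name))
            elif low == RANSOM_NOTE:
                findings["ransom_notes"].append(os.path.join(dirpath, name))
    if os.path.isdir(startup_dir):
        for name in sorted(os.listdir(startup_dir)):
            if name.lower() in DROPPED_EXECUTABLES:
                findings["startup_droppers"].append(os.path.join(startup_dir, name))
    return findings

def assess(findings):
    """Renamed files plus a note mean the wiper already ran; droppers in Startup mean it reruns at logon."""
    labels = []
    if findings["wiped_files"] and findings["ransom_notes"]:
        labels.append("wiper ran")
    if findings["startup_droppers"]:
        labels.append("persists via Startup")
    return ", ".join(labels) or "clean"

def build_sample_tree():
    """Constructed post-infection layout in a temp dir (hypothetical paths, not a real profile)."""
    base = Path(tempfile.mkdtemp(prefix="fakeransom_"))
    docs = base / "Documents"
    docs.mkdir()
    for i in range(3):
        (docs / f"Lock_{i}.file").write_bytes(b"")  # renamed entries, content already wiped
    (docs / "Readme.text").write_text("constructed ransom note placeholder")
    startup = base / "Startup"
    startup.mkdir()
    for exe in ("windll.exe", "del.exe"):
        (startup / exe).write_bytes(b"MZ")  # placeholder bytes, not real executables
    return str(base), str(startup)
```

On a real Windows host, point `startup_dir` at the user's Startup folder and follow a positive result with `vssadmin list shadows` to confirm the shadow copies the report says survive are still present before attempting a restore.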