Ransoc: Now there’s more at stake than simply losing your data

December 5, 2016 | Security , Heimdal Security

Written by

Innovation in the hacking space is continuing to develop at an impressive rate. 2016 has been, without a doubt, the year of ransomware with a large number of strains being successfully used to generate revenue. The significant rise in consumer confidence for online shopping and imputing bank account details into a web browser has made it much easier for hackers to persuade victims to give in and conform to their demands. Usually, all it takes is the threat of wiping the victim’s encrypted data… however, a new innovative technique of hacking under the ransomware umbrella is on the rise that doesn’t need to encrypt files.

Given that there are 2 billion people in the world who now use social media and have social media accounts, there is an enormous and growing market for social media exploitations. People are always told to make sure that their social media pages are either cleaned up, private or hidden to ensure that “new potential employers don’t find out what you’re really like outside of work”. But the messages, private images and social secrets kept behind the metaphorical shop window of a social media page can now be used against you.

What is the threat?

Ransoc is a form of malware that connects to social network accounts found on the infected computer, such as LinkedIn, Facebook, Skype and Messenger services and searches for torrent files and other content that suggest illegal activity is occurring on the respective machine. Based on this activity, a tailored ransom note will be displayed on screen demanding payment in exchange for keeping the secret. Although Ransoc isn’t the first ransomware technique to use social engineering to scare the victim into paying, it uses a unique strategy of featuring the potentially destructive images, download history or messages from their social media accounts or machines within the actual ransom note. Rather than encrypting the victims’ files like Locky or Cryptolocker, Ransoc delivers its request via the desktop or browser displaying private social information, threatening to reveal it to the police, employer or friends.

How does Ransoc infiltrate your computer?

Ransoc is related to a browser locker that functions cross platform, leaving all operating systems exposed. The malware infects the system through malvertising traffic, most commonly on adult and illegal websites – thus drawing in the vulnerable. Ransoc will then perform an IP check and send all traffic through the undetectable Tor network. It copies itself and creates a shortcut of the copy, whilst also creating a registry event so that it runs every time Windows starts. The malware then scans local media filenames for strings associated with child pornography, runs several routines interacting with a variety of social networks, examines folders from Torrent software and also gathers webcam data. All of this gathered information can then be used sophisticatedly within the ransom note. To avoid the screen being closed, Ransoc checks every 100 milliseconds for regedit, msconfig, and taskmgr, and kills their processes.

Fortunately, for those in the know, Ransoc only uses a registry auto run key for persistency and can therefore be avoided by rebooting the machine in safe mode. Furthermore, the ransom note requests payment through credit card which can make tracing the cybercriminal easier.

Why is this important for Brigantia partners?

We understand that our partners have a wide range and variety of customers who often challenge them on their knowledge of the latest malware threats to ensure they are receiving a high level of service. It is, therefore, our duty to keep our partners informed of these latest threats and to ensure that we are providing the right solutions to handle even the most advanced malware and security threats.

Although Ransoc isn’t such a widespread epidemic at the moment in the UK, it has the ability to become more popular and start affecting innocent and honest social media users. Internet privacy is held in high regard and taking that right and using it against innocent victims to jeopardise their careers, family life and friendships are arguably more destructive than the deletion of an encrypted hard-drive.

As UK distributors of Heimdal Security, Brigantia could not recommend a better product to eliminate ransomware and other threats such as Ransoc. If unsure of how it operates, please don’t hesitate to get in touch with me for more information or to organise a free webinar demonstration of the service. Heimdal Security is so unique in how it operates – what better way but to ‘hack the hackers’ in order to protect yourself…!

Recommended reading


We are delighted to announce that we won Security Distributor of the Year at the 2021 The Computing Security ...

Cyber Essentials is changing on 24th January 2022 – Will you be ready?

Let’s assume that you know what Cyber Essentials is and that you realise that it is a good basic standard for ...

Why people don’t want to do their training and how to get around it

There are very few people in this world that think, “Oh goody! My next security training module now needs ...