A new iteration of ransomware was detected over the past few weeks – one that infiltrates a user’s computer via a poorly secured TeamViewer installation. The ransomware then encrypts the user’s data while adding a “.surprise” extension to all infected files.
Bleeping Computer forums were the first places the new ransomware was reported. These forums are a usual setting for ransomware victims to convene to ask fellow users for assistance.
Initially, users would be confused as their files were locked and not accessible through any means. Three new files were also added to these users’ desktops. These files were the hackers’ ransom notes, informing the victims their files were locked. To be able to access their files again, victims were told to contact two email addresses: firstname.lastname@example.org and email@example.com.
The hackers were demanding from 0.5 Bitcoins (approximately $200) to about 25 Bitcoins (approximately $10,000) – depending on the user’s encrypted files’ content.
While it is called “Surprise” ransomware, it isn’t that different from existing ransomwares that have recently showed up online. The ransomware applies an AES-256 algorithm to convert the files, while the RSA-2048 algorithm secures the encryption keys of all the files.
The hackers demanded anywhere from $200 to $10,000 in ransom – depending on the “value” of the victim’s files.
Surprise ransomware attacked 474 different file types and utilized batch files to delete hard drive shadow copies. This effectively made the recovery process nearly impossible unless the affected user had backed up their files on an external backup hard drive that was not infected by the ransomware.
Bleeping Computer’s administrator, Lawrence Abrams, also reported that the attack was a clone of the EDA2 open-sourced ransomware. ED2 first started out as an educational project; however, when it was shared on GitHub, it was abused by a lot of criminals even if it had a workaround in the administrator panel.
EDA2’s author, UTku Sen, used the backdoor to help some ransomware victims retrieve their files for free. Unfortunately, Surprise’s servers went offline after a few weeks – rendering the backdoor useless. Some believe that the ransomware’s creator might not have received enough payments to keep the servers working online.
Current versions of the ransomware won’t be able to save their keys to the servers, meaning the victims that want to pay the ransom would not be able to retrieve their files either.
However, this was not the most interesting detail to come out of the whole debacle. As more users were affected, some sort of pattern appeared. All victims infected by the ransomware had the TeamViewer program installed. It is a Windows application that is used to connect between two devices and allows either user to control the other’s device remotely.
TeamViewer is an application popular among technical support centers, gaining a large following among tech-savvy people. As the affected users noticed they all had TeamViewer on their computers, they soon discovered that this was used to access their devices. The hacker then downloaded the Surprise file, launched the program, and encrypted their files.
There has been no definite explanation as to how TeamViewer was accessed by the hackers but there are possible explanations. One possible scenario would be the hacker making use of a zero-day bug on the program – opening the connections by force and applying the ransomware.
TeamViewer, however, does not think this is possible as someone who is skilled enough to make use of this vulnerability would not have used malware from the “backdoor ransomware family”.
Another scenario would be the hacker scoured the internet for vulnerable TeamViewer installation, then using brute-force attacks to login with the use of common password combinations.
TeamViewer stresses that, “none of the reported cases is based on a TeamViewer security breach,” adding “some selected steps will help prevent potential abuse.”
They recommend downloading their program for legitimate TeamViewer channels. Next, using password that are unique and secure to make sure their accounts cannot be accessed easily.
Another way would be applying two factor authentication to their account. Lastly, users should make sure their devices have not been infected by viruses, spyware, or any other malware that hackers might use to access their data.
Comprehensive multi-device protection for you and your family for up to 6 PCs, Macs, Android, and iOS devices. For more info click here.