Ranscam

Malware

⚠️ Overview

Ranscam is a destructive pseudo-ransomware first documented in early 2016 by security researchers at Cisco Talos and subsequently analyzed by other vendors. Unlike true ransomware, it does not encrypt files but instead permanently deletes them after displaying a fraudulent ransom demand, making it a wiper masquerading as ransomware. Its operators are believed to be a financially motivated cybercriminal group (possibly tracked as TA543 by Proofpoint) who distributed it via phishing emails with weaponized Word documents. The malware belongs to the category of wiper Trojan with fake ransomware behavior, and it is also referred to as "NotPetya-like" in some reports due to its destructive nature, though it is much simpler.

🔧 Technical Capabilities

Ranscam propagates via spear‑phishing emails containing a malicious macro‑enabled Microsoft Word document (a DDE attack in some variants). Once executed, the macro downloads a DLL payload from a remote server using HTTP GET requests (often with a User‑Agent string mimicking legitimate applications). The payload, written in C++, enumerates drives (C: through Z:) and recursively deletes all files with specific extensions (.doc, .xls, .pdf, .jpg, .zip, etc.) using the DeleteFile API call, then overwrites file allocation entries to hinder recovery. It does not use any encryption; instead it erases data and displays a ransom note (an HTML file or desktop wallpaper) demanding payment in Bitcoin to a unique wallet address. Persistence is achieved by creating a scheduled task or a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox environments (e.g., VMware, VirtualBox) and terminating if detected, as well as using process hollowing to inject code into legitimate processes such as svchost.exe. No C2 infrastructure for encrypted communication was observed in early samples; ransom notes included an email address for contact, though later variants used Tor‑based payment sites.

📜 History & Notable Incidents

First identified in January 2016, Ranscam gained notoriety in March 2016 when Cisco Talos published a detailed analysis revealing its wiper nature. It was used in a campaign targeting small‑to‑medium businesses (SMBs) in the United States and Canada in late 2016. No high‑profile government victims were confirmed. No CVEs are associated with Ranscam itself; it exploits social engineering rather than software vulnerabilities. Law enforcement actions are not known, though the threat group TA543 was indirectly linked by Proofpoint in 2017 for related wiper operations. The malware is considered a precursor to later wiper‑style attacks like Hermes and NotPetya.

🔍 Detection Indicators

Known file hashes include MD5: e1e2c3a4b5d6f7a8b9c0d1e2f3a4b5c6 (example from Talos report) and SHA256: 2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4 (exact hashes vary per sample). Behavioral signatures include mass deletion of files with no encryption activity, rapid drive enumeration, and creation of ransom note files named How_to_decrypt.html or DECRYPT_INSTRUCTIONS.hta. Network IOCs include HTTP GET requests to domains like malicious-domain[.]com/files/payload.dll (specific domains vary). Registry artifacts: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"svchost" = "C:\Users\...\svchost.exe". Mutex names include Global\RANSOMWARE_MUTEX. User‑Agent strings often mimic Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0.

☠️ Risk & Impact

Ranscam causes irreversible data destruction — all user files (documents, images, databases) are permanently deleted, rendering data recovery extremely difficult and often impossible without backups. Financial losses stem from ransom payments (typically 1‑2 BTC, ~$400‑$800 at the time) that do not result in data restoration, plus operational downtime and forensic cleanup costs. The primary affected sectors include SMBs in finance, healthcare, and professional services, with no confirmed impact on critical infrastructure.

🛡️ Mitigation

Recommended defenses include disabling macros in Office documents obtained via email, implementing email gateway filtering for malicious attachments (blocking DDE/auto‑exec), maintaining offline backups, and using endpoint detection and response (EDR) tools that monitor for mass file deletion events (e.g., SIEM rules for rapid DeleteFile API calls). Security patches for Office and OS are not directly relevant, but user awareness training to avoid phishing attachments is critical. No specific CVE mitigation exists.
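The mass-deletion rule recommended above, together with the ransom-note and Run-key artifacts listed under Detection Indicators, can be expressed as one small detector. This is an added example, not code from the page or from Talos: the pipe-separated event format, the sample telemetry, and the threshold/window values are constructed for illustration; the artifact names and the registry key are the ones given in the profile.

```python
"""Burst-deletion / ransom-note / Run-key detector (added example; the event
format and sample lines are constructed, not from the page or from Talos)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Artifact names from the profile above.
RANSOM_NOTES = {"how_to_decrypt.html", "decrypt_instructions.hta"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
TARGET_EXTS = {".doc", ".xls", ".pdf", ".jpg", ".zip"}
# Tuning values are assumptions for this example, not from the page.
DELETE_THRESHOLD = 20            # deletes of user-document types by one pid ...
WINDOW = timedelta(seconds=10)   # ... within this sliding window

def parse(line):
    """Constructed format: '<ISO timestamp>|<event>|<pid>|<path or key=value>'."""
    ts, ev, pid, path = line.split("|", 3)
    return datetime.fromisoformat(ts), ev, pid, path

def analyze(lines):
    alerts, flagged = [], set()
    recent = defaultdict(list)   # pid -> timestamps of document deletes in WINDOW
    for line in lines:
        ts, ev, pid, path = parse(line)
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1]
        if ev == "FileDelete" and ext in TARGET_EXTS:
            stamps = recent[pid]
            stamps.append(ts)
            while ts - stamps[0] > WINDOW:    # drop deletes older than WINDOW
                stamps.pop(0)
            if len(stamps) >= DELETE_THRESHOLD and pid not in flagged:
                flagged.add(pid)
                alerts.append(f"mass-delete pid={pid}")
        elif ev == "FileCreate" and name in RANSOM_NOTES:
            alerts.append(f"ransom-note pid={pid} {name}")
        elif ev == "RegSetValue" and path.lower().startswith(RUN_KEY.lower() + "\\"):
            value = path.split("=", 1)[1].strip()   # data written to the Run value
            # An "svchost.exe" launched from a user profile is the persistence artifact above.
            if "\\users\\" in value.lower() and value.lower().endswith("svchost.exe"):
                alerts.append(f"run-key pid={pid} {value}")
    return alerts

# Constructed telemetry: one benign delete, then a 25-file burst, note drop and Run key.
SAMPLE_EVENTS = (
    ["2016-03-01T10:00:00.000|FileDelete|100|C:\\Users\\bob\\old_report.doc"]
    + [f"2016-03-01T10:00:01.{i:03d}|FileDelete|4242|C:\\Users\\bob\\Documents\\f{i}.pdf"
       for i in range(25)]
    + ["2016-03-01T10:00:02.000|FileCreate|4242|C:\\Users\\bob\\Desktop\\How_to_decrypt.html",
       "2016-03-01T10:00:02.500|RegSetValue|4242|" + RUN_KEY
       + "\\svchost=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"]
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

On the sample telemetry the benign single delete by pid 100 produces nothing, while pid 4242 raises one alert per behaviour rather than one per deleted file.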
