
Ransoc Screenlocker

Posted: November 16, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 51
First Seen: November 16, 2016
OS(es) Affected: Windows


The Ransoc Screenlocker is a Trojan that locks your Windows desktop UI by displaying a fake legal warning and threatens you with legal action unless you pay a credit card fee. This threat is unusual for including personal details in its warnings, which it collects from the PC's local files and various Web services and which enhance its appearance of legality. Malware researchers suggest that you restart your PC and disable this threat with accepted safe booting procedures before using anti-malware software to delete the Ransoc Screenlocker.

Trojans Ransacking Your Social Media for Unusual Purposes

With the constant evolution of the threat industry, screen-locking Trojans have fallen by the wayside compared to the efficiency of extortion-based attacks from file-encrypting threats. However, this category of threat is far from dead, as researchers from Proofpoint confirmed by tracing a new campaign to malicious advertising attacks targeting Web traffic for online erotica. The Ransoc Screenlocker's payload singles out PCs with text strings associated with child pornography and doesn't fully trigger on systems lacking such evidence of wrongdoing.

On a basic level, malware experts found few changes between the Ransoc Screenlocker's ransoming tactics and those of other screen-locker programs. The Ransoc Screenlocker uses a Registry entry to launch automatically and a browser window to block your screen with a fake legal message. The Ransoc Screenlocker's innovation comes from how it tailors its pop-up to the victim by adding different, identity-related trivia, including:

  • The Trojan may display your location through a Google Maps sub-window.
  • It may also collect basic user information, such as your name and address, from social networking accounts like Facebook and Skype and display it in the pop-up. The Ransoc Screenlocker doesn't try to hijack these accounts or gather their passwords, and malware experts find no evidence of it sending the collected data to a threat actor.
  • The Trojan also may include a webcam feature to display a live video feed, although this function seems to be a work in progress.

Like traditional screen-locker Trojans, the Ransoc Screenlocker tries to profit from blocking your computer by demanding payment under its pretense of legal action. Rather than the cryptocurrency transactions malware experts see most often, however, the Ransoc Screenlocker uses credit card payments. Since the Ransoc Screenlocker's victims are most likely acquiring the Trojan from browsing corrupted websites and downloading illicit media, its threat actor is clearly gambling that the risk of an easily traceable payment method is worth it.

Taking the Law Regarding Your Computer into Your Hands

The Ransoc Screenlocker's pop-up appears only after finding evidence of pertinent wrongdoing, such as child pornography-related torrents. The Trojan's distribution infrastructure has confirmed ties to multiple Web domains trafficking in illicit and pornographic content, meaning that browser security is integral to blocking the Ransoc Screenlocker's installation. Disabling scripts and advertisements, and downloading content only from legal, reputable sources, cuts off all of this Trojan's infection vectors.

Although the Ransoc Screenlocker's payload is compatible with most OSes, malware experts are only seeing samples of the Ransoc Screenlocker in Windows executable formats. The threat also heightens a PC's vulnerability to other attacks: PC users who manage to work around the active pop-up will find that the Ransoc Screenlocker disables essential applications like the Registry Editor through a repeating, memory-scanning loop.

Use your anti-malware products to remove the Ransoc Screenlocker after switching to Safe Mode, which evades its auto-launching Registry entry. Afterward, victims also may want to contemplate the less obvious dangers of having a hobby that's not only not endorsed by law, but vilified by general society, as well.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: File.exe
Size: 417.89 KB (417896 bytes)
MD5: 30bf1d54830eb4223f0f3e68d113ff5d
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 16, 2016
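
A defender-side check that ties the auto-launching Registry entry described above to the file indicators listed here, as an added example that is not part of the original page: run from an elevated PowerShell prompt in Safe Mode, it lists autorun values and flags any whose target file matches the MD5 above. The page does not name the Registry key, so the standard Windows Run/RunOnce keys and the helper name `Get-AutorunTarget` are assumptions.

```powershell
# Added example, not from the original page.
$KnownMd5 = '30bf1d54830eb4223f0f3e68d113ff5d'   # MD5 listed on this page for File.exe

# Assumption: the page does not name the key, so the standard autorun keys are checked.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutorunTarget {
    # Hypothetical helper: pull the executable path out of an autorun command line.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }            # "C:\path\app.exe" args
    if ($expanded -match '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)') {        # C:\path with spaces\app.exe args
        return $Matches[1]
    }
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-AutorunTarget $command
        $md5     = $null
        # Hash only targets that resolve to a real file; empty or relative paths stay unresolved.
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            $hash = Get-FileHash -LiteralPath $target -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($hash) { $md5 = $hash.Hash.ToLower() }
        }
        [pscustomobject]@{
            Key         = $key
            ValueName   = $name
            Command     = $command
            Resolved    = [bool]$md5
            Md5         = $md5
            KnownSample = ($md5 -eq $KnownMd5)
        }
    }
}

# Matches to the listed sample sort first; unresolved entries still appear for manual review.
$results | Sort-Object KnownSample -Descending | Format-List
```

A hash match identifies only the exact sample listed on this page, so autorun values that are unfamiliar or do not resolve to a file still need manual review.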