{
	"id": "2ff48b38-4fa7-4549-8ecf-c660e54fa354",
	"created_at": "2026-04-06T00:21:36.525376Z",
	"updated_at": "2026-04-10T13:12:22.133796Z",
	"deleted_at": null,
	"sha1_hash": "2fd51d616865c21a209046dd1ef8e147a816b991",
	"title": "When Paying Out Doesn't Pay Off",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1981275,
	"plain_text": "When Paying Out Doesn't Pay Off\r\nBy Edmund Brumaghin\r\nPublished: 2016-07-11 · Archived: 2026-04-05 15:23:44 UTC\r\nMonday, July 11, 2016 13:19\r\nThis blog post was authored by Edmund Brumaghin and Warren Mercer\r\nSummary\r\nTalos recently observed a new ransomware variant targeting users. This ransomware shows that new threat actors\r\nare continuing to enter the ransomware market at a rapid pace due to the lucrative nature of this business model.\r\nAs a result, greater numbers of unique ransomware families are emerging at a faster rate. This sometimes results\r\nin complex variants emerging or, in other cases like this one, less sophisticated ones. In many cases these new\r\nransomware threats share little resemblance to some of the more established operations in their approach to\r\ninfecting systems, encrypting/removing files, or the way in which they attempt to coerce victims into complying\r\nwith their ransom demands.\r\nRanscam is one of these new ransomware variants. It lacks complexity and also tries to use various scare tactics to\r\nentice the user into paying; one such method used by Ranscam is to inform the user that they will delete their files\r\nduring every unverified payment click, which turns out to be a lie. There is no longer honor amongst thieves.\r\nSimilar to threats like AnonPop, Ranscam simply deletes victims’ files, and provides yet another example of why\r\nthreat actors cannot always be trusted to recover a victim’s files, even if the victim complies with the ransomware\r\nauthor’s demands. With some organizations likely choosing to pay the ransomware author following an infection,\r\nRanscam further justifies the importance of ensuring that you have a sound, offline backup strategy in place\r\nrather than a sound ransom payout strategy. 
Not only does having a good backup strategy in place help ensure that\r\nsystems can be restored, it also ensures that attackers are no longer able to collect revenue that they can then\r\nreinvest into the future development of their criminal enterprise.\r\nInfection Details\r\nRansom Note\r\nThe first thing a compromised user would likely notice is the ransom note that is displayed by the malware, and it\r\nis interesting for several reasons. First, it purports to have moved the user’s files to a “hidden, encrypted partition”\r\nrather than simply leaving the files encrypted in their current storage location. Additionally, it is displayed by the\r\nmalware after each reboot following the initial compromise. It consists of a JPEG that is temporarily stored on the\r\nuser’s desktop, as well as two framed elements that are remotely retrieved using Internet Explorer each time the\r\nnote is displayed.\r\nhttp://blog.talosintel.com/2016/07/ranscam.html\r\nPage 1 of 9\n\nIn the lower portion (which is the portion rendered using elements gathered from various web servers using\r\nInternet Explorer), rather than directing users to an external location to verify their payment, it contains a clickable\r\nbutton that, when pressed, claims to be verifying payment. It will then display a verification failure notice, and\r\nthe ransom note threatens to delete one file each time the button is clicked without payment having been\r\nsubmitted.\r\nWhat is actually occurring is that the malware is simply making two HTTP GET requests to obtain the PNG images\r\nthat it uses to simulate the verification process. There is no actual verification occurring.\r\nThe unfortunate reality is that all of the user’s files have already been deleted and are unrecoverable by the\r\nransomware author, as there is no capability built into Ranscam that actually provides recovery functionality. 
The\r\nauthor is simply relying on “smoke and mirrors” in an attempt to convince victims that their files can be recovered\r\nin hopes that they will choose to pay the ransom. The lack of any encryption (and decryption) within this malware\r\nsuggests this adversary is looking to ‘make a quick buck’ - it is not sophisticated in any way and lacks functionality\r\nwhich is associated with other ransomware such as Cryptowall.\r\nWhat Actually Happens\r\nThis ransomware is packaged as a .NET executable that is signed using a digital certificate issued by reca[.]net.\r\nOn the sample analyzed, this digital certificate appears to have been issued on July 06, 2016.\r\nWhen the victim executes this file, it performs several actions to maintain persistence on the system. First, it\r\ncopies itself into %APPDATA%\\ and uses Task Scheduler to create a scheduled task that is configured to start\r\nitself each time the system is started. 
Additionally, it unpacks and drops an executable into %TEMP%\\.\r\nThe executable called by this scheduled task uses the Windows Command Processor to call a batch file which is\r\nresponsible for the majority of the destructive activity associated with this ransomware.\r\nThe batch file simply iterates through several folders within the victim’s file system, mainly user profile folders as\r\nwell as several defined application directories; however, instead of encrypting the victim’s files, it simply deletes\r\nall of their contents.\r\nThe script also performs several other destructive actions on the infected system, including the following:\r\nDeleting the core Windows executable responsible for System Restores\r\nDeleting shadow copies\r\nDeleting several registry keys associated with booting into Safe Mode\r\nSetting registry keys to disable Task Manager\r\nSetting the Keyboard Scancode Map\r\nThe script then uses PowerShell to facilitate the retrieval of the JPEG\r\nused to render the ransom note.\r\nOnce the aforementioned activities are completed, the script then forces a system shutdown. These activities are\r\nrepeated each time the system boots up following the infection, with the scheduled task calling the malware to\r\ncheck for new files in various directories and deleting them if they exist, displaying the ransom note and\r\neventually forcing a system shutdown.\r\nAn open file listing from the web server hosting the contents used by the ransom note is below. 
We identified this\r\non one of the threat actor’s web servers, which used a default configuration; no attempt has been made by\r\nthe attacker to obfuscate this data.\r\nDuring our analysis we were “coincidentally” unable to successfully perform the required Bitcoin transaction and\r\nrequested that the ransomware author send us payout instructions via an email we registered.\r\nShortly after making our request, we received the following email:\r\nWe then decided to see what we could find out about this threat actor by asking them to help us out with\r\nsubmitting the payout.\r\nA couple of hours later we received the following response with further instructions as well as the “helpful”\r\nrecommendation that we make the payment prior to bank closure the following day.\r\nUnfortunately we were unable to elicit further communication from the threat actor; however, this highlights the\r\ncontinued willingness of ransomware operations to provide ongoing technical support to victims to maximize the\r\nlikelihood that they will receive payouts.\r\nThe adversaries decided using Bitcoin would be a sensible approach as they most likely believe the anonymity\r\nfactor can be employed and that they can’t get caught; however, one major opsec failure was featured here:\r\naddress re-use. The attackers provided and used the same wallet address for all payments and for all samples Talos\r\nencountered. The address in question was:\r\n1G6tQeWrwp6TU1qunLjdNmLTPQu7PnsMYd\r\nWe reviewed all transactions associated with this address and found a total of $277.61 had been transacted,\r\nsuggesting the attackers had used this wallet prior to releasing this shoddy implementation of ransomware --\r\nwe based this on the fact that the digital signature used to sign this executable was issued on July 6th. 
There have\r\nbeen no transactions associated with this wallet since 29th June 2016.\r\nConclusion\r\nAs Ranscam shows, threat actors cannot simply be trusted and often use deception as a means to achieve their\r\nobjective, which in this case is convincing victims to pay out. This is because they never intended to provide a\r\nmeans to retrieve or recover the victim’s files in the first place.\r\nCurrently the Ranscam campaign does not appear to be widespread and there have been no large-scale email spam\r\ncampaigns leveraging this scareware. Ranscam shows the desire of adversaries to enter the\r\nransomware/scareware arena. They do not need to use novel attacks or even fully functional ransomware; as seen\r\nhere, this appears to be an amateur malware author and is not a sophisticated campaign. The main component of\r\nRanscam is scaring victims into paying, and they do not even manage to facilitate that at times due to failures in\r\nthe frame rendering used to deliver their malware payment screen.\r\nThe key takeaway Talos would like to offer is that a comprehensive backup solution which can offer a realistic\r\nrecovery time objective (RTO) is key to battling ransomware. Maintaining the ability to bring an infected system\r\nback to a known-good configuration as quickly as possible should be the goal. This ensures that adversaries do not\r\nbenefit from revenue streams that they can use to further refine their tactics, techniques and procedures.\r\nAdditionally, these backups should be tested on a regular basis to ensure that they remain functional,\r\neffective, and continue to meet the needs of the organization as those needs may change over time.\r\nBy paying ransomware authors, organizations are contributing to the proliferation of ransomware by providing\r\nthreat actors with the capital necessary to mature their capabilities and infect future victims. 
Additionally,\r\norganizations that pay their attackers make themselves a target for future compromise if they do not succeed in\r\nfully eradicating the source of their initial compromise, or otherwise lack the capability needed to ensure that\r\nthey have. They also identify themselves as organizations that are willing to pay ransoms, thus they may be\r\ntargeted more often as threat actors know that they have a higher likelihood of making money by successfully\r\ninfecting them.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nESA can block malicious emails sent by threat actors as part of their campaign.\r\nIndicators of Compromise (IOCs)\r\nHashes:\r\n9541fadfa0c779bcbae5f2567f7b163db9384b7ff6d44f525fea3bb2322534de  (SHA256)\r\n7a22d6a14a600eee1c4de9716c3003e92f002f2df3e774983807a3f86ca50539  (SHA256)\r\nb3fd732050d9b0b0f32fafb0c5d3eb2652fd6463e0ec91233b7a72a48522f71a  (SHA256)\r\nHosts Contacted:\r\ns3-us-west-1[.]amazonaws[.]com  54[.]231[.]237[.]25\r\ncrypted[.]site88[.]net  31[.]170[.]162[.]63\r\npublicocolombiano[.]com  192[.]185[.]71[.]136\r\nwww[.]waldorftrust[.]com  205[.]144[.]171[.]114\r\ncryptoglobalbank[.]com  31[.]170[.]160[.]179\r\nFiles Dropped:\r\n%APPDATA%\\winstrsp.exe\r\n%TEMP%\\winopen.exe\r\nRegistrant Email:\r\ncryptofinancial[@]yandex[.]com\r\nSource: http://blog.talosintel.com/2016/07/ranscam.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintel.com/2016/07/ranscam.html"
	],
	"report_names": [
		"ranscam.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775826742,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fd51d616865c21a209046dd1ef8e147a816b991.pdf",
		"text": "https://archive.orkl.eu/2fd51d616865c21a209046dd1ef8e147a816b991.txt",
		"img": "https://archive.orkl.eu/2fd51d616865c21a209046dd1ef8e147a816b991.jpg"
	}
}