{
	"id": "ed134aea-0b60-4310-a271-a65ea59bb999",
	"created_at": "2026-04-06T00:09:11.683707Z",
	"updated_at": "2026-04-10T03:21:38.586353Z",
	"deleted_at": null,
	"sha1_hash": "39bb03a3d2c7be28a1030c8a5668a82bc59b0295",
	"title": "Ransoc Desktop Locking Ransomware Ransacks Local Files and Social Media Profiles | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1233985,
	"plain_text": "Ransoc Desktop Locking Ransomware Ransacks Local Files and\r\nSocial Media Profiles | Proofpoint US\r\nBy Proofpoint Staff, November 14, 2016\r\nPublished: 2016-11-14 · Archived: 2026-04-05 22:30:23 UTC\r\nOverview\r\nRansomware has exploded in the last year, becoming the malware of choice for many threat actors because of its\r\neasy monetization and ease of distribution, whether via massive email campaigns or through a variety of exploit\r\nkits. Proofpoint research suggests that the number of ransomware variants has grown tenfold since December\r\n2015. While most such malware encrypts a victim's files and demands that a ransom be paid in Bitcoins to decrypt\r\nthem, Proofpoint researchers recently discovered a new variant that scrapes Skype and social media profiles for\r\npersonal information while it scans files and torrents for potentially sensitive information. Instead of encrypting\r\nfiles, it threatens victims with fake legal proceedings if they fail to pay the ransom.\r\nThe Discovery\r\nIn the last week of October, our colleague at FoxIT InTELL, Frank Ruiz, pointed us to a new browser locker\r\nvariant. Unlike traditional encrypting ransomware like Locky, browser lockers are full-screen web apps that\r\nprevent users from accessing their operating systems or closing the browser window. 
In this case, the browser\r\nlocker displays a fake \"Penalty Notice\" offering to let the victim \"settle [their] case out of court,\" avoiding the\r\nthreat of legal actions and much larger penalties for objectionable content and suspicious activity purportedly\r\ndiscovered on the victim's computer (Figure 1).\r\nhttps://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles\r\nPage 1 of 10\n\nFigure 1: Browser locker “Penalty Notice”\r\nThis browser locker was spread in the United States via malvertising traffic (primarily fed by the Plugrush and Traffic\r\nShop traffic exchanges on adult websites) aimed at Internet Explorer on Windows and Safari on OS X.\r\nThis type of threat was endemic between 2012 and 2014 and was frequently seen spreading concurrently via\r\nexploit kit with “Police Locker” malware [1]. Since then, the same kind of traffic has largely focused on exploit\r\nkit distribution of crypto ransomware and other malware as well as Tech Support scams in which victims are told\r\nto contact a fake tech support service to remove malware from their PCs, usually for a fee to be paid by credit\r\ncard.\r\nHowever, in the first week of November, we discovered an unusual malware variant that we believe is tied to the\r\n“Penalty Notice” browlock shown in Figure 1 based on visual and thematic similarities and distribution\r\nmechanisms. Note, however, that while the browser locker functions cross-platform, the related malware, dubbed\r\nRansoc, is a Windows binary.\r\nRansoc\r\nIn a sandbox environment, we observed this new malware perform an IP check and send all of its traffic through\r\nthe Tor network. 
Further examination revealed that the malware scanned local media filenames for strings\r\nassociated with child pornography.\r\nWe also noticed that it was running several routines interacting with Skype, LinkedIn, and Facebook profiles\r\n(Figure 2).\r\nFigure 2: Code examining Skype and social media profiles\r\nThe code also examined folders from Torrent software (Figure 3).\r\nFigure 3: Code examining Torrent folder contents\r\nTo determine the nature of the malware's interaction with these services, we ran it manually in our sandbox. We\r\nlogged into fake social network accounts, then closed the browser and launched the Skype desktop application. As\r\nsuspected, after running the malware, we saw it connecting to the fake Facebook and LinkedIn profiles we created\r\n(Figure 4).\r\nFigure 4: Ransoc capturing photos from social media account profiles\r\nThe malware, which we call Ransoc because of its connections to social media, then displayed a Penalty Notice\r\nthat was visually and functionally similar to the browser locker shown in Figure 1. The new Penalty Notice is\r\nshown in Figure 5. 
This penalty notice appears to be displayed only if the malware finds potential evidence of child\r\npornography or media files downloaded via Torrents, and its content is customized based on what it finds. We\r\nwere able to trigger the penalty notice by manually renaming files to match specific strings.\r\nFigure 5: New penalty notice with social media profile information and a threat stating that “All Collected Data\r\nwill be made public and the case goes to trial!”\r\nThe ransom message displays accurate personal data captured from Skype and social media profiles, including\r\nprofile photos. It threatens to expose the collected \"evidence\" to the public, with legitimate social profile\r\ninformation being used as a social engineering lure to convince victims that sensitive information may actually be\r\nat risk of exposure. Unlike most ransomware variants, the target here is the victim's reputation rather than their\r\nfiles. Ransoc also includes code that may allow it to access a victim's webcam, although we did not verify this\r\nfunctionality.\r\nThe ransom message is actually a full-screen window that functions much like the browser locker application\r\nshown in Figure 1. However, Ransoc checks every 100 ms for regedit, msconfig, and taskmgr, killing the processes\r\nbefore victims have a chance to remove or disable the malware. Ransoc only uses a registry autorun key to persist,\r\nthough, so rebooting in Safe Mode should allow users to remove the malware. 
The sample we examined had an\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaErrorHandler registry key with a value of a\r\nshortcut pathname ending in 'JavaErrorHandler.lnk', although future versions may use a different key.\r\nThe payment system (Figure 6) is also unusual.\r\nFigure 6: Ransoc payment page\r\nCredit card payment is almost unheard of in ransomware schemes. While it removes the hassle and confusion for\r\nmany victims associated with Bitcoin processing, it also potentially allows law enforcement to trace activity back\r\nto the cybercriminal more easily.\r\nThis fairly bold approach to ransom payments suggests the threat actors are quite confident that people paying the\r\nransom have enough to hide that they will probably not seek support from law enforcement. In fact, while Ransoc\r\nmay seem to be motivated by vigilantism against genuine criminals, the motives are likely less-than-altruistic, as\r\nthe attackers target users who will be unlikely to resist or inform the authorities and thus increase the likelihood of\r\npayment. This theory is further bolstered by the fact that most victims encounter this malware via malvertising on\r\nadult websites and the penalty notice only appears when Ransoc encounters potential evidence of illegally\r\ndownloaded media (via BitTorrent) and certain types of pornography. 
To encourage payment, the ransom note also\r\nclaims that the money will be refunded if the victim is not caught again within 180 days.\r\nConclusion\r\nAlthough exploit kit activity has dropped off precipitously over the past year, malvertising activity remains strong,\r\nwith threat actors exploring new ways to infect victims and extort money through this vector. By incorporating\r\ndata from social media accounts and Skype profiles, Ransoc creates a coercive, socially engineered ransom note to\r\nconvince its targets that they are in danger of prosecution for their browsing habits and the contents of their hard\r\ndrives. With bold approaches to collecting payments, the threat actors appear confident in their targeting,\r\nintroducing new levels of sophistication to ransomware distribution and monetization.\r\nIndicators of Compromise (IOCs)\r\nDate | Domain | IP | Comment\r\n2016-10-27 | cis-criminal-report[.]com | 5.45.86.171 | Browlock for IE Windows\r\n2016-10-27 | criminal-report[.]in | 5.45.86.171 | Browlock for Safari OSX\r\n2016-11-03 | violation-report[.]in | 5.45.86.171 | Browlock for IE and Safari\r\n2016-11-02 | latexfetishsex[.]com | 78.47.134.204 | Intermediate Redirector/TDS\r\n2016-11-03 | italy-girls[.]mobi | 5.9.86.131 | Intermediate Redirector/TDS\r\n2016-11-10 | N/A | 5.45.86.148 | IP found in the Ransoc\r\nsha256 | Comment\r\nfee53dc4e165b2aa45c3e7bd100b49c367aa8b7f81757617114ff50a584a1566 | Ransoc PenaltyNotice\r\nReferences\r\n[1] http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.htm\r\nSource: https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
	],
	"report_names": [
		"ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles"
	],
	"threat_actors": [],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39bb03a3d2c7be28a1030c8a5668a82bc59b0295.pdf",
		"text": "https://archive.orkl.eu/39bb03a3d2c7be28a1030c8a5668a82bc59b0295.txt",
		"img": "https://archive.orkl.eu/39bb03a3d2c7be28a1030c8a5668a82bc59b0295.jpg"
	}
}