A new ransomware strain provides victims with a QR code they can scan in order to make a mobile ransom payment.
Sven Carlsen, an expert from security firm Avira, explains in a blog post that the ransomware, dubbed Rokku, is making the rounds via spear-phishing emails – a common method of delivery for crypto-ransomware.
Once downloaded onto a victim’s computer, however, the malware quickly begins to distinguish itself from Locky, Teslacrypt, and other ransomware.
Straight out of the gate, Rokku deletes all of a machine’s shadow copies, thereby preventing the victim from recovering their files via the use of third-party file restoration services.
The ransomware then encrypts the victim’s data using RSA-512 – a strong but not impossible to break crypto algorithm – and adds the .ROKKU extension to each encrypted file.
At that point, the malware displays its ransom message, providing the victim with the option to select their language of choice.
Like most ransomware messages, Rokku’s note instructs the user to visit a Tor website in order to pay the ransom fee. That hidden website has two distinguishing factors.
First, it asks for only 0.24 BTC (US $100.14) -a mere fraction of what other crypto-ransomware samples demand.
Second, the site displays a QR code presumably in an effort to make paying the ransom as simple as possible, as Catalin Cimpanu explains in a Softpedia report:
“Scanning this QR code with your phone would allow you to easily pay the ransom money if you have a Bitcoin wallet app installed on the device. At the time of writing, no payments have been received in the Rokku Bitcoin account, but the ransomware was only spotted for the first time on March 19, so it may not have had time to spread to a large number of victims.”
Rokku was first seen by the VirusTotal service earlier in March. At the time of writing, no anti-virus solutions detect the ransomware executable as malicious.
To make matters worse, there is no way for users to recover their files–that is, unless they ware willing to attempt to break the RSA-512 algorithm.
With that in mind, users should be careful when clicking on suspicious links and email attachments from senders they do not know. It is also highly recommended that users back up their data just in case they are ever exposed to ransomware.