"Fake adult sites" reported to completely destroy data with malware disguised as an erotic image



A case has been reported in which malicious sites distribute malware disguised as adult content and demand a ransom by claiming that the data files in storage have been encrypted.

Cyble — Fake Ransomware Infection Under widespread

https://blog.cyble.com/2022/10/06/fake-ransomware-infection-under-widespread/

Fake adult sites push data wipers disguised as ransomware
https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-wipers-disguised-as-ransomware/

On October 6, 2022, the security company Cyble announced that it had discovered ransomware being distributed from fake domains masquerading as adult sites, such as 'nude-girlss.miwire[.]org', 'sexyphotos.kozow[.]com', and 'sexy-photo[.]online'.

These sites urge users to download an executable disguised as a JPG image called 'SexyPhotos.JPG.exe'. By default, Windows does not display the .exe extension, so a user who thinks it's an image file called SexyPhotos.JPG may double-click the file to run it.



When this executable file is run, the fake ransomware renames the files stored on the PC to 'Locked_(number).Locked_fille'. Although the files are not encrypted, it is difficult for victims to recover them on their own because they do not know what the original file names and extensions were.
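The double-extension lure and the rename pattern described above can both be checked for in endpoint telemetry. The following is an added example, not code from Cyble or BleepingComputer; the event schema, the extension lists, the threshold and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions a user reads as content vs. ones Windows will execute (assumed lists).
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "bmp", "pdf", "doc", "docx", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
# Rename target named in the article: Locked_(number).Locked_fille
WIPER_RENAME = re.compile(r"^Locked_\d+\.Locked_fille$", re.IGNORECASE)

def is_double_extension(path):
    """True if the file name ends in <decoy ext>.<executable ext>."""
    name = PureWindowsPath(path).name.rstrip(" .")  # Windows drops trailing dots/spaces
    parts = [p.strip().lower() for p in name.split(".")]  # tolerate 'a.jpg   .exe'
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS

def triage(events, rename_threshold=3):
    """Flag masqueraded launches and per-process bursts of wiper-style renames."""
    alerts, renames = [], {}
    for ev in events:
        if ev["type"] == "process_start" and is_double_extension(ev["image"]):
            alerts.append({"rule": "double_extension_exec", "pid": ev["pid"],
                           "image": ev["image"]})
        elif ev["type"] == "rename" and WIPER_RENAME.match(PureWindowsPath(ev["new"]).name):
            # Keep new -> old so the original names can be restored afterwards.
            renames.setdefault(ev["pid"], {})[ev["new"]] = ev["old"]
    for pid, mapping in renames.items():
        if len(mapping) >= rename_threshold:
            alerts.append({"rule": "mass_rename", "pid": pid, "restore_map": mapping})
    return alerts

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120, "image": r"C:\Users\u\Downloads\SexyPhotos.JPG.exe"},
    {"type": "process_start", "pid": 880, "image": r"C:\Windows\explorer.exe"},
    {"type": "rename", "pid": 4388, "old": r"C:\Users\u\Docs\tax.xlsx",
     "new": r"C:\Users\u\Docs\Locked_1.Locked_fille"},
    {"type": "rename", "pid": 4388, "old": r"C:\Users\u\Docs\cv.docx",
     "new": r"C:\Users\u\Docs\Locked_2.Locked_fille"},
    {"type": "rename", "pid": 4388, "old": r"C:\Users\u\Pics\cat.png",
     "new": r"C:\Users\u\Pics\Locked_3.Locked_fille"},
    {"type": "rename", "pid": 880, "old": r"C:\Users\u\a.txt", "new": r"C:\Users\u\b.txt"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Because the files are only renamed, the `restore_map` captured at detection time is exactly the information the victim otherwise lacks.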



Subsequently, the fake ransomware saves a text file on the PC declaring that the files have been encrypted, demanding a ransom in Bitcoin equivalent to $300 (about 43,000 yen) within 3 days, and threatening to double the ransom after the deadline and to delete the files. However, as mentioned above, the files are not encrypted in the first place, so even if you pay the ransom, you will not be provided with a decryption tool, and there is little chance that you will be provided with a tool that can restore the renamed files.



In addition, the fake ransomware attempts to delete all data with an executable file 'del.exe', but it mistakenly specifies the file name 'dell.exe', so a "'dell.exe' cannot be found" dialog is displayed.



Regarding this fake ransomware, the IT news site BleepingComputer said, "This is a good example of how even if malware is buggy and poor, you can inadvertently lose data. One way to recover is to restore the OS to a previous state, but depending on the timing of the restore, you will lose data. Generally, the shortest way to solve this problem is to reinstall the OS, so it is important to back up your data regularly."

in Security, Posted by log1l_ks