Researchers have tied the propagation of a new type of ransomware to a TeamViewer user.TeamViewer is a cross-platform service that enables remote computer access for tech support calls, meetings, and other purposes. It has been installed on more than a billion devices, which makes its potential attack surface quite extensive.On March 9th, someone posted to the Bleeping Computer forum a thread in which they describe how all of their pictures videos, and PDFs, among other files, have been encrypted and that the “.surprise” extension has been concatenated to every affected filename.According to the infected user, the “Surprise” ransomware downloaded three files onto their computers. One of the files is a ransom note that instructs the victim to email both “nowayout[at]protonmail[dot]com” and “nowayout[at]sigaint[dot]org,” at which point they will be told to pay a sum of between 0.5-25 BTC (approximately US$200-US$10,000) depending on “how important your files and network files is.”
Source: Bleeping ComputerBleeping Computer’s Lawrence Abrams has analyzed the ransomware and determined that it is based off of EDA2, one of two file-encrypting open-source projects (along with Hidden Tear) originally developed by a security researcher in an effort to educate users about malware.The researcher has since abandoned the project after bad actors co-opted his code and used it to develop at least 20 different types of ransomware, including Magic and one that uses the “.locked” extension.As of this writing, the command and control (C&C) servers for Surprise are down. This means that affected users have little to no hope of recovering their files unless the servers go back online.
Source: Bleeping ComputerBut that’s not the end of the story.Additional analysis provided by David Balaban of Privacy PC has revealed that all of the infected users who joined Bleeping Computer’s thread on Surprise had TeamViewer installed on their computers.“The analysis of TeamViewer traffic logs showed that someone had remotely executed surprise.exe process on computers, which resulted in malware injection behind the scenes,” Balaban explains in a post. “Furthermore, the researchers discovered that the user ID was identical across most of the unauthorized remote connection sessions, but not all. It’s therefore premature to state for a fact that one account (479440875) was used to infect systems. The scariest thing is that the strange traffic behavior had been taking place for months in some of the reported cases.”To get to the bottom of this ransomware campaign, Balaban recommends that TeamViewer attempt to identify the suspicious account by its user ID.