Nothing quite like this has been seen before
Nothing quite like this has been seen before

A new piece of ransomware has been discovered which forces its victims into political sedition. Palo Alto Networks' Unit 42 recently spotted the piece of ransomware, dubbed, RanRan, on systems in Saudi Arabia and the Philippines.

Palo Alto Networks released a report on 8 March, stating that it had seen the ransomware go to town on a relatively small number of middle eastern government organisations.

What is unique about this particular piece of ransomware is that it blackmails those affected into making publically incendiary political statements. The victim is enjoined to create a subdomain with a politically seditious name and then create a ransomware.txt file hosted on that subdomain. The victim now has to publically announce their “rebellion” against their country's leader.

Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks told SC Media UK that “The intent clearly is political. That said, ransomware attackers frequently make additional demands before they give victims their data (if they ever do). There's no reason why these attackers couldn't do the same and respond to victims who accede to these initial demands with additional demands of a political or financial nature, or both.”

This might prove a dangerous ransom to pay in Saudi Arabia, where some have claimed the ransomware was found, and in the Philippines where Malwarehunter announced there had been an occurrence in January. This could run victims into trouble in both countries. Saudi Arabia has notoriously harsh censorship laws, where speech critical of the government or royal family can lead to prison time or physical punishment. Free speech has a number of criminal limitations in the Philippines, including “online libel”, which carries a potential 12 year jail sentence.

Morey J. Haber, vice president of technology, office of the CTO at BeyondTrust told SC that, in his opinion, RanRan “is truly a shift in attack vectors promoting hacktivism and leveraging the internet to promote websites against the establishment. Considering the strictness of local laws, the creation of an anti-government website intentionally with your email address linked could be considered treason regardless of the circumstances.”

The ransomware comes with a number of other notable features. It shuts down database processes and prevents them from starting up again before starting the encryption process. It uses eight tiers of different encryption keys depending on the size of the file.

The piece of ransomware appears to be relatively amateurish. Palo Alto researchers note that there are a number of basic errors in the writing of the ransomware, much of which was simply copied from Github. Palo Alto have released decryption tools for those infected with RanRan.