“Surprise” Ransomware Uses TeamViewer to Infect Victims

Share this…

Another ransomware built on the EDA2 project. A new ransomware family was discovered in the past weeks, one that infects users’ computers via poorly secured TeamViewer installations and then encrypts all the their data, adding the “.surprise” extension to all files. The first signs of this new ransomware infection were spotted on the Bleeping Computer forums, a common place these days where ransomware victims converge asking for help.

At first, users were surprised to find their files locked and inaccessible, with three new files added to their desktops. These were the ransom notes, and they informed the user that their files were now encrypted, and to get them back, victims should contact the ransomware author via two email addresses at nowayout@protonmail.com and nowayout@sigaint.org.

The crook was asking for 0.5 Bitcoin (~$200) but said that, depending on the content of the user’s encrypted files, the ransom could very easily go up to 25 Bitcoin (~$10,000) if needed.

Surprise ransomware is nothing to be surprised at

Technically, the ransomware wasn’t anything special from the other crypto-ransomware families that have recently hit the Internet. The so-called Surprise ransomware used an AES-256 algorithm to encrypt files, and then RSA-2048 to secure each file’s encryption keys with a master key that was uploaded to the C&C server.

The ransomware targeted 474 different file extensions and used batch files to remove hard-drive shadow copies, making the auto-recovery process impossible, unless the user stored the same files on an external backup drive.

Lawrence Abrams, Bleeping Computer’s admin, also noticed that the ransomware was another clone of the EDA2 open-source ransomware. EDA2 started out as an educational project, but after it was uploaded to GitHub, many crooks abused it, despite the presence of a backdoor in the admin panel.

Utku Sen, EDA2’s author, used the backdoor when he could, helping ransomware victims get their files back for free, but this time around, Surprise’s C&C servers went offline after a few weeks, so the backdoor proved to be useless. The reason may be that the ransomware’s creator didn’t receive enough payments to make it worth keeping the servers online.

This means that current versions of the ransomware won’t be able to save their RSA key to the C&C servers, but that victims who want to pay the ransomware won’t be able to recover their files either.

TeamViewer installations abused to deliver the ransomware

But this wasn’t the most intriguing detail about what looked to be another ordinary ransomware variant. As more users were infected, a pattern appeared.

It seemed that all infections occurred on PCs that had TeamViewer installed. TeamVieweris a Windows application that can be used to establish a connection between two computers and allow a person to control the other’s PC.

Commonly used in tech support centers, TeamViewer is a well-known app that has quite a big following among tech-savvy users.

As Surprise ransomware victims noticed that they all had TeamViewer installed, they went on to search TeamViewer’s logs, and all discovered that someone accessed their computer via TeamViewer, downloaded the suprise.exe file (ransomware’s payload), and then launched it into execution, encrypting their files.

Nobody knows how the crook broke into their TeamViewer installation

Currently, there are no specifics on how these TeamViewer installations were accessed, but there are two possible explanations. One of them is the presence of a zero-day bug in TeamViewer that the crook used to open connections by force and push his ransomware.

This scenario is a little far-fetched, mainly because zero-day bugs require a lot of skill and technical knowledge to discover. Somebody who was foolish enough to use a backdoored ransomware family certainly doesn’t have the skills to discover zero-days.

The second explanation is that the attacker scanned the Internet for accessible TeamViewer installations and then used brute-force attacks to get in, using commonly used password strings.

Softpedia has contacted the TeamViewer team for more details and their opinion on how the attacker could have used their app to infect users.


Traces of the surprise.exe file in TeamViewer logs