Cyber crooks spread Surprise ransomware via TeamViewer

A new ransomware family has been encrypting users’ files and appending the .surprise extension to them. The malware itself doesn’t differ much from other similar families, but the crooks wielding it apparently use an unusual propagation method: the popular (and legal) remote control tool TeamViewer.

First news of the so-called Surprise ransomware came up in a forum post on Bleeping Computer on March 9.

As more users became victims, they provided the malware executable and details about their own computer setup to researchers. In the discussion that followed, it came to light that all of them had TeamViewer v10.0.47484 software installed on their computers.

“Moreover, the analysis of TeamViewer traffic logs showed that someone had remotely executed surprise.exe process on computers, which resulted in malware injection behind the scenes,” noted PrivacyPC’s David Balaban.

“Furthermore, the researchers discovered that the user ID was identical across most of the unauthorized remote connection sessions, but not all. It’s therefore premature to state for a fact that one account (479440875) was used to infect systems. The scariest thing is that the strange traffic behavior had been taking place for months in some of the reported cases.”

TeamViewer traffic log of one of the victims

He posited that “there may have been an undetected breach that resulted in a massive theft of [TeamViewer] user credentials.”

But TeamViewer PR Manager Axel Schmidt denied that was the case.

“We looked thoroughly at the cases that were reported to us. According to our investigation, the underlying security issues cannot be attributed to TeamViewer. Thus far we have no evidence that would suggest any potential security breach of TeamViewer that attackers exploit. Furthermore, a man-in-the-middle attack can nearly be excluded because of TeamViewer’s deployed end-to-end encryption,” he wrote in a public statement regarding the matter.

“Additionally, we have no reason to believe that a brute-force attack is the origin of the reported infections. TeamViewer exponentially increases the latency between connection attempts. It thus takes as many as 17 hours for 24 attempts. The latency is only reset after successfully entering the correct password. TeamViewer not only has a mechanism in place to protect its customers from attacks from one specific computer but also from multiple computers, known as botnet attacks, that are trying to access one particular TeamViewer-ID. Apart from that, we would like to state that none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.”

They believe that carelessness is what caused these incidents: the carelessness of users who use the same password across multiple user accounts with various suppliers, and the carelessness of some suppliers who protect user data poorly or not at all.

“These suppliers are an easy target for hackers or data thieves who subsequently sell their loot via pertinent portals, or maybe just maliciously publish the user credentials online,” the company noted.

“As TeamViewer is a widely spread software, many online criminals attempt to log on with the data of compromised accounts (which they obtained through the aforementioned sources), in order to find out whether there is a corresponding TeamViewer account with the same credentials. If this is the case, chances are they can access all assigned devices, in order to install malware or ransomware.”

They advised users to use unique passwords for various user accounts and to protect their TeamViewer accounts with two-factor authentication.

According to Bleeping Computer’s Lawrence Abrams, the Surprise ransomware appears to be a modified version of EDA2, the proof-of-concept open-source ransomware devised by Turkish computer engineering student Utku Sen.

“The surprise.exe process loads the malicious program from Base64 encoded string into the targeted computer’s memory and launches it from there. When deploying the crypto job, the malware ignores a number of directories, including Windows, Program Files and folders whose depth exceeds 235 characters,” David Balaban explained.

“The Trojan uses a mix of RSA-2048 and AES-256 to encrypt files. The combination of public-key cryptography and symmetric cipher makes it impossible to derive decryption keys. The only viable recovery method is to access the criminals’ Command and Control server and try to obtain the keys stored on it, but the C2 appears to be down for the moment.”
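The log review Balaban describes (the same partner ID recurring across unauthorized sessions, in some cases for months) can be repeated on a single machine. The sketch below is an added example, not code from the article or from TeamViewer; it assumes the tab-separated layout of TeamViewer's `Connections_incoming.txt` and its timestamp format, and the function name, trusted-ID list and sample lines are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed layout of Connections_incoming.txt (tab-separated):
# partner ID, partner name, start, end, local user, session type, session GUID
TS_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed timestamp format
# Partner ID quoted in the article; extend with IDs from your own investigation.
REPORTED_IDS = {"479440875"}

# Constructed sample log, not taken from any victim machine.
SAMPLE_LOG = (
    "111222333\tHELPDESK-01\t02-12-2015 09:14:03\t02-12-2015 09:40:11\talice\tRemoteControl\t{A1}\n"
    "479440875\tWIN-CONSTRUCTED\t14-12-2015 03:02:44\t14-12-2015 03:05:10\talice\tRemoteControl\t{B2}\n"
    "555666777\tUNKNOWN-PC\t20-02-2016 23:11:00\t20-02-2016 23:12:30\talice\tRemoteControl\t{C3}\n"
    "479440875\tWIN-CONSTRUCTED\t09-03-2016 04:47:19\t09-03-2016 04:49:02\talice\tRemoteControl\t{D4}\n"
    "truncated line without fields\n"
)

def review_incoming(log_text, trusted_ids, reported_ids=REPORTED_IDS):
    """Summarise incoming sessions per partner ID that is not on the trusted list."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        # Skip blank, header or truncated lines and sessions from known operators.
        if len(row) < 4 or not row[0].strip().isdigit() or row[0].strip() in trusted_ids:
            continue
        try:
            start = datetime.strptime(row[2].strip(), TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp
        sessions[row[0].strip()].append(start)
    findings = []
    for partner, starts in sessions.items():
        first, last = min(starts), max(starts)
        findings.append({"partner_id": partner, "reported": partner in reported_ids,
                         "sessions": len(starts), "first_seen": first,
                         "last_seen": last, "span_days": (last - first).days})
    # Reported IDs first, then the untrusted access that has been running longest.
    findings.sort(key=lambda f: (not f["reported"], -f["span_days"]))
    return findings

if __name__ == "__main__":
    for finding in review_incoming(SAMPLE_LOG, trusted_ids={"111222333"}):
        print(finding)
```

A long `span_days` for an ID nobody recognises is the pattern the article reports: remote access that went unnoticed for months before the ransomware was run.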