RansSIRIA ransomware developers exploit misfortune to profit
The situation in the Middle East war zone is not getting any better. More than 400,000 people have died because of the Syrian conflict since 2011, according to a World Bank report. More than 5 million people are seeking refuge abroad. The whole world is following the news about the latest attacks on the war-torn country and fears WW3. Hackers seem to be following the breaking news too, inventing ways to maximize their profit by any means.
MalwareHunterTeam revealed ransomware that goes far beyond the regular kind. Known as WannaPeace RansSIRIA or simply RansSIRIA, the ransomware encrypts personal files on a targeted PC and then demands a ransom for file decryption. The criminals claim that the collected ransom will be donated to Syrian refugees.
If you fall victim to RansSIRIA ransomware, do not pay the ransom in the belief that you are going to help a child or another war-injured Syrian escape the war. The criminals do not care about others' pain. All they seek is to take advantage of the Syrian refugee crisis.
Criminals use social engineering to manipulate people
RansSIRIA ransomware is by no means typical. It is quite shocking and emotionally involving. Its developers use multiple social engineering strategies, or psychological tricks, to manipulate people into doing what they want.
The Fear-Then-Relief Procedure. The RansSIRIA virus encrypts files and demands a ransom. That is a common practice among crypto-ransomware developers: it pushes people into panic and often prompts them to give away their money.
Social Exchange. In this particular case, the criminals try to make the owner of an attacked PC feel guilty about what is going on in Syria. To get a psychological reward, he or she is asked to pay a ransom, which will supposedly be donated to Syrian refugees, in exchange for a file decryptor. The ransom note of the virus says:
Sorry, your files have been locked
Please introduce us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained, pursued or imprisoned.
Thousands of human beings are now ruled, wounded, hungry and suffering …
All as victims of a war that is not even theirs !!!
But unfortunately, only words will not change the situation of these human beings …
We DO NOT want your files, or you harm them … we only want a small contribution …
Remember .. by contributing, you will not only be recovering your files …
… but helping to restore the dignity of these victims …
Contribute your contribution from only: Litecoins to wallet/address below.
The Social Exchange strategy in the RansSIRIA ransomware case is reinforced by visual material, including photos and video. MalwareHunterTeam published the pictures that the criminals use to depict the horror of the war. However, these are not as compelling as the YouTube video that the ransomware redirects to, a short video showing the life of a small girl who lives in a war zone.
The virus hasn't yet gone wild
RansSIRIA ransomware belongs to the WannaPeace ransomware family. It is written in Portuguese and targets Brazilian PC users. According to researchers, the ransomware was launched in the middle of April 2018 and has not yet received any payments.
It may be disguised as a malicious spam email attachment or a rogue software update, or injected via exploit kits. As soon as the RansSIRIA payload (RsSIRIA.exe) is executed, the malware displays a rogue Microsoft Word window, which freezes the system while the data stored on it is being encrypted.
Subsequently, it displays a ransom note and opens the URL https://goo.gl/qNxDFP with an article about Syrian refugees. The victim is asked to pay nearly 80 Litecoins within one week.
Although this new ransomware is emotionally compelling and prompts you to rethink the meaning of life, you would do better to donate the money to an organization dedicated to Syrian refugees or children living in the war zone than to give it away to criminals. Paying the ransom won't help a single person, so make sure to remove the ransomware and use alternative methods to recover your data.