A new variant of the WannaPeace ransomware, RansSIRIA, has been discovered that encrypts victims' files and claims to donate the proceeds to Syrian refugees. Discovered by MalwareHunterTeam, the ransomware seems to be targeting Brazilian victims, with the ransom note written in Portuguese.
Once executed, the ransomware displays a fake Microsoft Word window that loads slowly while the malicious code encrypts the victim's files. Once the encryption process is complete, the ransom note (embedded below) is displayed, featuring an impassioned request to pay the ransom in Litecoins that will go towards helping Syrian refugees.
"We DO NOT want your files or you harm them... we only want a small contribution," the translated ransom note reads. "Remember... by contributing you will not only be recovering your files... but helping to restore the dignity of these victims."
The ransomware demands that victims pay around 80 Litecoins within a week.
This particular strain of ransomware seems to rely on powerful social engineering techniques to coax people into paying the ransom and "donating" towards their cause. Once the ransom is paid and the decryption process is complete, the ransomware opens a shortened URL that leads to a World Vision article about the Syrian crisis and shows a powerful YouTube video focusing on the effect of war on a child.
Image Credit: MalwareHunterTeam
The English translation looks as shown.
However, the ransomware developers are certainly not donating the ransom payments they receive to help Syrian refugees and are likely just making money off of powerful human emotions.
Victims are strongly discouraged from paying the ransom and should instead opt for other data recovery methods.