Did that Ransomware Spread Through TeamViewer?

Hi everybody,

A TeamViewer user is allegedly propagating ransomware.

TeamViewer is a cross-platform service that enables remote computer access for tech support calls, meetings, and other purposes, and has been installed on over a billion devices.

On a forum called Bleeping Computer, a thread described how victims' pictures, videos, and PDFs were encrypted, with the “.surprise” extension appended to every affected filename.

An infected user mentioned that the “Surprise” ransomware downloaded three files onto their computer. One of the files is a ransom note that instructs the victim to email both “nowayout[at]protonmail[dot]com” and “nowayout[at]sigaint[dot]org”.
The ransom note asks them to pay a sum of between 0.5-25 BTC (approximately US$200-US$10,000) depending on “how important your files and network files is.”

The ransomware was analysed by Lawrence Abrams of the Bleeping Computer forum, who found that it was based on EDA2, one of two open-source file-encrypting projects (the other being Hidden Tear). A security researcher originally developed the project to educate people about malware but later abandoned it after attackers started using his code for ransomware.

The command and control (C&C) servers for Surprise were down at the time this was reported, meaning the victims had no way of decrypting their files.

David Balaban of Privacy PC has noted that infected users who joined Bleeping Computer’s thread on Surprise ransomware were TeamViewer users.

Balaban explained in a post that “The analysis of TeamViewer traffic logs showed that someone had remotely executed surprise.exe process on computers, which resulted in malware injection behind the scenes…Furthermore, the researchers discovered that the user ID was identical across most of the unauthorized remote connection sessions, but not all. It’s therefore premature to state for a fact that one account (479440875) was used to infect systems. The scariest thing is that the strange traffic behavior had been taking place for months in some of the reported cases.”
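The two checks Balaban describes, the same remote ID recurring across sessions and sessions that nobody on the local side authorised, can be scripted over TeamViewer's incoming-connection log. What follows is an added example, not code from the original post, from Balaban or from TeamViewer: the seven-column tab-separated layout, the timestamp format, the allowlist of known helpdesk IDs and the sample log lines are all constructed assumptions, so adjust the parser to whatever the real log on a given host looks like.

```python
from collections import Counter
from datetime import datetime

# Constructed sample lines. The seven tab-separated columns are an assumption
# modelled on TeamViewer's incoming-connection log (remote ID, remote display
# name, start, end, local user, connection type, connection ID); the values
# are invented for this example, not a real capture.
SAMPLE_LOG = """\
479440875\tsupport-desk\t12-03-2016 02:13:41\t12-03-2016 02:19:05\tjdoe\tRemoteControl\t{c1}
123456789\tIT Helpdesk\t14-03-2016 10:02:11\t14-03-2016 10:40:30\tjdoe\tRemoteControl\t{c2}
479440875\tsupport-desk\t18-03-2016 03:01:09\t18-03-2016 03:04:50\tjdoe\tRemoteControl\t{c3}
479440875\tsupport-desk\t21-03-2016 01:47:22\t21-03-2016 01:52:10\tjdoe\tRemoteControl\t{c4}
987654321\tunknown\t22-03-2016 23:58:00\t23-03-2016 00:05:12\tjdoe\tRemoteControl\t{c5}
"""

# Constructed allowlist: the remote IDs the organisation's own helpdesk uses.
KNOWN_REMOTE_IDS = {"123456789"}

TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"  # assumed format; adjust to the real log


def parse_log(text):
    """Turn the tab-separated log text into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # skip malformed lines instead of aborting the review
        remote_id, name, start, end, local_user, kind, conn_id = fields
        sessions.append({
            "remote_id": remote_id,
            "remote_name": name,
            "start": datetime.strptime(start, TIMESTAMP_FORMAT),
            "end": datetime.strptime(end, TIMESTAMP_FORMAT),
            "local_user": local_user,
            "type": kind,
            "connection_id": conn_id,
        })
    return sessions


def sessions_per_remote_id(sessions):
    """Count incoming sessions per remote TeamViewer ID (the repeated-ID check)."""
    return Counter(s["remote_id"] for s in sessions)


def find_unexpected_sessions(sessions, known_ids, quiet_start=22, quiet_end=6):
    """Flag sessions from unknown remote IDs or started inside the quiet window.

    Returns a list of (connection_id, remote_id, reasons) tuples.
    """
    flagged = []
    for s in sessions:
        reasons = []
        if s["remote_id"] not in known_ids:
            reasons.append("unknown-remote-id")
        hour = s["start"].hour
        if hour >= quiet_start or hour < quiet_end:
            reasons.append("outside-business-hours")
        if reasons:
            flagged.append((s["connection_id"], s["remote_id"], reasons))
    return flagged


def summarise(flagged):
    """Flagged sessions per remote ID, most frequent first."""
    return Counter(remote_id for _, remote_id, _ in flagged).most_common()


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    flagged = find_unexpected_sessions(sessions, KNOWN_REMOTE_IDS)
    for conn_id, remote_id, reasons in flagged:
        print(conn_id, remote_id, ", ".join(reasons))
    print(summarise(flagged))
```

Against the constructed lines, the one known helpdesk session during office hours passes, and the three sessions from the same unknown ID plus the late-night one from another unknown ID are flagged; the summary shows which remote ID keeps coming back, which is the pattern Balaban's researchers were looking for. Each flagged connection ID then gives the IR team a specific session to cross-check against what processes started on the host in that window.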

Axel Schmidt, Public Relations Manager at TeamViewer, has contacted The State of Security to clarify this incident:

In an email Schmidt mentioned, “We looked thoroughly at the cases that were reported to us. And according to our investigation, the underlying security issues cannot be attributed to TeamViewer… So thus far we have no evidence that would suggest any potential security breach of TeamViewer that attackers exploit. Furthermore, a man-in-the-middle attack can nearly be excluded because of TeamViewer’s deployed end-to-end encryption. Apart from that, we would like to state that none of the reports currently circulating hint at a structural deficit or a security glitch of TeamViewer.”

He recommends that all TeamViewer users download the software only through official company channels; protect all of their web accounts with strong, unique passwords; protect their TeamViewer accounts specifically with two-factor authentication; and determine that their device/computer has not already been infected by malicious software.

Source: Akati
