Ransomware is known to encrypt all the files on your device, however this variant also attempts to steal your PayPal credentials!
Ransomware is a form of Malware. Once installed, it will lock down the device it is installed on, encrypting all of the data and files contained on the hard drives. This prevents the user from actively using their device.
Ransomware will request that you pay a ransom in order for the malicious user to ‘decrypt’ your files, and allow you to use the device freely again. The malicious users demand that the payment is sent via cryptocurrency as it makes it difficult for law enforcement to trace.
In this scenario, the Ransomware is nothing new – however the crafty element is included within the ransom note. What differentiates this ransomware from others, is that it provides users the option to pay through PayPal which is what leads to the phishing aspect of this ransomware.
If the victim decides to pay through PayPal, the ransom note provides a link to a phishing PayPal page. Which will steal credentials that are entered into the form.
After the user enters their credentials into the fake PayPal form, it then directs the user to a well-crafted PayPal home page.
When users submit their information it is sent to hxxp://ppyc-ve0rf[.]890m.com/s2[.]php, instead of PayPal.com, directing users to another form asking for your address and other personal information such as credit card information.
Ransomware developers and malicious users are adopting sophisticated methods to attempt to steal money from their victims. It is important to always analyse any web pages that you visit, and before you enter your login credentials.
If you are ever unsure about a link/website that you are visiting, leave it immediately and use Google to search the site you wish to visit.