
Recently a member posted in the forums about a new ransomware that was appending the .surprise extension to encrypted files.

All of the victims had TeamViewer installed, and their logs showed that someone had connected to their machines using TeamViewer and uploaded the files to their desktops. As more logs were posted, it could be seen that two TeamViewer IDs had been used by the attackers to upload the ransomware to the computers and execute it. Once it was discovered that TeamViewer was involved, I immediately reached out to TeamViewer support to try to get someone from their security team to either call or email me so we could discuss this attack. Talking to one of the security team members, I was told that the associated IDs had already been disabled so that they could no longer be used on TeamViewer. I was also told that it appears the connections made by the ransomware developer were using the credentials of the victims. TeamViewer felt that some of these accounts may have been included in account dumps, from which the ransomware devs retrieved the credentials.
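The pivot that made this case was the attacker's TeamViewer IDs showing up in more than one victim's incoming-connection log. The script below is an added example, not code from the original post or from TeamViewer: it parses a handful of constructed Connections_incoming.txt excerpts, drops an allow-listed helpdesk ID, and reports which remote IDs touched several machines plus the time-ordered sessions of any one ID. The tab-separated column layout and the dd-mm-yyyy timestamp format are assumptions about the file; check them against a real log before relying on the parser.

```python
from collections import defaultdict
from datetime import datetime


def _log(*rows):
    # Build a tab-separated log body from row tuples (constructed test data).
    return "".join("\t".join(r) + "\n" for r in rows)


# Constructed Connections_incoming.txt excerpts, one per affected machine.
# Column layout (remote ID, remote display name, start, end, local user,
# connection type, connection GUID) and the dd-mm-yyyy timestamps are
# ASSUMPTIONS about the file format, not taken from the original post.
VICTIM_LOGS = {
    "victim-A": _log(
        ("555555555", "support", "01-03-2016 02:13:05", "01-03-2016 02:31:40", "Alice", "RemoteControl", "{0001}"),
        ("111111111", "Helpdesk", "02-03-2016 09:05:00", "02-03-2016 09:20:12", "Alice", "RemoteControl", "{0002}"),
        ("777777777", "Admin", "03-03-2016 03:44:51", "03-03-2016 04:02:17", "Alice", "FileTransfer", "{0003}"),
    ),
    "victim-B": _log(
        ("111111111", "Helpdesk", "01-03-2016 14:10:00", "01-03-2016 14:25:33", "Bob", "RemoteControl", "{0004}"),
        ("222222222", "Dave home", "02-03-2016 19:00:00", "02-03-2016 19:30:00", "Bob", "RemoteControl", "{0005}"),
        ("555555555", "support", "04-03-2016 01:58:22", "04-03-2016 02:20:09", "Bob", "FileTransfer", "{0006}"),
    ),
    "victim-C": _log(
        ("555555555", "support", "04-03-2016 02:41:13", "04-03-2016 03:05:48", "Carol", "RemoteControl", "{0007}"),
        ("777777777", "Admin", "05-03-2016 04:12:00", "05-03-2016 04:30:27", "Carol", "RemoteControl", "{0008}"),
    ),
}

# IDs that legitimately connect to many machines, e.g. the company's own
# helpdesk account (assumed for this example).
KNOWN_GOOD_IDS = frozenset({"111111111"})


def parse_incoming(text):
    """Parse one Connections_incoming.txt body into a list of session dicts."""
    sessions = []
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) < 6:
            continue  # blank or truncated line
        remote_id, remote_name, start, end, local_user, conn_type = parts[:6]
        sessions.append({
            "remote_id": remote_id.strip(),
            "remote_name": remote_name,
            "start": datetime.strptime(start, "%d-%m-%Y %H:%M:%S"),
            "end": datetime.strptime(end, "%d-%m-%Y %H:%M:%S"),
            "local_user": local_user,
            "type": conn_type,
        })
    return sessions


def correlate(victim_logs, known_good=frozenset()):
    """Map each remote TeamViewer ID to the set of machines it connected to,
    ignoring allow-listed IDs."""
    by_id = defaultdict(set)
    for victim, text in victim_logs.items():
        for s in parse_incoming(text):
            if s["remote_id"] not in known_good:
                by_id[s["remote_id"]].add(victim)
    return dict(by_id)


def shared_remote_ids(victim_logs, known_good=frozenset(), min_victims=2):
    """Remote IDs seen on at least min_victims different machines: the
    strongest signal that one operator is behind several infections."""
    return sorted(rid for rid, v in correlate(victim_logs, known_good).items()
                  if len(v) >= min_victims)


def timeline(victim_logs, remote_id):
    """Every session from one remote ID across all machines, in time order."""
    rows = []
    for victim, text in victim_logs.items():
        for s in parse_incoming(text):
            if s["remote_id"] == remote_id:
                rows.append((s["start"], victim, s["local_user"], s["type"]))
    return sorted(rows)


if __name__ == "__main__":
    for rid in shared_remote_ids(VICTIM_LOGS, KNOWN_GOOD_IDS):
        print(f"remote ID {rid} connected to: {sorted(correlate(VICTIM_LOGS, KNOWN_GOOD_IDS)[rid])}")
        for start, victim, user, ctype in timeline(VICTIM_LOGS, rid):
            print(f"  {start:%Y-%m-%d %H:%M:%S}  {victim:<9} user={user:<6} {ctype}")
```

The allow list matters: a helpdesk ID will also appear on many machines, and without it the correlation produces a false positive that looks exactly like the attacker. The timeline is what you hand to the vendor, since the session start times (here all in the small hours) and the FileTransfer sessions preceding the RemoteControl ones line up with "uploaded the files to their desktop and executed it".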

On checking various databases, I did find that more than half of the victims were listed on the https://haveibeenpwned.com/ site. At this point, the Surprise ransomware appears to have gone dark, so we are unable to investigate this further.

Another interesting characteristic of the Surprise ransomware is that the executable itself does not contain any of the encryption functions or other behavior associated with ransomware programs. Instead, it carries a second executable that has been encrypted and then stored as a Base64-encoded string. At runtime this string is decoded, decrypted, loaded into memory, and executed directly from there, so the real ransomware is never written to disk as a separate file. This method is meant to bypass not only AV signature definitions but also behavior-based detection.
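When the outer executable is only a loader, static triage has to go looking for the embedded payload. The script below is an added example, not code from the original post or from the Surprise sample: it scans a binary for long Base64 runs, decodes each one, measures its entropy, and checks whether the result (directly, or after undoing a single-byte XOR) is a PE file. The post does not say which cipher Surprise used, so the single-byte XOR is an assumption used only to make the constructed sample self-contained; a real loader may use anything from XOR to AES, in which case the entropy score still flags the blob but you recover the key from the loader's decryption routine instead.

```python
import base64
import math
import re
from collections import Counter

# A Base64 run long enough to be a payload rather than a stray token.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")
DOS_STUB = b"This program cannot be run in DOS mode"


def shannon_entropy(data):
    """Bits per byte; plain code sits around 5-6.5, encrypted/compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(blob):
    return blob[:2] == b"MZ" and DOS_STUB in blob[:512]


def _try_decode(run):
    """Decode a Base64 run, tolerating up to three leading junk characters
    that the regex may have swallowed from surrounding text."""
    for skip in range(4):
        chunk = run[skip:]
        chunk = chunk[: len(chunk) - len(chunk) % 4]
        if len(chunk) < 256:
            return None
        try:
            return base64.b64decode(chunk, validate=True)
        except ValueError:
            continue
    return None


def guess_single_byte_xor(blob):
    """Return the XOR key that turns the first 512 bytes into a PE header, or None."""
    for k in range(1, 256):
        if looks_like_pe(xor_bytes(blob[:512], bytes([k]))):
            return k
    return None


def find_embedded_payloads(binary):
    """One dict per Base64 run that decodes cleanly, with PE/XOR verdicts."""
    hits = []
    for m in B64_RUN.finditer(binary):
        decoded = _try_decode(m.group(0))
        if decoded is None:
            continue
        key = None if looks_like_pe(decoded) else guess_single_byte_xor(decoded)
        plain = decoded if key is None else xor_bytes(decoded, bytes([key]))
        hits.append({
            "offset": m.start(),
            "decoded_len": len(decoded),
            "entropy": shannon_entropy(decoded),
            "is_pe": looks_like_pe(plain),
            "xor_key": key,
            "payload": plain,
        })
    return hits


# Constructed stand-in for the loader: a fake PE payload, XORed with an
# ASSUMED single-byte key, Base64-encoded and dropped into a stub binary.
FAKE_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB + b".\r\n$"
                + bytes(range(256)) * 4)
XOR_KEY = bytes([0x5A])
STUB = (b"\x00" * 32 + b"MZ\x90\x00STUBHEADER" + b"\x00" * 16
        + b'payload="' + base64.b64encode(xor_bytes(FAKE_PAYLOAD, XOR_KEY))
        + b'"\x00' + b"\x00" * 32)


if __name__ == "__main__":
    for h in find_embedded_payloads(STUB):
        print(f"offset={h['offset']} len={h['decoded_len']} "
              f"entropy={h['entropy']:.2f} pe={h['is_pe']} xor_key={h['xor_key']}")
```

Run it against a real sample by replacing `STUB` with the file's bytes. Two things carry over from the constructed case: a high-entropy run of a few hundred KB inside an otherwise small executable is the tell even when the PE check fails, and once the payload is recovered it is the recovered file, not the loader, that you submit to AV vendors and hash for IOC lists, since the loader's hash is what the attacker can cheaply change.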