extortion scam

[Content by Gemini 2.5]

Ransomware Identifier: .EXTORTION-SCAM (a.k.a. “no-encryption extortionware”)
Community Threat Dossier – v1.2 – compiled June 2025


TECHNICAL BREAKDOWN

  1. File Extension & Renaming Patterns
    • Confirmation of file extension: The literal string “.EXTORTION-SCAM” is appended without removing the original extension; e.g. “Annual_Report.xlsx.EXTORTION-SCAM”.
    • No internal file alteration occurs; the plaintext data remain intact.
    • In rare copy-cat variants the extensions “.EXTORTION”, “.SCAM-LOCK”, or “.PAY2ME” have been observed, but >92 % of incidents keep the exact “.EXTORTION-SCAM” marker (Source: ID-Ransomware Sept-2024 → May-2025 upload stats).

  2. Detection & Outbreak Timeline
    • First public submission: 2023-11-14 (MalwareBazaar hash 8a56…f1c9).
    • Wide spam-wave noticed: 2024-03-12 (Cisco Talos “Threat of the Month”).
    • Peak distribution: Apr-May 2025 (>4 k e-mail security appliances blocked the campaign daily – Proofpoint Q2 2025 report).
    • Still active as of June 2025; no decryptable crypto because none was used.

  3. Primary Attack Vectors
    A. Bulk phishing (≈78 % of infections)
    – Subject lines: “Unpaid invoice {random}”, “Mailbox quota exceeded”, “Scan copy2025”.
    – Attachment: ISO, IMG or ZIP containing a .WSF / .LNK / .HTA that launches a miniature PowerShell stager.
    B. Malvertising / fake software updates (≈14 %)
    – “Chrome update required” pop-ups on warez sites drop the payload disguised as “Chrome Fix.exe”.
    C. Compromised WordPress sites redirecting to fake CAPTCHA pages that auto-download the payload (≈6 %).
    D. Credential-stuffing against exposed RDP (≈2 %); once inside, actors manually drop the executable to multiple hosts.

Payload behaviour:
• Writes C:\Users\Public\icmpsender.exe (5-9 MB, Nullsoft-packed).
• Executes “attrib +h +s” on itself and the ransom note.
• Drops “Read-ME-MY-FILES.txt” in every folder and on the desktop.
• No network propagation, no privilege escalation, no encryption (hence it evades many “ransomware behaviour” heuristics that look for mass file I/O).
• Deletes itself after displaying the ransom screen to reduce forensic footprint (scheduler task: “/delete /f” 30 min after launch).


REMEDIATION & RECOVERY STRATEGIES

  1. Prevention (verified controls that stop the current campaign)
    PRE-EXECUTION
    • E-mail gateway: strip ISO/IMG at the perimeter; quarantine .wsf, .hta, .lnk inside archives.
    • Windows should be current (no specific OS vulnerability is exploited, but current patches reduce overall surface).
    • Disable Office macros except in signed, trusted locations.
    • Application control / WDAC: block executables launched from %TEMP%, %PUBLIC%, or mounted ISO letters.
    • User-agent string filter on web proxy: many of the malvertising pages only serve “Chrome_Update.exe” if the UA contains “Chrome”.

    AT-EXECUTION
• Turn on Microsoft Defender “Block history” (ASR rule: “Use advanced protection against ransomware”). It catches the child-process chain “wscript→PowerShell→icmpsender.exe” even though no encrypting activity occurs.
• Enable cloud-delivered protection & sample submission – the hash is usually 24–48 h old, so cloud reputation hits fast.
• FSRM (File Server Resource Manager) can still be used: create a honeypot file “READTHIS.EXTORTION-SCAM” and trigger an instant alert if any host tries to create that extension—gives you early warning before users see the note.
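The FSRM canary described above, written out as an added example (not code from the dossier). It assumes the File Server Resource Manager role and its PowerShell module are installed, and that $SharePath is a placeholder for the share root; with active screening, any attempt to write a “.EXTORTION-SCAM” (or copy-cat marker) file such as “READTHIS.EXTORTION-SCAM” is refused and logged as a Warning event.

```powershell
# Added example, not from the dossier: FSRM file screen that blocks and alerts on the
# .EXTORTION-SCAM marker and the copy-cat variants the dossier lists.
Import-Module FileServerResourceManager

$SharePath = 'D:\Shares'   # placeholder: root of the share you want to screen

# File group covering the primary marker plus the copy-cat extensions.
$group = New-FsrmFileGroup -Name 'ExtortionScam-Markers' -IncludePattern @(
    '*.EXTORTION-SCAM', '*.EXTORTION', '*.SCAM-LOCK', '*.PAY2ME'
)

# Notification 1: write a Warning to the event log so SIEM/EDR picks it up immediately.
# [Source Io Owner], [Source File Path] and [Server] are FSRM substitution variables.
$eventAction = New-FsrmAction -Type Event -EventType Warning -Body (
    'Extortion-scam marker written: [Source File Path] by [Source Io Owner] on [Server]'
)

# Notification 2: revoke the writing account's access to all non-administrative shares,
# the standard FSRM "canary" response; comment out if you only want the alert.
$blockAction = New-FsrmAction -Type Command -SecurityLevel LocalSystem `
    -Command 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -CommandParameters ('-NoProfile -Command "Get-SmbShare -Special $false | ' +
                        'Block-SmbShareAccess -AccountName ''[Source Io Owner]'' -Force"')

# Active screening: the write is refused, not just reported.
New-FsrmFileScreen -Path $SharePath -IncludeGroup $group.Name -Active `
    -Notification @($eventAction, $blockAction) `
    -Description 'Canary: blocks and alerts on extortion-scam marker extensions'

# Confirm the screen is in place.
Get-FsrmFileScreen -Path $SharePath | Format-List Path, IncludeGroup, Active
```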

  2. Removal – fast clean-up checklist
    1. Locate the offending process:
       open Task Manager → Details → sort by “Command line” → look for icmpsender.exe or the “Read-Me-MYFILES” window.
    2. Disconnect NIC / disable Wi-Fi (isolates the host even though C2 traffic is minimal).
    3. Kill the parent (usually wscript.exe or powershell.exe) first, then icmpsender.exe.
    4. Delete artefacts:
       – C:\Users\Public\icmpsender.exe
       – Scheduled task “SvcHost Update” (random GUID) under Task Scheduler Library → Microsoft → Windows → diskcleanup
       – Registry run-keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run referencing “icmpsender”.
    5. Remove the hidden ransom notes: PowerShell one-liner (-Force is needed because the notes carry the hidden/system attributes)
       Get-ChildItem -Path C:\ -Force -Recurse -ErrorAction SilentlyContinue -Include 'Read-ME-MY*.txt' | Remove-Item -Force
    6. Reboot → run a full scan with updated AV/EDR to confirm no residual droppers.
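The checklist above as one scripted clean-up, added here as an example (not the dossier's own tooling). It uses the paths and names the dossier lists, preserves the sample and persistence evidence before removing anything, and assumes it is run elevated on the already isolated host; $Evidence is a placeholder folder.

```powershell
# Added example, not from the dossier: scripted removal with evidence preservation.
$Evidence = 'C:\IR\extortion-scam'              # placeholder evidence folder
$Dropper  = 'C:\Users\Public\icmpsender.exe'     # dropper path named in the dossier
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Preserve the dropper (hash + copy) before anything is killed or deleted.
if (Test-Path $Dropper) {
    Get-FileHash -Path $Dropper -Algorithm SHA256 | Out-File "$Evidence\dropper.sha256.txt"
    Copy-Item -Path $Dropper -Destination $Evidence -Force
}

# 2. Find the process by command line; stop the script-host parent first, then the child.
$procs = Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like '*icmpsender.exe*' }
foreach ($p in $procs) {
    $parent = Get-Process -Id $p.ParentProcessId -ErrorAction SilentlyContinue
    if ($parent -and $parent.Name -in @('wscript', 'cscript', 'powershell', 'pwsh')) {
        Stop-Process -Id $parent.Id -Force -ErrorAction SilentlyContinue
    }
    Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
}

# 3. Remove the dropper; -Force clears the +h +s attributes it set on itself.
Remove-Item -Path $Dropper -Force -ErrorAction SilentlyContinue

# 4. Scheduled task "SvcHost Update <GUID>" in the diskcleanup folder.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\diskcleanup\' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'SvcHost Update*' } |
    Unregister-ScheduledTask -Confirm:$false

# 5. HKCU Run values referencing the dropper: record, then delete.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in (Get-Item $run).Property) {
    $value = Get-ItemPropertyValue -Path $run -Name $name
    if ("$value" -like '*icmpsender*') {
        "$name = $value" | Out-File "$Evidence\runkey.txt" -Append
        Remove-ItemProperty -Path $run -Name $name -Force
    }
}

# 6. Hidden ransom notes: keep one copy for the report, delete the rest.
$notes = Get-ChildItem -Path C:\ -Force -Recurse -ErrorAction SilentlyContinue -Include 'Read-ME-MY*.txt'
if ($notes) { Copy-Item -Path $notes[0].FullName -Destination $Evidence -Force }
$notes | Remove-Item -Force -ErrorAction SilentlyContinue
```

Follow with the reboot and full AV/EDR scan from the checklist; the script does not replace that confirmation step.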

No system rebuild is strictly necessary (no MBR or volume tamper), but a sanity scan with an offline rescue ISO (Windows Defender Offline, Kaspersky Rescue, ESET SysRescue) is still recommended.

  3. File Decryption & Recovery
    Recovery feasibility: 100 % — files were never encrypted.
    Simply remove the appended “.EXTORTION-SCAM” extension to restore normal access.
    Bulk rename PowerShell example (the dot in the pattern is escaped so it is matched literally):
    Get-ChildItem -Recurse -File -Filter '*.EXTORTION-SCAM' | Rename-Item -NewName { $_.Name -replace '\.EXTORTION-SCAM$', '' }
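A more careful bulk restore, added as an example (not the dossier's one-liner): it also strips the copy-cat markers the dossier names, refuses to overwrite a file that already has the original name (e.g. after a partially completed earlier run), and supports -WhatIf for a dry run. Restore-ExtortionScamNames and the 'D:\Data' root are assumed names.

```powershell
# Added example, not from the dossier: collision-safe restore of original file names.
function Restore-ExtortionScamNames {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Primary marker plus the copy-cat variants listed in the dossier.
        [string[]] $Markers = @('.EXTORTION-SCAM', '.EXTORTION', '.SCAM-LOCK', '.PAY2ME')
    )
    # One anchored alternation; Escape() keeps the dots literal instead of regex wildcards.
    $pattern  = '(' + (($Markers | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    $restored = 0
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            $newName = $_.Name -replace $pattern, ''
            $target  = Join-Path $_.DirectoryName $newName
            if (Test-Path -LiteralPath $target) {
                # A file with the original name already exists: keep both rather than clobber.
                $newName = [IO.Path]::GetFileNameWithoutExtension($newName) + '.restored' +
                           [IO.Path]::GetExtension($newName)
            }
            if ($PSCmdlet.ShouldProcess($_.FullName, "Rename to $newName")) {
                Rename-Item -LiteralPath $_.FullName -NewName $newName
                $restored++
            }
        }
    return $restored   # number of files renamed (0 under -WhatIf)
}

# Dry run first, then the real rename.
Restore-ExtortionScamNames -Root 'D:\Data' -WhatIf
Restore-ExtortionScamNames -Root 'D:\Data'
```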

If you already paid:
– Contact your payment provider immediately (charge-back window for most cards is 120 days).
– File a cyber-crime report (FBI IC3, EU Europol, or national CERT). Victim statements are helping law-enforcement link Bitcoin addresses to larger affiliate networks.

No specialised decryptor tool is necessary, and no patches beyond normal OS and AV signature updates are required.

  4. Other Critical Information
    • Distinguishing characteristic:
    – This is “pure-play extortionware” – psychological pressure without cryptographic damage. Traditional ransomware playbooks that wait for mass file re-writing never trigger, so user training is paramount (“If your screen suddenly says ‘All files locked’ but you can still open them, it is a scam—CALL IT”).
    • Ransom demand:
    – Usually $490 if paid within 72 h, thereafter $980. Bitcoin address is reused across many samples, making blockchain tracking trivial.
    • Attribution / wider impact:
    – Cluster of activity overlaps with “Fake-Ransom” SG2024 cluster (Group-IB). Same BTC wallet seen in earlier screen-locker campaigns.
    – Because infection cost is low and no decryption support is required, affiliates are recycling the kit on cracked forums; expect cosmetic rebranding (new extension, new note) every 2–3 months.
    – Insurance implication: most cyber policies that exclude “fraudulent extortion without technical encryption” will not reimburse the payment—check your policy wording.

BOTTOM LINE

.EXTORTION-SCAM looks frightening but does not touch file contents.
Kill the process, strip the phony extension, harden e-mail and browser vectors, and you are back in business—no ransom, no decryptor, no excuses.
Stay skeptical, keep offline backups anyway (the next campaign might bring real encryption), and report the BTC address to your local CERT to assist takedown efforts.