A new ransomware threat, dubbed “Surprise”, was discovered this week being distributed through the popular TeamViewer remote-support app.
The way it spreads closely resembles the distribution model of Backoff, the notorious point-of-sale malware.
According to researchers, the Surprise ransomware operator obtained the credentials of a TeamViewer user, then used those credentials to gain remote access to other TeamViewer users’ machines and push the malware file onto them via TeamViewer. The malware appends a “.surprise” suffix to each file it encrypts.
The attack vector mirrors earlier cases in which remote access and control apps, including LogMeIn and JoinMe, were used by attackers to break into corporate networks and install the infamous Backoff malware, which steals point-of-sale data. The method is especially effective against retail, restaurants, and other industries with highly distributed systems, where branch networks depend heavily on centralized IT support models.
Surprise ransomware delivered over TeamViewer looks an awful lot like the Backoff distribution model, except that instead of stealing PoS data, the ransomware operators are holding corporate data for ransom.
A related fan-out effect occurs when ransomware travels through sync-and-share cloud apps: a victim’s files are encrypted, the encrypted copies are synced to the cloud, and other users synced to the same cloud folders then find their copies of those files encrypted as well.
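As an added example that is not part of the original article, the following Python script scans a directory tree for the “.surprise” file-name indicator described above and flags any directory with more than one hit as a candidate shared or synced folder, the place where the fan-out would propagate. The sample directory layout is constructed in a temporary folder purely for illustration, and the more-than-one-hit threshold is an assumption of this example, not something the article states.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article says the malware appends to encrypted files.
SURPRISE_SUFFIX = ".surprise"


def original_name(path):
    """Return the pre-encryption file name by stripping the appended suffix."""
    if path.lower().endswith(SURPRISE_SUFFIX):
        return path[: -len(SURPRISE_SUFFIX)]
    return path


def scan_for_surprise(root):
    """Walk `root` looking for the .surprise indicator.

    Returns (hits, per_dir): `hits` is a sorted list of matching paths and
    `per_dir` counts hits per directory, which is what the fan-out heuristic
    below uses.
    """
    hits = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(SURPRISE_SUFFIX):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return sorted(hits), per_dir


def likely_synced_dirs(per_dir, threshold=1):
    """Directories with more than `threshold` hits (assumed heuristic): a
    shared/synced folder is where several users' files would be hit at once."""
    return {d: n for d, n in per_dir.items() if n > threshold}


def build_sample_tree(base):
    """Constructed sample data (not real victim files): a local Documents
    folder with one hit and a SyncShare folder with two hits."""
    layout = {
        "Documents/report.docx": b"clean",
        "Documents/report.docx.surprise": b"\x00garbage",
        "SyncShare/q1/budget.xlsx.surprise": b"\x00garbage",
        "SyncShare/q1/notes.txt.surprise": b"\x00garbage",
        "SyncShare/readme.txt": b"clean",
    }
    for rel, content in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Build the sample tree, scan it, and return (hits, fan-out candidates)."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="surprise_demo_"))
    hits, per_dir = scan_for_surprise(base)
    return hits, likely_synced_dirs(per_dir)


if __name__ == "__main__":
    found, fanout = demo()
    for h in found:
        print("encrypted:", h, "(was", original_name(h) + ")")
    for d, n in fanout.items():
        print("possible synced folder with", n, "hits:", d)
```

Run it against a real root (for example a mounted sync-share directory) by calling `scan_for_surprise(root)` directly; a directory that lights up with many hits is the one to disconnect from the cloud sync first, before the encrypted copies propagate to every other user attached to it.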
Because distributed businesses depend on remote support apps to manage branch support, this threat is especially relevant to them, and businesses should take the appropriate steps recommended by TeamViewer.