UPDATED 16:00 EDT / MARCH 21 2016

TeamViewer users the latest victim of ransomware

The remote access tool from TeamViewer GmbH may be great for working across computers: it gives professionals and tech support staff remote access so they can assist users or work together on a single desktop. However, it may not be so great for keeping users’ files safe. Remote access is convenient for technical assistance, meetings, and so on, but it leaves devices and important files vulnerable to malicious attacks, such as a new ransomware that has been infecting users.

A recent attack has infected several TeamViewer users with a “Surprise” ransomware, which locks and encrypts all the victim’s files with a “.surprise” extension, save for three new files with instructions on how to regain access to them.

Of course, that comes at a hefty fee.

The instructions demand payment in bitcoin, ranging from 0.5 to 25 BTC, or approximately anywhere from $200 to $10,000, depending on the importance of the file. That’s the price per file, mind you, so anyone with multiple important files stolen will see a large price tag for recovering their data.

To make things worse for the victims, the command and control servers for Surprise are currently down, so unless they go back online soon, the victims may not be able to get their files back no matter how much they’re willing to pay.

According to Tripwire, the ransomware is based on EDA2, an open source file-encrypting project that was made to teach users about malware and was (to the creator’s lament) co-opted and used to create ransomware. Further research into the infection determined that the “surprise.exe” process was remotely executed over TeamViewer. The user ID of the person responsible was identical across nearly all of the unauthorized remote connection sessions.
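The correlation described above can be reproduced by lining up each machine's incoming remote sessions against the time its first “.surprise” file appeared. The following is an added example, not code from the article or from Tripwire's analysis; the tab-separated record layout, host names, partner IDs and timestamps are all constructed for illustration and are not TeamViewer's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: host, remote partner ID, session start, session end.
SESSIONS = """\
pc-01\t111222333\t2016-03-09 10:02:11\t2016-03-09 10:41:50
pc-01\t900800700\t2016-03-10 02:13:05\t2016-03-10 02:19:44
pc-02\t900800700\t2016-03-10 03:40:19\t2016-03-10 03:47:02
pc-02\t444555666\t2016-03-08 15:00:00\t2016-03-08 15:30:00
pc-03\t900800700\t2016-03-11 23:05:31\t2016-03-11 23:11:12
pc-04\t777888999\t2016-03-12 09:00:00\t2016-03-12 09:20:00
"""

# Constructed: earliest modification time of a "*.surprise" file per host.
FIRST_ENCRYPTED = {
    "pc-01": "2016-03-10 02:15:30",
    "pc-02": "2016-03-10 03:42:00",
    "pc-03": "2016-03-11 23:07:45",
    "pc-04": "2016-03-13 01:00:00",  # no remote session near this time
}
FMT = "%Y-%m-%d %H:%M:%S"

def parse_sessions(text):
    """Yield (host, partner_id, start, end) from the tab-separated records."""
    for line in text.splitlines():
        if line.strip():
            host, pid, start, end = line.split("\t")
            yield host, pid, datetime.strptime(start, FMT), datetime.strptime(end, FMT)

def suspicious_partners(text, first_encrypted, slack_minutes=5, min_hosts=2):
    """Map partner ID -> hosts where it was connected when encryption began."""
    slack = timedelta(minutes=slack_minutes)
    hits = defaultdict(set)
    for host, pid, start, end in parse_sessions(text):
        onset = first_encrypted.get(host)
        if onset is None:
            continue
        t = datetime.strptime(onset, FMT)
        if start - slack <= t <= end + slack:
            hits[pid].add(host)
    # One ID present at encryption onset on several hosts is the shared indicator.
    return {pid: sorted(h) for pid, h in hits.items() if len(h) >= min_hosts}

def unexplained_hosts(text, first_encrypted):
    """Encrypted hosts with no flagged session; these need a separate look."""
    flagged = suspicious_partners(text, first_encrypted)
    covered = {h for hosts in flagged.values() for h in hosts}
    return sorted(set(first_encrypted) - covered)
```

Hosts returned by `unexplained_hosts` correspond to the “nearly all” in the finding: encrypted machines whose sessions do not match the shared ID.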

Remote access is a useful tool for business collaboration as well as technical support, so there are multitudes of users around the world who benefit from TeamViewer. Unfortunately, that also makes it a tantalizing target for cybercriminals, and this is the result. TeamViewer has been contacted and advised to identify the suspicious account through its user ID, so hopefully the victims can recover their files and data soon.

UPDATE (3/22): A statement from TeamViewer has clarified that the problem was not the result of a hack or malware infection in the TeamViewer business tool. Axel Schmidt, PR Manager at TeamViewer, explains, “None of the reported cases is based on a TeamViewer security breach… careless use is at the bottom of the cases we currently looked at. This particularly includes the use of the same password across multiple user accounts with various suppliers.”

Schmidt also included a list of countermeasures TeamViewer users can take to avoid being infected by ransomware or other malware from cybercriminals that may try to target users.

TeamViewer denounces any criminal ploys, and encourages users to protect themselves by adequate counter measures:

· This starts with the download: TeamViewer advises users to only use official TeamViewer channels for the download.

· Additionally, users ought to protect any user account – whether it is with TeamViewer or any other supplier – by unique and secure passwords.

· Moreover, TeamViewer encourages users to protect their TeamViewer accounts by two factor authentication. See: http://www.teamviewer.com/en/help/402-How-do-I-activate-deactivate-two-factor-authentication-for-my-TeamViewer-account.aspx

· Finally, users should make sure that their device has not already been infected by viruses, spyware or any other type of malware that hackers may use to access secret or sensitive data.
