New Variant of WannaPeace Emerges: RansSiria Ransomware

The well-documented Syrian crisis started escalating in early 2011. The civil war has been ongoing for more than 7 years now, and the world has been closely observing the human rights crisis that has arisen due to it. Although many different strategies have been employed to alleviate the situation, it is estimated that around 400,000 Syrians have died, and over 5 million of refugees have fled the country during the war. Although people and governments all around the world are making donations and sending resources to help, not everyone is as benevolent. According to MalwareHunterTeam, a malicious ransomware that goes by the name RansSiria Ransomware was recently created by cyber criminals to monetize on the nightmare that is experienced by millions of people every day. This infection is a new variant of another monstrous, well-known threat, WannaPeace Ransomware, that was terrorizing Windows users late last year.


The devious WannaPeace Ransomware was primarily targeted at users who spoke Portuguese because the ransom note represented by it was in Portuguese. This is how RansSiria Ransomware is represented as well. According to the message, the creator of the infection wants a small donation in return for decrypting the corrupted files files. The donation, allegedly, would be sent to the people in Syria. Here is an excerpt:

Milhares de seres humanos estão nesse momento rufigiados, feridos, com fome e sofrendo...
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos...
NÃO queremos os seus arquivos ou lhe prejudicar..., queremos apenas uma pequena contribuição...

Although the creator of WannaPeace Ransomware were introducing the victims to the ransom in Bitcoins, the devious RansSiria Ransomware requests a ransom in Litecoins, and the ransom must be paid to the LWdHCDKKcUYmTKP4aKusHr9htRUQ7Ubz1S address. Our team could not confirm if it was a real address at the time of research. Both infections use the same message to push victims into paying the ransom, but doing that is very risky. Even if the ransom is not big, it is highly unlikely that the money would be used to aid refugees and the victims of war in Syria. Most likely, all of the money would go straight into the pocket of the creator. Unfortunately, they use several other tactics to push the victim into paying the ransom. For example, RansSiria Ransomware can display war-related images on the screen to remind the victim of the terrors that Syrians are going through. Also, a video and an article representing the true face of the war are introduced to the victims as well. This is likely to Push Windows users in Brazil, Portugal, and other countries to at least consider paying the ransom. Unfortunately, it is unlikely that cyber criminals would decrypt files even if the ransom payment was made.

The distribution of ransomware always relies on system vulnerabilities, security backdoors, and the carelessness of the targeted victim. If the system is not protected, RansSiria Ransomware can successfully slither into it using spam emails, RDP vulnerabilities, software bundles, and other security backdoors. The final obstacle is the user. If they are not careless, they themselves can let the infection in. For example, the ransomware would never be able to infiltrate using a spam email if the system was protected and if the user was smart enough not to open the email and then interact with the file appended to it. Ultimately, if the user is mindful and vigilant, they should be able to keep infections like RansSiria Ransomware away.

In conclusion, RansSiria Ransomware is a tremendously knavish infection that was created by cyber crooks to make a buck. Unfortunately, they are exploiting the Syrian human rights crisis in the process, and they are using images, videos, and facts representing the Syrian war to push the victims of the ransomware to pay up. Although it is suggested that files would be decrypted, and the ransom money would be used as a donation, trusting cyber criminals is never a good idea. On the other hand, there are plenty of legitimate and trustworthy organizations that are on the ground, and they could use any and every donation. When it comes to personal files, if they were encrypted, it is unlikely that they would be decrypted even if the ransom was paid. To protect personal files in the future, backing them up on external drives or online storage clouds is recommended.


Al Jazeera. April 23, 2018. Syria death toll: UN envoy estimates 400,000 killed. Al Jazeera.
OCHA. KEY FIGURES. United Nations Office for the Coordination of Humanitarian Affairs.
MalwareHunterTeam. April 21, 2018. RansSIRIA ransomware. Twitter.