Cybercriminals have launched a new campaign that does more than demand a ransom for decrypting the victim's data. The victim is directed to a PayPal account page to pay the ransom and get the decryption key, but the page is fake: when the victim lands on it, the criminals steal their account login credentials. On top of that, when the victim enters credit card information on the fake page to pay the ransom, the cybercriminals steal that information as well.
The address of the fake PayPal site, after http://, is ppyc-veOrf.890m.com/s2[.]php. It is clearly not a PayPal address and should be identifiable as a fake web page, but apparently it has duped many victims.
The ransomware campaign was discovered by MalwareHunterTeam. It is unknown whether the victims get the decryption key after the one-two punch, but it seems unlikely with this evil scheme.