New crypto-ransomware encrypts files then disguises them as quarantined

April 8th, 2015 Waqas Cyber Crime, Malware, Scams and Fraud

Researchers have found a new ransomware that makes your files appear to be quarantined when in fact they have been encrypted.

Trend Micro has recently reported a new ransomware variant targeting Russian speakers, detected by its threat response engineer, Michael Marcos. BAT_CRYPVAULT.A, or CRYPVAULT, was observed being distributed as an attachment to spam emails.

This particular ransomware encrypts files and then disguises them as quarantined. Marcos commented that this may be a ruse to create a sense of urgency, prompting users to take action on the "quarantined" files, especially as a .vault extension is appended to them. He added that the extension may also serve as a marker that tells the malware a file has already been encrypted.

When CRYPVAULT is executed, it uses GNU Privacy Guard (GnuPG), an open-source encryption tool, to create an RSA-1023 public and private key pair. GnuPG then encrypts files with many extensions, including .pdf, .doc, .jpg, .rtf and .zip, and appends the .vault file extension to each.

[Image: CRYPVAULT infection chain. Image source: Trend Micro]

The malware uses the Microsoft tool SDelete so that victims have no choice but to pay the ransom to unlock their files: during the encryption process it deletes key files such as “vaultket.vlt”, “confclean.lst” and “secring.gpg”. As soon as the user attempts to open an encrypted file, a prompt appears listing the steps for paying the ransom. Shortly afterwards, the malware downloads a text file containing instructions, the ransom note and the attached file name. The ransomware runs SDelete with 16 overwrite passes, all but guaranteeing that the decryption key is irrecoverable from disk. It was also noted that the malware's support portal is in Russian.
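Detection logic for the behaviour described in the two paragraphs above, as an added example that is not Trend Micro's or HackRead's code: it replays constructed process and file events (the pipe-separated event format, the field names, the sample paths and the threshold values are all assumptions) and flags the three indicators the article gives, a burst of renames to .vault by one process, deletion of the GnuPG keyring and key files, and a multi-pass SDelete run.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List

VAULT_EXT = ".vault"
# Key-material file names the article says the malware wipes (taken from the text above).
KEY_FILES = {"vaultket.vlt", "confclean.lst", "secring.gpg"}
RENAME_BURST = 10   # .vault renames by one process within WINDOW seconds -> alert (assumed threshold)
WINDOW = 60.0       # seconds (assumed)
SDELETE_PASS_RE = re.compile(r"-p\s+(\d+)")


@dataclass
class Event:
    ts: float     # seconds since log start
    pid: int      # process that performed the action
    kind: str     # "rename", "delete" or "exec"
    detail: str   # new path (rename), path (delete) or command line (exec)


def parse_event(line: str) -> Event:
    """Parse one 'ts|pid|kind|detail' line (a constructed format, not a real sensor's)."""
    ts, pid, kind, detail = line.split("|", 3)
    return Event(float(ts), int(pid), kind.strip(), detail.strip())


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def sdelete_passes(cmdline: str) -> int:
    """Overwrite passes requested on an SDelete command line (-p N); SDelete's default is 1."""
    m = SDELETE_PASS_RE.search(cmdline)
    return int(m.group(1)) if m else 1


def detect(lines: List[str]) -> List[str]:
    """Replay events in order and return one alert string per suspicious behaviour seen."""
    alerts: List[str] = []
    renames: Dict[int, Deque[float]] = defaultdict(deque)  # pid -> times of .vault renames
    burst_reported = set()
    for line in lines:
        ev = parse_event(line)
        if ev.kind == "rename" and ev.detail.lower().endswith(VAULT_EXT):
            q = renames[ev.pid]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:   # drop renames older than the window
                q.popleft()
            if len(q) >= RENAME_BURST and ev.pid not in burst_reported:
                burst_reported.add(ev.pid)
                alerts.append(f"pid {ev.pid}: {len(q)} files renamed to {VAULT_EXT} within {WINDOW:.0f}s")
        elif ev.kind == "delete" and basename(ev.detail) in KEY_FILES:
            alerts.append(f"pid {ev.pid}: key material deleted: {basename(ev.detail)}")
        elif ev.kind == "exec" and "sdelete" in ev.detail.lower():
            passes = sdelete_passes(ev.detail)
            target = basename(ev.detail.split()[-1])
            # A single-pass SDelete of an ordinary file is routine admin work; a
            # multi-pass wipe, or any wipe of key material, is what the article describes.
            if passes > 1 or target in KEY_FILES:
                alerts.append(f"pid {ev.pid}: sdelete {passes}-pass wipe of {target}")
    return alerts


# Constructed sample: pid 880 is ordinary user activity, pid 4120 mimics the
# behaviour described in the article (mass .vault renames, then wiping key files).
SAMPLE_LOG = (
    ["1.0|880|rename|C:/Users/alice/Documents/report-final.docx",
     "2.0|880|delete|C:/Users/alice/AppData/Local/Temp/tmp1.tmp"]
    + [f"{10 + i * 0.4:.1f}|4120|rename|C:/Users/alice/Documents/file{i}.doc{VAULT_EXT}"
       for i in range(12)]
    + ["20.0|4120|exec|sdelete.exe -p 16 C:/Users/alice/secring.gpg",
       "20.5|4120|delete|C:/Users/alice/secring.gpg",
       "21.0|4120|exec|sdelete.exe -p 16 C:/Users/alice/vaultket.vlt",
       "21.5|4120|delete|C:/Users/alice/vaultket.vlt"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The rename-burst rule fires on the tenth .vault rename by a process and then stays quiet for that process, so a real run produces one alert per offending process rather than one per file; the key-file and SDelete rules fire on every occurrence because each one is worth a separate line in an incident timeline. The thresholds are starting points to tune against your own file-server baseline.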

In addition, CRYPVAULT extracts stored login passwords from Internet Explorer, Firefox, Safari, Opera and Chrome by downloading and running the Browser Password Dump hacking tool.

What is more distinctive about this malware is that the ransomware itself was written in batch scripts, while the downloader was written in JavaScript. According to Marcos, not using C++, C# or any other programming language means CRYPVAULT does not need to import any libraries or define functions, since the scripts are executed one line after another. This shows how easily ransomware can be created by almost anyone.

Having laid out the threats posed by CRYPVAULT, Marcos recommends restoring from a recent backup instead of paying the ransom. He adds that paying the ransom in no way guarantees that the victim will receive the correct keys.

VaultCrypt, which was reported to be making its way to English-speaking regions, was officially named by BleepingComputer.com after its investigation and deliberation last month.

Featured Image Via: PowerUser.
