New crypto-ransomware encrypts files then disguises them as quarantined

Researchers have found a new ransomware which shows your files are quarantined, actually the are not.

Trend Micro has recently reported that a new ransomware variant targeting Russian speakers, was detected by their threat response engineer, Michael Marcos. BAT_CYRPVAULT.A or CRYPVAULT was evidenced to have been distributed as an attachment to spam emails.

This particular ransomware encrypts files then disguises them as quarantined. Marcos commented that this may be their guise to initiate a sense of urgency for the users to take action on the quarantined files, especially that the files are appended by a .vault extension. In addition, he said it may also be to a symbol for the malware to know that the file has already been encrypted.

GNU Privacy Guard (GnuPG), an open-source encryption tool creates an RSA-1023 both public and private key pair when the CRYPVAULT is executed. GnuPG then encrypts the files with countless extensions like .pdf, .doc, .jpg, .rtf and .zip and thereafter appends the .vault file extension.

Source: Trend Micro
Infection chain Image Source: Trend Micro

The Microsoft tool SDelete is used by the malware so that victims have no choice but to pay the ransom before unlocking their files. In the encryption process, this tool then deletes key files such as “vaultket.vlt”, “confclean.lst” and “secring.gpg”. A prompt listing down the steps on how to pay the ransom quickly appears as soon as the user attempts to open the encrypted file. Shortly after, the malware downloads a text file which includes instructions, ransom note and attached file name. This ransomware uses 16 overwrite passes basically guaranteeing the decryption key to be irrecoverable. Furthermore, it was noted that the very support portal of the malware is in Russian.

Aside from the above, CRYPVAULT also manages to extract stored login passwords for Internet Explorer, Firefox, Safari, Opera and Chrome, through downloading and opening the Browser Password Dump hacking tool.

What is more distinct about this malware is that the ransomware was written in batch scripts while the downloader, in JavaScript. According to Marcos, opting not to use C++, C# or any programming language means CRYPVAULT does not need to import any library nor create function as the scripts are executed one line after another. Accordingly, this effectively shows how easy a ransomware can be created by anyone.

With the threats of CRYPVAULT laid down, Marcos still recommends to rebuild a recent backup instead of paying the ransom. He adds that paying the ransom does not in any way guarantee that the victim will recover the correct keys.

VaultCrypt which was mentioned to be making its way to the English-speaking regions, was officially named by after their investigation and deliberation last month.

 | Featured Image Via: PowerUser.

Related Posts