New Ransomware ‘Quarantines’ Files
Wednesday, April 8, 2015 @ 12:04 PM gHale
A new piece of crypto-ransomware called CryptVault encrypts files, makes them look like files quarantined by an antivirus product, demands a ransom and, finally, downloads info-stealer malware, researchers said.
The ransomware arrives on targeted computers after the user is tricked into downloading and running a malicious attachment, a JavaScript file, that in turn downloads four files: the ransomware itself, SDelete (a Microsoft Sysinternals tool for securely deleting files), GnuPG (a legitimate open-source encryption tool), and a GnuPG library file, said researchers at Trend Micro.
The ransomware uses GnuPG to create an RSA-1024 public and private key pair used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.
“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos said in a blog post.
A bigger and more detailed ransom note is displayed on the infected system’s desktop. Because the ransom note and the ransomware support portal are in Russian, this campaign focuses on Russian-speaking users.
“The malware deletes key files, secring.gpg, vaultkey.vlt and confclean.lst, by using sDelete, a Microsoft Sysinternals tool. sDelete is capable of overwriting a deleted file’s disk data that makes it difficult or nearly impossible to recover deleted files,” Marcos said.
“Though this isn’t the first time we’re seeing SDelete being used in crypto-ransomware attacks, it appears that this is a first for malware to use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file.”
In the end, the ransomware also downloads and executes Browser Password Dump, a hacking tool capable of extracting passwords stored by a number of popular web browsers; the stolen passwords are then sent to the command-and-control (C&C) server operated by the attackers.
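As an added defender-side example (not code from the article or from Trend Micro), the following Python triage routine flags the behaviours described above in Sysmon-style process-creation events: GnuPG launched by a Windows script host, and SDelete invoked with an unusually high overwrite-pass count or against the key files named in the report. The event format, file paths and the pass-count threshold are assumptions; SDelete's `-p` switch is its real pass-count option.

```python
import ntpath
import re
# Key files the article says the ransomware wipes with SDelete.
KEY_FILES = {"secring.gpg", "vaultkey.vlt", "confclean.lst"}
# Assumption: admin use of SDelete rarely needs more than a few passes; the sample above used 16.
HIGH_PASS_THRESHOLD = 8
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-style process-creation events (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\System32\\wscript.exe|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\gpg.exe"
    "|CommandLine=gpg.exe --batch --gen-key params.txt",
    "ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\vault.exe|Image=C:\\Users\\bob\\AppData\\Local\\Temp\\sdelete.exe"
    "|CommandLine=sdelete.exe -p 16 -q C:\\Users\\bob\\AppData\\Roaming\\gnupg\\secring.gpg",
    "ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Tools\\sdelete.exe"
    "|CommandLine=sdelete.exe -p 1 C:\\Temp\\old.log",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe notes.txt",
]

def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict (values contain no '|')."""
    return dict(field.split("=", 1) for field in line.split("|"))

def sdelete_passes(cmdline):
    """Overwrite-pass count from an SDelete command line (its -p switch); SDelete defaults to 1."""
    m = re.search(r"(?:^|\s)-p\s+(\d+)", cmdline)
    return int(m.group(1)) if m else 1

def assess(event):
    """Return finding strings for one parsed event; an empty list means nothing matched."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    findings = []
    if image in {"gpg.exe", "gpg2.exe"} and parent in SCRIPT_HOSTS:
        findings.append("gpg spawned by script host")
    if image == "sdelete.exe":
        passes = sdelete_passes(cmdline)
        if passes >= HIGH_PASS_THRESHOLD:
            findings.append(f"sdelete with {passes} overwrite passes")
        if {ntpath.basename(arg).lower() for arg in cmdline.split()} & KEY_FILES:
            findings.append("sdelete targeting GnuPG/vault key file")
    return findings

def triage(lines):
    """Map the index of each suspicious raw event line to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := assess(parse_event(line)))}
```

Running `triage(SAMPLE_EVENTS)` flags only the first two constructed events; the routine admin SDelete run with one pass and the notepad launch produce no findings.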