New Ransomware ‘Quarantines’ Files

Wednesday, April 8, 2015 @ 12:04 PM gHale

A new piece of crypto-ransomware called CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware, researchers said.

The ransomware arrives on targeted computers after the user is tricked into downloading and running a malicious attachment – a JavaScript file – that downloads four files: the ransomware itself, SDelete (a Microsoft Sysinternals tool that can delete files), GnuPG (a legitimate open source encryption tool), and a GnuPG library file, said researchers at Trend Micro.


The ransomware uses GnuPG to create an RSA-1024 public and private key pair used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.

“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos said in a blog post.

A larger, more detailed ransom note is displayed on the infected system’s desktop. Because the ransom note and the ransomware support portal are in Russian, this campaign focuses on Russian-speaking users.

“The malware deletes key files, secring.gpg, vaultkey.vlt and confclean.lst, by using sDelete, a Microsoft Sysinternals tool. sDelete is capable of overwriting a deleted file’s disk data that makes it difficult or nearly impossible to recover deleted files,” Marcos said.

“Though this isn’t the first time we’re seeing SDelete being used in crypto-ransomware attacks, it appears that this is a first for malware to use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file.”

In the end, the ransomware also downloads and executes Browser Password Dump, a hacking tool capable of extracting passwords stored by a number of popular web browsers; the extracted passwords are then sent to the C&C server controlled by the attackers.
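The behaviors reported above (GnuPG execution, SDelete run against the key files with 16 passes, and files appearing with a .vault extension) are each weak signals alone but distinctive together. The following is an added example, not code from Trend Micro or the original article, that correlates them per host; the event format, sample command lines, time window and threshold are assumptions, while the file names, extension and pass count come from the article.

```python
import re
from collections import defaultdict

KEY_FILES = ("secring.gpg", "vaultkey.vlt", "confclean.lst")  # names from the article
WINDOW_SECONDS = 600  # assumed correlation window
THRESHOLD = 3         # assumed: distinct indicators needed before alerting

# Constructed events (host, epoch seconds, kind, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("HOST-A", 130, "proc", r"C:\Users\u\AppData\Local\Temp\gpg.exe --batch --gen-key p.txt"),
    ("HOST-A", 200, "file", r"C:\Users\u\Documents\budget.xlsx.vault"),
    ("HOST-A", 260, "proc", r"C:\Users\u\AppData\Local\Temp\sdelete.exe -p 16 secring.gpg"),
    # Benign look-alikes: routine SDelete use and a signature check.
    ("HOST-B", 300, "proc", r"C:\Tools\sdelete.exe -p 3 C:\old\report.doc"),
    ("HOST-B", 310, "proc", r"C:\Program Files\GnuPG\bin\gpg.exe --verify release.sig"),
]

def indicators(kind, detail):
    """Return the set of indicator names that a single event matches."""
    d = detail.lower()
    hits = set()
    if kind == "file" and d.endswith(".vault"):
        hits.add("vault_file")
    if kind == "proc":
        if re.search(r"(^|[\\/ ])gpg2?\.exe", d):
            hits.add("gpg_exec")
        if re.search(r"(^|[\\/ ])sdelete(64)?\.exe", d):
            if any(name in d for name in KEY_FILES):
                hits.add("sdelete_key_material")
            if re.search(r"\s-p\s+16\b", d):
                hits.add("sdelete_16_passes")
    return hits

def correlate(events):
    """Map host -> sorted indicators once THRESHOLD distinct ones share a window."""
    per_host = defaultdict(list)
    for host, ts, kind, detail in events:
        for name in indicators(kind, detail):
            per_host[host].append((ts, name))
    alerts = {}
    for host, seen in per_host.items():
        seen.sort()
        for start, _ in seen:
            names = {n for t, n in seen if start <= t <= start + WINDOW_SECONDS}
            if len(names) >= THRESHOLD:
                alerts[host] = sorted(names)
                break
    return alerts
```

On the constructed events, only HOST-A alerts; HOST-B matches a single indicator and stays below the threshold.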
