New crypto-ransomware “quarantines” files, downloads info-stealer
Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware.
It arrives on target computers after the user has been tricked into downloading and running a malicious attachment – a JavaScript file – that downloads four files: the ransomware itself, SDelete (a MS Sysinternals tool that will be used to delete files), GnuPG (a legitimate open source encryption tool), and a GnuPG library file.
The ransomware uses GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.
“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos explains.
A bigger and more detailed ransom note is displayed on the infected system’s desktop. Given that the ransom note and the ransomware support portal are in Russian, this campaign is obviously aimed at Russian-speaking users.
“The malware deletes key files, secring.gpg, vaultkey.vlt and confclean.lst, by using sDelete, a Microsoft Sysinternals tool. sDelete is capable of overwriting a deleted file’s disk data that makes it difficult or nearly impossible to recover deleted files,” says Marcos.
“Though this isn’t the first time we’re seeing SDelete being used in crypto-ransomware attacks, it appears that this is a first for malware to use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file.”
In the end, the ransomware also downloads and executes Browser Password Dump, a hacking tool capable of extracting passwords stored by a number of popular web browsers, which are then sent to the C&C server controlled by the attackers.
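For defenders, the behaviour described above (SDelete wiping the named key files, alongside files gaining the .vault extension) can be hunted for in endpoint telemetry. The following is an added example, not code from Trend Micro or the article; the event schema, sample events, host names, paths and rename threshold are constructed assumptions.

```python
import re
import shlex
from collections import defaultdict
from pathlib import PureWindowsPath

WIPED_KEY_FILES = {"secring.gpg", "vaultkey.vlt", "confclean.lst"}  # named in the article
VAULT_EXT = ".vault"      # extension the article gives for encrypted files
RENAME_THRESHOLD = 3      # assumption: .vault renames per host that count as mass encryption
PASSES_RE = re.compile(r"\s-p\s+(\d+)")  # SDelete's overwrite-pass option

# Constructed events in a hypothetical normalized schema (not from a real infection).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "proc", "cmd": r"C:\Temp\sdelete.exe -p 16 C:\Temp\secring.gpg"},
    {"host": "ws01", "type": "proc", "cmd": r"C:\Temp\sdelete.exe -p 16 vaultkey.vlt"},
    {"host": "ws01", "type": "rename", "new": r"C:\Docs\q1.xlsx.vault"},
    {"host": "ws01", "type": "rename", "new": r"C:\Docs\plan.docx.vault"},
    {"host": "ws01", "type": "rename", "new": r"C:\Pics\team.jpg.vault"},
    {"host": "ws02", "type": "proc", "cmd": r"sdelete.exe -p 3 D:\old\backup.bak"},  # benign use
    {"host": "ws02", "type": "rename", "new": r"D:\notes\keys.vault"},
]

def basename(token):
    """Lower-cased file name of a (possibly quoted) Windows path token."""
    return PureWindowsPath(token.strip('"')).name.lower()

def sdelete_key_wipe(cmd):
    """Return (file, passes) if cmd runs SDelete against a key file named in the article."""
    tokens = shlex.split(cmd, posix=False)  # posix=False keeps backslashes intact
    if not tokens or not basename(tokens[0]).startswith("sdelete"):
        return None
    hits = sorted({basename(t) for t in tokens[1:]} & WIPED_KEY_FILES)
    if not hits:
        return None
    match = PASSES_RE.search(cmd)
    return hits[0], (int(match.group(1)) if match else 1)  # SDelete defaults to one pass

def analyze(events):
    """Alert per host only when key-file wiping and mass .vault renames coincide."""
    wipes, renames = defaultdict(list), defaultdict(int)
    for ev in events:
        if ev["type"] == "proc":
            hit = sdelete_key_wipe(ev["cmd"])
            if hit:
                wipes[ev["host"]].append(hit)
        elif ev["type"] == "rename" and ev["new"].lower().endswith(VAULT_EXT):
            renames[ev["host"]] += 1
    return {h: {"wipes": wipes[h], "vault_renames": renames[h]}
            for h in wipes if renames[h] >= RENAME_THRESHOLD}
```

Requiring both signals keeps ordinary administrative SDelete use and a lone .vault file (host ws02 in the sample) from raising an alert.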