Russians Beware: You could be next target of CRYPVAULT Ransomware

Security researchers have recently discovered a new ransomware variant dubbed ‘CRYPVAULT’, which makes encrypted files appear as if they were quarantined files. In IT security parlance, quarantine denotes an encrypted repository that holds a virus-infected file, so as to ensure that it does not further affect the system.

What is CrypVault Ransomware?

A variant of CryptoLocker ransomware, which prevents users from accessing their personal document files, zip files and a host of other files. Victims cannot access their files without the private key, which is held by the malware author; to obtain the key, the victim has to pay a ransom to the cyber-criminal in virtual currency, such as Bitcoin.

So how does it work?

The malware enters the user’s system through a spam email attachment. When the recipient of the email executes this attachment, the payload is downloaded from the C&C server: GNU Privacy Guard (GnuPG) and a few other executables, which are then installed on the victim’s computer. First, GnuPG is installed and executed to begin the encryption process, i.e. the generation of an RSA-1024 public and private key pair that will be used for encryption. Thereafter, the other downloaded files are executed, which begin the actual encryption of the document files, image files and zip files present on the user’s hard drive.

The files are given a .vault extension so that they appear to have been quarantined. After the encryption process is complete, the icon associated with the .vault extension is changed to resemble a padlock.

An alert message and a text file containing instructions on how the victim can recover their encrypted files are displayed on the victim’s system. The ransom note, the text file name and the ransomware support portal are all in Russian. According to researchers, this ransomware is intended to target Russians.

Researchers also found that the malware deletes the key files generated during the initial stages of encryption with the help of SDelete, a Microsoft Sysinternals tool. The purpose of using this tool is to permanently delete the files from the victim’s operating system so that they cannot be recovered by any third-party tool. Moreover, the number of overwrite passes used with SDelete is more than 10, making it even more difficult to recover the deleted files.

The malware also deletes Shadow Volume Copies and restore points from the victim’s system, if any. This is to ensure that the victim is unable to restore data from System Restore Points. It was also observed that the malware harvests the user’s logon credentials: it downloads and installs Browser Password Dump, a hacking tool that collects saved login passwords from browsers such as Mozilla Firefox, Internet Explorer, Google Chrome and Safari. The logon credentials are then uploaded to the Command and Control server.

So how can we safeguard ourselves against CrypVault Ransomware?

Below are some tips suggested for the same:

  • Use trustworthy antivirus software (eScan) on a regular basis, which will protect your system from malware.
  • Configure your antivirus settings for automatic updates.
  • Ensure that all software installed on your system is updated frequently, including Oracle Java and Adobe products.
  • Disable Auto-play for USB and optical drives such as pen drives, external hard disks and CD/DVDs.
  • Make sure that a pop-up blocker is running in your web browser.
  • Regularly back up your important files.
  • Make sure that your web browser, along with your operating system, is frequently updated.
  • Ensure that sensitive information is stored in encrypted form using the various tools that are available.

Are You Sure, You’re Not Dating Online With A Fraudster?

Online dating has become very popular these days, and many people use the internet to find love. It gives people hoping to find the right companion a global reach. That hope exposes them to many people, including fraudsters. Unfortunately, the internet is full of fraudsters waiting to prey on people genuinely looking for a partner. These scammers create fake profiles on genuine internet dating websites to target innocent people.

This Is How It Happens…

Scammers contact people online and show interest in them. They use an attractive-looking fake profile and a model-like photo. For weeks or even months, they chat continuously to form a close connection. They may even send gifts, flowers or cards to express their love. After developing a relationship with their victim, they convince the victim to send money. The demand for money can be a one-time affair or repeated over a prolonged period. Victims may also be asked to move the conversation to a private chat or social networking site, where the talk can even turn intimate. According to researchers, the number of online dating scams is only increasing with time, and 1 in every 10 profiles is a scam.

Similarly, online matchmaking is the other side of the same coin. According to an online survey, matrimonial portals have become the most preferred option for soulmate seekers. With the extensive use of the internet, the concept of a marriage agent with a thick album of photographs is slowly being phased out. Now, the search for a companion starts on such matrimony sites, as these sites claim to expose you to a number of options. Matrimony scams are also known as ‘the romance scam’. On such matrimony sites, one person interacts with another to create a loving relationship. Unfortunately, scammers take advantage of this very emotion, love, and request money. The innocent lover immediately transfers the money to their supposed other half and is duped emotionally as well as financially. It is therefore important to be wary of such scammers.

If your online date is a fraud then he/she will:

  • Request that you communicate using email or personal messaging
  • Declare his/her feelings of love instantly
  • Claim to be from a foreign country, where he/she is travelling or working
  • Send you a glamorous photograph which is actually of a celebrity or model
  • Send gifts or cards to express his/her love
  • Show desperation to visit you but be unable to do so because he/she is caught up with some urgent task
  • Make thousands of excuses for not meeting you in person
  • Request money, claiming the need is urgent and that relatives are unable to help for various reasons

Therefore, it is very important to be wary of such scammers. Below are some important rules to consider while searching for a partner online in order to avoid scams and frauds.

  • Always carry out a thorough background check on the person, both online and offline.
  • Ensure that the photographs posted by the person on online dating/matrimony sites are genuine and not morphed.
  • A model-like picture or an unclear picture on such sites can be a warning sign.
  • Compare the person’s online matrimonial profile with his/her general social networking profile and make sure they match.
  • Check who the person is associated with; it is always advisable to look at their circle of associates. A genuinely decent person will be linked with decent people.
  • If the person is not from the same city, connect with his/her family and friends, especially those who live in that city.
  • Watch out for emails or messages that sound pleading in response to your refusal to send money.

Be careful! There are many online dating scams out there. Don’t become a victim. Have fun and safe dating!

Are you hit by the Ransomware that demands ‘Paypal My Cash Cards’?

Mahatma Gandhi once said, “There is sufficiency in the world for man’s need but not for man’s greed.” Even today, these words ring true, especially when it comes to a criminal!

Are you a video gamer who frequently plays games such as Call of Duty, StarCraft 2 or Fallout 3? If yes, then you surely need to read this. Even if you don’t, you still need to know about it.

According to new research, a new file-encrypting program called TeslaCrypt has been discovered. It is a new version of ransomware used by hackers to extort money from users.

According to US-CERT, Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of $100–$300 dollars and is sometimes demanded in virtual currency, such as Bitcoin.

What is TeslaCrypt Ransomware?

A variant of CryptoLocker ransomware which prevents users from accessing their photos, personal documents and, most notably, game files, which is what sets it apart from CryptoLocker. It is also called Cryptolocker-v3 and encrypts files present on the user’s system. The private key is held by the hacker, and the victim has to pay the ransom demanded by the cyber-criminal to regain access.

How does TeslaCrypt Ransomware work?

It typically propagates as a spam email attachment or as a Trojan that enters the system bundled with freeware or a file downloaded from the Internet. Once it has entered the user’s system, it starts the encryption process, i.e. encrypting the document files, photos and game files present on the hard drive.

Cryptolocker-v3 uses AES encryption and targets files with extensions including .xlsm, .syncdb, .pptm, .doc and .mdbackup. The extension .ecc is appended to every encrypted file. When the encryption of files is complete, all Shadow Volume Copies and restore points are deleted from the victim’s system. This is to ensure that the victim is unable to restore data from System Restore Points.

After the Shadow Volume Copies and restore points have been deleted, the victim’s desktop wallpaper is changed to a ransom note, accompanied by a text file containing instructions on how the victim can recover their encrypted files.

Researchers have also found that TeslaCrypt may kill processes related to System Configuration (msconfig), Command Prompt (cmd.exe), Task Manager (taskmgr.exe), Registry Editor (regedit.exe) and Process Explorer (procexp.exe), which can make it difficult for the user to remove the ransomware. This ransomware accepts Bitcoin as payment but, unusually, also accepts ‘PayPal My Cash Cards’.
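Both the CrypVault and TeslaCrypt descriptions above list host behaviours a defender can watch for: a GnuPG key-generation run, SDelete with more than 10 passes, Shadow Volume Copy deletion, killing of admin tools, and a burst of files renamed to .vault or .ecc. The following is an added example, not code from this blog or from eScan, of a small detector over constructed process-creation and file-rename events; the "timestamp|type|detail" log format, the sample lines and the rename threshold are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not real telemetry) in an assumed
# "timestamp|type|detail" format: proc = process creation, file = rename.
SAMPLE_EVENTS = """\
2015-04-03T10:00:01|proc|gpg.exe --batch --gen-key keyparams.txt
2015-04-03T10:00:05|file|C:\\Users\\a\\Docs\\report.docx -> C:\\Users\\a\\Docs\\report.docx.vault
2015-04-03T10:00:05|file|C:\\Users\\a\\Docs\\budget.xlsm -> C:\\Users\\a\\Docs\\budget.xlsm.ecc
2015-04-03T10:00:06|file|C:\\Users\\a\\Pics\\cat.jpg -> C:\\Users\\a\\Pics\\cat.jpg.vault
2015-04-03T10:00:09|proc|sdelete.exe -p 16 C:\\Users\\a\\AppData\\secring.gpg
2015-04-03T10:00:10|proc|vssadmin.exe delete shadows /all /quiet
2015-04-03T10:00:12|proc|taskkill /f /im taskmgr.exe
2015-04-03T10:00:13|proc|notepad.exe readme.txt
"""

RANSOM_EXTS = (".vault", ".ecc")   # extensions named in the two posts
RENAME_THRESHOLD = 3               # renames per minute before alerting (assumed value)
SDELETE_PASSES = 10                # post: "more than 10" overwrite passes

def analyse(events: str) -> list:
    """Return one alert string per suspicious behaviour found in the events."""
    alerts = []
    renames_per_minute = Counter()
    for line in events.strip().splitlines():
        ts, kind, detail = line.split("|", 2)
        low = detail.lower()
        if kind == "proc":
            if "vssadmin" in low and "delete shadows" in low:
                alerts.append(f"{ts} shadow-copy-deletion: {detail}")
            m = re.search(r"sdelete\S*\s.*-p\s+(\d+)", low)
            if m and int(m.group(1)) > SDELETE_PASSES:
                alerts.append(f"{ts} secure-wipe-{m.group(1)}-passes: {detail}")
            if "gpg" in low and ("--gen-key" in low or "--encrypt" in low):
                alerts.append(f"{ts} gnupg-invoked: {detail}")
            if "taskkill" in low and re.search(r"taskmgr|regedit|procexp|msconfig", low):
                alerts.append(f"{ts} admin-tool-kill: {detail}")
        elif kind == "file" and low.endswith(RANSOM_EXTS):
            renames_per_minute[ts[:16]] += 1   # bucket by YYYY-MM-DDTHH:MM
    for minute, n in renames_per_minute.items():
        if n >= RENAME_THRESHOLD:
            alerts.append(f"{minute} mass-rename-to-ransom-extension: {n} files")
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(alert)
```

Any single rule here fires on legitimate admin activity too; the value is in several firing together on one host within a minute, which is how a SOC would correlate them.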

So how can we safeguard ourselves against TeslaCrypt Ransomware? Below are some tips suggested for the same:

  • Update your antivirus software (eScan) on a regular basis, which will protect your system from all kinds of malware attacks.
  • Ensure that all software installed on your system is updated frequently, including Oracle Java and Adobe products.
  • Avoid clicking pop-ups, especially those displayed on unknown websites, as they may lead to the unintentional download of a virus or malware onto your system.
  • Never send or reply to emails that ask for sensitive information such as credit card numbers, PINs (Personal Identification Numbers) or bank account numbers from an unauthorized person.
  • Disable Auto-play for USB and optical drives such as pen drives, external hard disks and CD/DVDs.
  • Make sure that a pop-up blocker is running in your web browser.
  • Regularly back up your important files.