Security researchers have recently discovered a new ransomware variant dubbed ‘CRYPVAULT’, which makes encrypted files appear as if they were quarantined files. In IT security parlance, quarantine denotes an encrypted repository that holds virus-infected files so that they cannot further affect the system.
What is CrypVault Ransomware?
CrypVault is a variant of CryptoLocker ransomware that prevents users from accessing their personal documents, zip files and a host of other file types. Victims cannot access their files without a private key, which is held by the malware author; to obtain the key, the victim has to pay a ransom to the cyber-criminal in a virtual currency such as Bitcoin.
So how does it work?
The malware enters the user’s system through a spam email attachment. When the recipient executes the attachment, the payload is downloaded from the C&C server: GNU Privacy Guard (GnuPG) and a few other executables, which are then installed on the victim’s computer. First, GnuPG is installed and executed, which starts the encryption process by generating the keys, namely an RSA-1024 public/private key pair, that will be used for encryption. Thereafter, the other downloaded files are executed and begin the actual encryption of the document, image and zip files on the user’s hard drive.
The files are appended with a .Vault extension so that they appear to have been quarantined. After the encryption process is complete, the icon associated with the .vault extension is changed to resemble a padlock.
An alert message and a text file with instructions on how the victim can recover their encrypted files are displayed on the victim’s system. The ransom note, the text file name and the ransomware support portal are all in Russian. According to researchers, this ransomware is intended to target Russian users.
Researchers also found that the malware deletes the key files generated during the initial stages of encryption using SDelete, a Microsoft Sysinternals tool. The purpose of using this tool is to permanently erase the files from the victim’s operating system so that they cannot be recovered by any third-party tool. Moreover, the number of overwrite passes used by SDelete is more than 10, making recovery of the deleted files even harder.
The malware also deletes Shadow Volume Copies and restore points from the victim’s system, if any, to ensure that the victim cannot restore data from System Restore points. It was also observed that the malware harvests the user’s various logon credentials by downloading and installing Browser Password Dump, a hacking tool that collects login passwords from browsers such as Mozilla Firefox, Internet Explorer, Google Chrome and Safari. The logon credentials are then uploaded to the command and control server.
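As an added defender-side example (not code from the original post or from eScan), the following Python checks illustrate how the behaviour described above can be spotted on an endpoint: a high share of .vault files in a directory, SDelete runs with more than ten overwrite passes, and shadow-copy deletion. The sample directory tree, the sample command lines, the vssadmin invocation and the pass count are constructed assumptions for illustration, not indicators taken from the post.

```python
import os
import re
import tempfile

VAULT_EXT = ".vault"  # extension CrypVault appends to encrypted files
# Constructed process command lines, as an endpoint sensor might record them.
# The sdelete/vssadmin invocations are hypothetical illustrations of the
# behaviour described above, not captured from a real sample.
SAMPLE_PROCESS_LOG = [
    r"C:\Windows\explorer.exe",
    r"C:\Users\v\AppData\Local\Temp\sdelete.exe -p 16 -q C:\Users\v\AppData\Local\Temp\secring.gpg",
    r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
]
SDELETE_RE = re.compile(r"sdelete(?:\.exe)?\b.*?\s-p\s+(\d+)", re.IGNORECASE)
SHADOW_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)

def flag_process_lines(lines, pass_threshold=10):
    """Flag SDelete runs with more than pass_threshold passes and shadow-copy deletion."""
    flagged = []
    for line in lines:
        m = SDELETE_RE.search(line)
        if m and int(m.group(1)) > pass_threshold:
            flagged.append((line, f"sdelete with {m.group(1)} overwrite passes"))
        elif SHADOW_RE.search(line):
            flagged.append((line, "shadow copy deletion"))
    return flagged

def scan_for_vault_files(root, threshold=0.5):
    """Return {dir: (vault_files, total_files)} for directories where the share
    of .vault files (case-insensitive) reaches threshold."""
    hits = {}
    for dirpath, _subdirs, files in os.walk(root):
        n_vault = sum(1 for f in files if f.lower().endswith(VAULT_EXT))
        if n_vault and n_vault / len(files) >= threshold:
            hits[dirpath] = (n_vault, len(files))
    return hits

def build_constructed_tree(root):
    """Constructed sample: Documents mostly encrypted, Pictures untouched."""
    layout = {"Documents": ["report.docx.vault", "budget.xlsx.Vault", "notes.txt.vault", "todo.txt"],
              "Pictures": ["cat.jpg", "dog.png"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"\x00" * 16)  # content is irrelevant to the check

def demo():
    """Run both checks over the constructed data; returns (vault_hits_by_relpath, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        hits = {os.path.relpath(d, tmp): v for d, v in scan_for_vault_files(tmp).items()}
    return hits, flag_process_lines(SAMPLE_PROCESS_LOG)
```

In practice the directory scan would run against user profile folders and the command-line check against a process-creation log feed; both are heuristics and need tuning against benign activity before alerting.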
So how can we safeguard ourselves against CrypVault Ransomware?
Below are some tips to do so:
- Use trustworthy antivirus software (eScan) on a regular basis to protect your system from malware.
- Configure your antivirus to update automatically.
- Ensure that all software installed on your system is updated frequently, including Oracle Java and Adobe products.
- Disable Auto-play for USB and optical drives such as pen drives, external hard disks and CD/DVDs.
- Make sure that a pop-up blocker is running in your web browser.
- Regularly back up your important files.
- Make sure that your web browser and your operating system are updated frequently.
- Ensure that sensitive information is stored in encrypted form using one of the various tools available.