New crypto-ransomware “quarantines” files, downloads info-stealer

April 7, 2015 – 8:46 AM

Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for a ransom and, finally, downloads info-stealer malware.

It arrives on target computers after the user has been tricked into downloading and running a malicious attachment, a JavaScript file, that downloads four files: the ransomware itself, SDelete (a Microsoft Sysinternals tool that overwrites files before deleting them, so the originals cannot be recovered from disk), GnuPG (a legitimate open-source encryption tool), and a GnuPG library file. Two of the four components are signed, widely used utilities rather than malware, which is why their presence alone does not trip most AV signatures.

The ransomware uses GnuPG to generate an RSA-1024 public/private key pair and encrypts the victim's files to that public key. As with any GnuPG public-key encryption, each file is encrypted under a fresh symmetric session key, and only that session key is wrapped with the RSA public key, so recovery hinges entirely on the private key: 1024-bit RSA is no longer recommended for new deployments, but no public factoring of a 1024-bit modulus exists, so a victim without the private key cannot decrypt the files. It targets popular file types, mostly document, image, and database files.

“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos explains.
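The chain described above (a script-host attachment, unattended GnuPG key generation, GnuPG encryption, SDelete wiping the originals, and a burst of renames to *.vault) is unusual enough to correlate on endpoint telemetry. The following is an added example written for this page, not code from Trend Micro or from the malware analysis: it runs a few detection rules over constructed, Sysmon-style process-creation and file-rename events and reports which process tree shows the full pattern. The script-host names, the dropped binary's name, the exact GnuPG and SDelete command lines and the rename threshold are all assumptions; the article only names the components.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry, not real captures. Everything except the
# tool names gpg.exe and sdelete.exe (script host, dropped binary name,
# command-line flags) is an assumption about how the chain would look.
PROCESS_EVENTS = [
    {"pid": 1100, "ppid": 800, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1201, "ppid": 1100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\alice\\Downloads\\invoice.js"'},
    {"pid": 1250, "ppid": 1201, "image": "dropped.exe",  # assumed name of the ransomware binary
     "cmdline": "C:\\Users\\alice\\AppData\\Local\\Temp\\dropped.exe"},
    {"pid": 1330, "ppid": 1250, "image": "gpg.exe",  # unattended key generation from a parameter file
     "cmdline": "gpg.exe --batch --gen-key C:\\Users\\alice\\AppData\\Local\\Temp\\params.txt"},
    {"pid": 1345, "ppid": 1250, "image": "gpg.exe",
     "cmdline": 'gpg.exe --batch --yes -r victim -e "C:\\Users\\alice\\Documents\\q3.xlsx"'},
    {"pid": 1360, "ppid": 1250, "image": "sdelete.exe",
     "cmdline": 'sdelete.exe -p 1 "C:\\Users\\alice\\Documents\\q3.xlsx"'},
    # Benign: an administrator listing keys from a console; must not fire.
    {"pid": 2001, "ppid": 900, "image": "gpg.exe", "cmdline": "gpg.exe --list-keys"},
]

# (pid, old_path, new_path) file-rename events, also constructed.
FILE_RENAMES = [
    (1250, r"C:\Users\alice\Documents\q3.xlsx", r"C:\Users\alice\Documents\q3.xlsx.vault"),
    (1250, r"C:\Users\alice\Pictures\cat.jpg", r"C:\Users\alice\Pictures\cat.jpg.vault"),
    (1250, r"C:\Users\alice\Documents\crm.mdb", r"C:\Users\alice\Documents\crm.mdb.vault"),
    (3000, r"C:\Users\alice\Desktop\draft.txt", r"C:\Users\alice\Desktop\final.txt"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumed hosts for a .js attachment
VAULT_RENAME_THRESHOLD = 3                       # assumed; tune to the environment
ENCRYPT_FLAG = re.compile(r"(^|\s)(-e|--encrypt)(\s|$)")


def script_host_ancestor(pid, by_pid):
    """Walk the parent chain; return the nearest script-host pid, or None."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if by_pid[pid]["image"].lower() in SCRIPT_HOSTS:
            return pid
        pid = by_pid[pid]["ppid"]
    return None


def detect(process_events, file_renames):
    """Return (root_pid, pid, tag, detail) for every suspicious step seen."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        root = script_host_ancestor(e["pid"], by_pid)
        if img == "gpg.exe" and "--gen-key" in cmd and "--batch" in cmd:
            findings.append((root, e["pid"], "keygen", "unattended GnuPG key generation"))
        # Encryption by gpg is only interesting when a script host is an ancestor.
        if img == "gpg.exe" and ENCRYPT_FLAG.search(cmd) and root is not None:
            findings.append((root, e["pid"], "encrypt", "GnuPG encryption under a script host"))
        if img == "sdelete.exe":
            findings.append((root, e["pid"], "wipe", "SDelete wipe tool executed"))
    vault_renames = defaultdict(int)
    for pid, _old, new in file_renames:
        if new.lower().endswith(".vault"):
            vault_renames[pid] += 1
    for pid, n in vault_renames.items():
        if n >= VAULT_RENAME_THRESHOLD:
            findings.append((script_host_ancestor(pid, by_pid), pid,
                             "mass_vault_rename", f"{n} files renamed to .vault"))
    return findings


def cryptvault_like_roots(findings):
    """Script-host roots under which key generation, wiping and .vault renames all occurred."""
    tags_by_root = defaultdict(set)
    for root, _pid, tag, _detail in findings:
        if root is not None:
            tags_by_root[root].add(tag)
    required = {"keygen", "wipe", "mass_vault_rename"}
    return sorted(root for root, tags in tags_by_root.items() if required <= tags)


if __name__ == "__main__":
    found = detect(PROCESS_EVENTS, FILE_RENAMES)
    for root, pid, tag, detail in found:
        print(f"root={root} pid={pid} {tag}: {detail}")
    print("CryptVault-like chains rooted at:", cryptvault_like_roots(found))
```

Each rule on its own is noisy (administrators run gpg and sdelete legitimately), which is why the verdict is made per process tree: only a root that shows key generation, wiping and a burst of .vault renames together is reported, and the lone `gpg.exe --list-keys` with no script-host ancestor produces nothing.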
