Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware.
The ransomware uses GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.
“After encryption, the malware will change all associated *.vault file extensions to padlock icons. Each ‘locked’ and encrypted file will display a ransom note when opened,” Threat Response Engineer Michael Marcos explains.
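For defenders, the *.vault extension described above gives a simple hunting signal. The following is an added example, not code from Trend Micro or from the malware: it flags any host and process pair that creates many distinct *.vault files in a short window. The event format, host names, process names, paths, threshold and window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-creation events: (ISO timestamp, host, process, path).
# Every name and path here is made up for illustration.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "ws-01", "sample.exe", r"C:\Users\amy\Documents\budget.vault"),
    ("2024-01-01T10:00:02", "ws-01", "winword.exe", r"C:\Users\amy\Documents\letter.docx"),
    ("2024-01-01T10:00:05", "ws-01", "sample.exe", r"C:\Users\amy\Documents\notes.vault"),
    ("2024-01-01T10:00:10", "ws-01", "sample.exe", r"C:\Users\amy\Pictures\photo.VAULT"),
    ("2024-01-01T10:00:15", "ws-01", "sample.exe", r"C:\Users\amy\Data\clients.vault"),
    ("2024-01-01T10:00:20", "ws-01", "sample.exe", r"C:\Users\amy\Data\scan.vault"),
    # A single *.vault file from another tool must not raise an alert.
    ("2024-01-01T10:03:00", "ws-02", "pwmanager.exe", r"C:\Users\bob\personal.vault"),
]


def detect_vault_burst(events, window_seconds=60, threshold=5):
    """Return one (host, process, window_start, count) tuple per host/process
    pair that creates at least `threshold` distinct *.vault files within
    `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, process) -> deque of (time, path)
    alerts = {}
    # Same-format ISO timestamps sort chronologically as strings.
    for ts, host, process, path in sorted(events):
        if not path.lower().endswith(".vault"):
            continue
        when = datetime.fromisoformat(ts)
        key = (host, process)
        queue = recent[key]
        queue.append((when, path.lower()))
        # Drop events that have fallen out of the sliding window.
        while queue and when - queue[0][0] > window:
            queue.popleft()
        distinct = {p for _, p in queue}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = (host, process, queue[0][0].isoformat(), len(distinct))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_vault_burst(SAMPLE_EVENTS):
        print("possible mass encryption:", alert)
```

The threshold and window need tuning against a baseline of normal activity, since some legitimate software also writes files with a .vault extension.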