Today’s viruses are getting seriously scary. We’ve got a frightening new virus to tell you about today. This virus will lock up your files like most ransomware, but then it will also download an info-stealer and hijack your personal information.
The new virus is called CrypVault and it has some things in common with infamous ransomware software CryptoLocker.
CrypVault will actually encrypt your files and make them look like files that have been quarantined by legitimate antivirus software. Then, CrypVault will demand a ransom in exchange for your files.
As if that wasn’t bad enough, CrypVault will cap off its performance by downloading an information stealing application.
Here’s how the attack proceeds:
Step 1) The user launches the attack inadvertently by being tricked into downloading and running a malicious attachment that comes in the form of a JavaScript file.
Step 2) That JavaScript file will immediately download four files: the ransomware itself, SDelete, GnuPG, and a GnuPG library file. SDelete is a Microsoft Sysinternals tool used to securely delete files, while the last two items on the list are the open source encryption tool and its library file that will lock up your precious files.
Step 3) The ransomware will begin using GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt your files. The ransomware particularly seeks out popular file types like documents, images, and database files – you know, files you actually care about.
Step 4) After encrypting your files, the malware will then change all the new .vault files it created into padlock icons. When you click on these padlocked files, you’ll get a warning message demanding a ransom.
You’ll also see a more descriptive ransom message displayed on your desktop. The ransom note and support documents are all written in Russian, so it’s pretty clear this malware is targeted towards Russian computer users.
Step 5) Whether you pay the ransom or not, the malware will then begin to download and execute the Browser Password Dump. This is a hacking tool which sniffs out passwords stored in your browser. These passwords are then sent back to the main command and control server.
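As an added example (not code from the original post or from Trend Micro), here is a small detection heuristic a defender could run over endpoint telemetry to spot the chain in the steps above: a script host launching dropped payloads, GnuPG generating keys or encrypting non-interactively, sdelete wiping the key files named later in this article, and a burst of .vault renames. The event format, tool names other than those in the article, and the sample events are all constructed for illustration.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                  # Windows hosts that run a .js attachment
DROPPED_TOOLS = {"gpg.exe", "gpg2.exe", "sdelete.exe"}         # tools the article says are downloaded
KEY_FILES = {"secring.gpg", "vaultkey.vlt", "confclean.lst"}   # key files named in the Trend Micro quote
VAULT_BURST = 20                                               # .vault renames before we call it mass encryption

def score_events(events, burst=VAULT_BURST):
    """Score constructed Sysmon-style events for the CrypVault chain.

    events: dicts with 'kind' ('process' or 'file'); process events carry
    'parent', 'image', 'cmdline', file events carry 'path'.
    Returns (number_of_indicators, list_of_reasons).
    """
    reasons = []
    vault_files = 0
    for ev in events:
        if ev["kind"] == "file":
            if ev["path"].lower().endswith(".vault"):
                vault_files += 1
            continue
        parent, image = ev["parent"].lower(), ev["image"].lower()
        cmd = ev["cmdline"].lower()
        # Steps 1-2: the script host that ran the attachment launches a dropped tool or a temp-dir binary.
        if parent in SCRIPT_HOSTS and (image in DROPPED_TOOLS or "\\temp\\" in cmd):
            reasons.append(f"script host {parent} launched {image}")
        # Step 3: GnuPG generating a key pair or encrypting in batch mode on a workstation.
        if image.startswith("gpg") and ("--gen-key" in cmd or "--encrypt" in cmd or " -e " in cmd):
            reasons.append(f"{image} non-interactive key generation/encryption: {cmd}")
        # Key wiping described in the Trend Micro quote: sdelete aimed at the key material.
        if image == "sdelete.exe" and any(k in cmd for k in KEY_FILES):
            reasons.append(f"sdelete wiping key material: {cmd}")
    # Step 4: many files renamed to .vault in one batch of telemetry.
    if vault_files >= burst:
        reasons.append(f"{vault_files} files renamed to .vault")
    return len(reasons), reasons

# Constructed sample telemetry mirroring the steps above (not real logs).
SAMPLE = [
    {"kind": "process", "parent": "wscript.exe", "image": "ransom.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\ransom.exe"},
    {"kind": "process", "parent": "ransom.exe", "image": "gpg.exe",
     "cmdline": "gpg.exe --batch --gen-key params.txt"},
    {"kind": "process", "parent": "ransom.exe", "image": "sdelete.exe",
     "cmdline": "sdelete.exe -p 3 secring.gpg vaultkey.vlt confclean.lst"},
] + [{"kind": "file", "path": rf"C:\Users\u\Documents\doc{i}.docx.vault"} for i in range(25)]

if __name__ == "__main__":
    n, why = score_events(SAMPLE)
    print(f"score {n}:", *why, sep="\n  ")
```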
“Difficult or Nearly Impossible” To Recover Files
Whether you pay the ransom or not, your files are virtually impossible to recover. According to Michael Marcos, a Threat Response engineer writing on the Trend Micro security blog, the malware deletes the key files and overwrites the disk space they occupied:
“The malware deletes key files, secring.gpg, vaultkey.vlt and confclean.lst, by using sDelete, a Microsoft Sysinternals tool. sDelete is capable of overwriting a deleted file’s disk data that makes it difficult or nearly impossible to recover deleted files,” says Marcos.
In other words, you shouldn’t pay the ransom. You’ll just have to accept that your files are gone.
The best way to recover your files from a ransomware attack is to restore backups from either an external hard drive or from cloud storage. If you didn’t make a backup, then you could be out of luck.