Security researchers have identified a new ransomware family dubbed CrypVault, also detected under the name BAT_CRYPVAULT.A. It differs in several ways from the crypto-ransomware seen so far. Victims should not be pressured into paying the ransom: there is no assurance their files will be recovered.
CrypVault Distribution Technique
The four downloaded component files are stored in the %User Temp% folder. The authors also appear to have padded them with strings typical of malware-scanner log output, most likely to make CrypVault harder to detect.
CrypVault Encryption Method
Once executed, the malware installs GNU Privacy Guard (GnuPG), an open-source OpenPGP implementation, and uses it to perform the actual file encryption: GnuPG generates a public/private key pair, and the targeted files are encrypted with the public key. The private key is most likely stored in a file named vaultkey.vlt, which also holds configuration information, the number of encrypted files, and the PC name.
The targeted file extensions are:
- *.xls, *.doc, *.pdf, *.rtf, *.psd, *.dwg, *.cdr, *.cd, *.mdb, *.1cd, *.dbf, *.sqlite, *.jpg, *.zip
CrypVault also drops a .txt ransom note and displays a message on the victim's desktop with instructions for paying the fee and decrypting the files. The campaign appears to target Russian-speaking countries: the attachment name, the ransom note, and the support portal are all written in Russian.
CrypVault also uses SDelete, Microsoft's Sysinternals secure-deletion utility, to wipe files so that the victim cannot recover them without paying the ransom. SDelete is frequently abused in crypto-ransomware attacks, but this is probably the first case to run it with 16 overwrite passes, ensuring that no file-recovery tool can reconstruct the deleted data.
The malware then downloads and executes a hacking tool called Browser Password Dump, which harvests saved credentials from Chrome, Firefox, Internet Explorer, and Safari.
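The behaviour chain described above (GnuPG dropped into and launched from %User Temp%, SDelete run with 16 overwrite passes, then Browser Password Dump) is what a defender would hunt for in process-creation telemetry, alongside the vaultkey.vlt file and the targeted extension list. The script below is an added example written for this page, not code from the original write-up or from any vendor. The Sysmon-like event fields, the user-Temp path layout, the executable names, and the command lines are assumptions, and the sample events are constructed rather than captured from the real sample.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions the write-up lists as CrypVault targets.
TARGET_EXTENSIONS = {
    ".xls", ".doc", ".pdf", ".rtf", ".psd", ".dwg", ".cdr", ".cd",
    ".mdb", ".1cd", ".dbf", ".sqlite", ".jpg", ".zip",
}

# Assumed on-disk layout of %User Temp% (C:\Users\<name>\AppData\Local\Temp).
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    """Constructed, Sysmon-like process-creation record (field names assumed)."""
    image: str          # full path of the started executable
    command_line: str
    parent_image: str


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_gpg_from_temp(ev: ProcessEvent) -> Optional[Finding]:
    """GnuPG launched from the user's Temp folder, where CrypVault drops it."""
    if _name(ev.image) in {"gpg.exe", "gpg2.exe"} and USER_TEMP.search(ev.image):
        return Finding("gpg_from_user_temp", ev.image, ev.command_line)
    return None


def rule_sdelete_high_pass_count(ev: ProcessEvent, min_passes: int = 16) -> Optional[Finding]:
    """SDelete run with an unusually high overwrite pass count (its -p option)."""
    if _name(ev.image) not in {"sdelete.exe", "sdelete64.exe"}:
        return None
    m = re.search(r"(?:^|\s)-p\s*(\d+)", ev.command_line, re.IGNORECASE)
    passes = int(m.group(1)) if m else 1  # SDelete defaults to a single pass
    if passes >= min_passes:
        return Finding("sdelete_high_pass_count", ev.image, f"{passes} overwrite passes")
    return None


def rule_browser_password_dump(ev: ProcessEvent) -> Optional[Finding]:
    """Credential-harvesting tool launched by the script host (exe name assumed)."""
    if "browserpassworddump" in _name(ev.image).replace("_", "").replace("-", ""):
        return Finding("browser_password_dump", ev.image, f"parent={ev.parent_image}")
    return None


RULES = (rule_gpg_from_temp, rule_sdelete_high_pass_count, rule_browser_password_dump)


def hunt(events: List[ProcessEvent]) -> List[Finding]:
    """Apply every rule to every event and collect the hits in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


def is_crypvault_like(findings: List[Finding]) -> bool:
    """The chain is only convincing when encryption and secure wiping both appear."""
    seen = {f.rule for f in findings}
    return {"gpg_from_user_temp", "sdelete_high_pass_count"} <= seen


def vaultkey_indicators(paths: List[str]) -> List[str]:
    """File-system indicator: vaultkey.vlt written under the user's Temp folder."""
    return [p for p in paths if _name(p) == "vaultkey.vlt" and USER_TEMP.search(p)]


def targeted_files(paths: List[str]) -> List[str]:
    """Files whose extension is on CrypVault's target list (for impact triage)."""
    return [p for p in paths if ntpath.splitext(p)[1].lower() in TARGET_EXTENSIONS]


CMD = r"C:\Windows\System32\cmd.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed sample telemetry: the first four events mimic the CrypVault chain
# (command lines are illustrative, not captured from the sample); the last two are benign.
SAMPLE_EVENTS = [
    ProcessEvent(CMD, r'cmd.exe /c "' + TEMP + r'\run.bat"', r"C:\Windows\explorer.exe"),
    ProcessEvent(TEMP + r"\gpg.exe", r"gpg.exe --batch --yes -r victim -e C:\Users\alice\Documents\report.xls", CMD),
    ProcessEvent(TEMP + r"\sdelete.exe", r"sdelete.exe -p 16 C:\Users\alice\Documents\report.xls", CMD),
    ProcessEvent(TEMP + r"\BrowserPasswordDump.exe", "BrowserPasswordDump.exe", CMD),
    ProcessEvent(r"C:\Program Files (x86)\GnuPG\bin\gpg.exe", "gpg.exe --version", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Tools\sdelete.exe", r"sdelete.exe -p 1 C:\Temp\old.log", CMD),
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] {f.image}: {f.detail}")
    print("CrypVault-like chain:", is_crypvault_like(found))
```

Each rule on its own is noisy: administrators run gpg and sdelete legitimately, which is why the benign events above produce no hits and why is_crypvault_like() requires both the Temp-launched GnuPG and the high-pass-count SDelete before calling the chain a match.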
Victims are advised not to pay the ransom, since there is no guarantee their files will be decrypted. Instead, they should restore their data from their most recent backup.
The best defense against ransomware is keeping copies of important files on an external device (disconnected when not in use, so the malware cannot reach it) or in cloud storage.