‘CrypVault’: script-kiddie ransomware, but it’s just as effective
Tue 7 Apr 2015
Researchers at Trend Micro have identified a new strain of ransomware, dubbed ‘CrypVault’, which is characterised by its imitation and evasion of legitimate antivirus software – and by a disarming lack of sophistication in its assembly.
“…despite being a new crypto-ransomware variant,” the report says, “CRYPVAULT appears to possess limited functionalities as it is not coded using programming language.” Noting that the crypto-ransomware does not use imported libraries or ingenious functions, the report adds: “This shows how easy it is for cybercriminals to create new crypto-ransomware variants.”
With the downloaded files executing from Windows’ %User Temp% folder, the legitimate GnuPG encryption tool will, under CrypVault’s direction, proceed to encrypt files whose extensions indicate personal or valuable user content, such as Microsoft .doc and .xls, .sqlite (small local databases), .jpg, Photoshop .psd and a raft of other promising hostages.
The methodology of the attack is evasive and thorough – the extensions on the encrypted/ransomed files are renamed to .vault, commonly used by real antivirus software which has identified and quarantined malicious files for the user to make a decision on at their leisure. With the hostages taken, CrypVault runs a script which displays the ransom message to the end user. Since the attackers are seeking to avoid detection, the unlocking instructions mandate the use of the Tor browser, which provides diminishing but still largely effective anonymity. Once at the ransom site, the victim will need to upload a hash key created on the local disk by the infecting components, and can then run through payment procedures in order to be given the ability to unlock their files.
Unsurprisingly, that is not the end of it: the infection is also keen to obtain victim passwords and to this end the malware also installs Browser Password Dump, which will attempt to obtain passwords from any of the many supported web browsers that the victim may have installed. Once exfiltrated, the passwords will be uploaded to the attackers’ C&C server via a Visual Basic script entitled – in a rare example of candour – ‘up.vbs’.
The infection package seems to have been concocted originally with Russian victims in mind, given the numbers of Russian-language iterations of the ransom note which are produced in the infection process.
The report notes that CrypVault cleans up after itself very effectively, in order to avoid becoming the subject of security research: “Though this isn’t the first time we’re seeing SDelete being used in crypto-ransomware attacks, it appears that this is a first for malware to use 16 overwrite passes to make sure that recovery tools will have a hard time trying to reconstruct the deleted file.”
The use of the .vault extension and the elaborate renaming of the malicious components suggest above-average concern to avoid automated defence software – although any effective security solution would want to know not only what a running process is called, but also whether it is operating from the correct folder and behaving within expected parameters.
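The closing point, and the earlier observations that the components run from the user temp folder and rename encrypted files to .vault, can be turned into two simple behavioural checks. The following Python is an added example written for this page; it is not code from the article or from Trend Micro. The pipe-separated event format, the process and path names, and the sample log lines are all constructed for the example, and the threshold of five renames is an arbitrary assumption.

```python
"""Toy behavioural detector for the two traits described in the article:
a known tool name launching from a temp folder, and one process renaming
many user documents to .vault. Event format and sample data are constructed."""
from collections import defaultdict
import ntpath  # Windows path helpers; works on any host OS

# Constructed markers for directories treated as "user temp" on Windows.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Legitimate tool names mentioned in the article (GnuPG, SDelete) plus the
# script hosts that run .vbs files; none should normally start from a temp folder.
WATCHED_TOOLS = {"gpg.exe", "gpg2.exe", "sdelete.exe", "wscript.exe", "cscript.exe"}
# File types the article lists as targeted, plus modern Office equivalents.
HOSTAGE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".sqlite", ".jpg", ".psd"}
# Assumed threshold: this many hostage-type renames by one process counts as mass encryption.
RENAME_THRESHOLD = 5


def parse_event(line):
    """Parse one event in the constructed format 'PROC|pid|path' or 'RENAME|pid|old|new'."""
    fields = line.strip().split("|")
    if fields[0] == "PROC" and len(fields) == 3:
        return {"kind": "PROC", "pid": fields[1], "path": fields[2]}
    if fields[0] == "RENAME" and len(fields) == 4:
        return {"kind": "RENAME", "pid": fields[1], "old": fields[2], "new": fields[3]}
    return None  # unknown or malformed line is ignored


def is_temp_path(path):
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def check_process(evt):
    """Alert when a watched tool name runs from a temp directory instead of an install location."""
    name = ntpath.basename(evt["path"]).lower()
    if name in WATCHED_TOOLS and is_temp_path(evt["path"]):
        return f"pid {evt['pid']}: {name} launched from temp path {evt['path']}"
    return None


def check_renames(events):
    """Alert per process once it has renamed RENAME_THRESHOLD hostage-type files to .vault."""
    vault_renames = defaultdict(int)
    for evt in events:
        if evt["kind"] != "RENAME":
            continue
        old_ext = ntpath.splitext(evt["old"])[1].lower()
        new_ext = ntpath.splitext(evt["new"])[1].lower()
        if old_ext in HOSTAGE_EXTS and new_ext == ".vault":
            vault_renames[evt["pid"]] += 1
    return [f"pid {pid}: {n} hostage files renamed to .vault"
            for pid, n in sorted(vault_renames.items()) if n >= RENAME_THRESHOLD]


def analyse(lines):
    """Run both checks over raw log lines and return the list of alert strings."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    alerts = [a for a in (check_process(e) for e in events if e["kind"] == "PROC") if a]
    alerts.extend(check_renames(events))
    return alerts


# Constructed sample log: one legitimate GnuPG launch, two tools staged in temp,
# six .vault renames by the temp-launched gpg process, and two benign renames.
HOSTAGE_RENAMES = [
    f"RENAME|4242|C:\\Users\\alice\\Documents\\{name}|C:\\Users\\alice\\Documents\\{name}.vault"
    for name in ("budget.xls", "report.doc", "photo.jpg", "design.psd", "mail.sqlite", "plan.docx")
]
SAMPLE_LOG = [
    "PROC|1001|C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe",
    "PROC|4242|C:\\Users\\alice\\AppData\\Local\\Temp\\gpg.exe",
    "PROC|4243|C:\\Users\\alice\\AppData\\Local\\Temp\\sdelete.exe",
    *HOSTAGE_RENAMES,
    "RENAME|7|C:\\Users\\alice\\Pictures\\cat.jpg|C:\\Users\\alice\\Pictures\\cat.jpg.vault",
    "RENAME|7|C:\\Users\\alice\\Documents\\notes.txt|C:\\Users\\alice\\Documents\\notes.bak",
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The first check implements the article's closing remark directly: the process name alone (gpg.exe) is not suspicious, the combination of that name with a launch path under the user's temp folder is. The second check ignores a single .vault rename, which is exactly what a real quarantine would produce, and fires only on the burst pattern that mass encryption creates.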