Ransomware has been the preferred tool of cyber criminals for making quick money. A new variant is in our midst known as VaultCrypt which is quite different from other encrypting malware in appearance and behavior. Unlike other ransomware that directly demand payment to unlock your encrypted data, VaultCrypt turns up the dishonesty levels even higher by pretending to direct you to customer support. This malware has been circulating in Russia since late February, but now, it is starting to spread to other parts of the world as well. Bleeping computer, with the help of members from the Emsisoft team have analysed this threat in detail.
Ransomware offers help and assurance to expedite payment
VaultCrypt gets its name from the file extension .vault. Once loaded in memory, the malware encrypts any files that it can find, changes their extension to .vault and replaces the icon with a lock symbol. When the user tries to access or open any such file, an alert pops up with an onion domain address which can only be accessed through a tor browser. This ensures that the cyber criminals remain anonymous and their actions untraceable. On visiting the webpage, the user is greeted with a login window. After entering the information (found in a vaultkey.vlt file stored locally) and logging in, the user is presented with an overview showing statistics relating to the encrypted files and the required payment amount. The website even offers the ability to chat with the hackers for help. In order to convince the user that their data can be retrieved, the website decrypts 4 of the encrypted files for free.
It seems the cyber criminals have taken a different approach here. Instead of storming the user with threats and warnings, the hackers masquerade as customer support in order to appear more trustworthy.
The Vault: What goes in never comes out
To make sure that its task is complete, VaultCrypt uses Microsoft’s secure delete feature to completely erase the original files by overwriting them 16 times. This means they cannot be un-deleted or restored with the help of file/data recovery programs.
The greed of cyber criminals knows no bounds so to make things worse, VaultCrypt also downloads another malicious file from an onion domain which steals login data from websites visited by the user. Onion domains are known as the dark side of the web and are the birthplace of all illegal activity. Thus, the user is exposed to several other threats while trying to deal with this one.
The worst part is, it is unlikely that you will be able to recover your data from VaultCrypt without paying the ransom. This is why, once again, we emphasize the need for regular backup’s and having up to date protection. After all, it is better to be safe than sorry.
Have a nice (ransomware-free) day!
Related Posts:
- Copycat Ransomware “Locker” Emerges
- Ransomware Cryptowall makes a comeback via malicious help…
- Android Outbreak: Koler ransomware has learned how to worm
- Warning: File Encrypting Ransomware, Now on Android
- New Cryptolocker variant attacks games
VaultCrypt ransomware offers fake customer support
A widespread security bug has been discovered by Palo Alto Networks which affects almost 50% of all devices running Android OS. The vulnerability allows an application installation to be hijacked and the installation contents modified, without authorization, after the review/verification process. The greatest threat is while installing content from 3rd party stores (apart from the Google Play store) in which the installation files are downloaded to an insecure location (unprotected SD card storage).
According to this post, researchers at Google have discovered that fake digital certificates are being used for several of their domains. Digital certificates, in a nutshell, are electronic documents used to verify a digital entity’s identity. That entity can be a website you connect to, a software developer you download a product from, or even another person with whom you want to establish secure communications. Digital certificates are crucial to modern day e-commerce, banking, software development and just about any other type of information sharing that gets done on the web. To learn more about digital certificates and why they’re important, see this article.
Twitch is a popular video network for gamers and accounts for 1.8% of all internet traffic in the U.S (during peak times) which is more than Hulu, Amazon and even Facebook. The social network for streaming, now owned by Amazon, recently announced that some of their user accounts may have been hacked. Although they have not fully declared a data breach, many users were sent an email telling them that their account information may have been accessed by unauthorized entities.
Magnetic Resonance Imaging or MRI is a lifesaver when it comes to detecting tumors and other anomalies, but its uses do not end there. MRI also gives us insight into the functioning of our brains and helps us analyse and understand various mental phenomenon. A recent study conducted by a team of researchers from Brigham Young University, the University of Pittsburgh, and Google using this groundbreaking device has shown that in most people, the brain turns inactive while answering a security alert. This is the result of a habituation. When we receive the same information repeatedly or too often, our brains start ignoring it, but as we all know, answering a security alert with a shut brain isn’t a very wise choice.
BIOS or basic input/output system is the program used by a processor to get a computer to start up successfully. It is a small piece of software designed by the computer manufacturer that is mostly untouched and rarely modified. Although the BIOS is a difficult place for malware to get into, once embedded, the malware enjoys a seat of power and is very difficult to remove. There are very few well documented in the wild attacks involving the BIOS, which has lead to manufacturers being lousy with security updates. In fact, most never update their BIOS at all. This means there are a lot of vulnerabilities that could easily be exploited by cyber criminals.
When consumers make purchases from a retailer and a credit or debit card is used, a PoS system is used to read the information stored on the magnetic stripe on the back of the credit card. PoSeidon seeks to extract credit card data and searches the computer memory for credit/debit card sequences. It then matches them with the known formats of Visa, Mastercard, AMEX and Discover. It uses the Luhn algorithm to check if the captured sequence is a valid card number. How PoSeidon works is illustrated in this diagram.
WhatsApp is loved by many. When the social network company announced a new voice call feature, it was met with excitement. Many users are anxious to try it out. But scammers are looking to take advantage of this enthusiasm by fooling users into thinking that completing a certain survey can give them immediate access to this new feature, which is still in development.
Upon launch, the malicious program asks the user for elevated (administrator) privileges. Denying the request does not help, since the message keeps repeating until the user complies, which effectively blocks the use of the device. Once the privileges have been granted, the legitimate application is downloaded and installed, which seems harmless enough. But closer inspection reveals that the program continues to enjoy administrator privileges even after the installation, which it can use for its malicious activities. Any attempt to deactivate these privileges results in uncanny behavior, such as the screen turning off and on without any confirmation of the requested change. Once rooted in the system, the malicious program is difficult to remove as the delete option for the app is also disabled.
Ransomware has become a major part of online threats, and that is no surprise considering there is an incentive of immediate financial gain involved. Cryptolocker is a widespread ransomware which like most others, encrypts files belonging to the victim and then demands a ransom. In the last few days, a new variant of this threat has emerged, which specifically attacks games. Unlike most other ransomware variants that just encrypt text and image files that are easily accessible in the documents folder, this one encrypts game save content and DLC (extra downloadable content) as well.
Ever since the discovery of FREAK, security experts at Microsoft, Apple and Google have been scrambling for a fix. This major SSL vulnerability allowed hackers to force a browser to use weak 512-bit encryption keys that could be cracked easily, leading to a man-in-the-middle attack. The good news is that all three companies have finally released patches that make “FREAK” nothing more than a horror of the past.
Infamous ransomware Cryptowall has made a comeback, according to a recent Bitdefender discovery. This time, the ransomware spreads through mass spam emails that contain malicious .chm attachments that execute malware upon opening.
uTorrent, one of the most popular torrent clients for P2P file sharing, has reportedly been installing a Bitcoin miner silently in the background with version 3.4.2 build 28913, without user permission. uTorrent representatives have denied the claim and said it’s “impossible” for any promotional software to be installed without the user’s consent.
FREAK, which stands for Factoring RSA Export Keys, is a massive HTTPS security flaw that allows attackers to decrypt HTTPS-protected traffic when users are accessing secure websites on their Android/Apple devices. The scariest part is that this vulnerability has been present for over a decade and was only recently discovered by security experts.
Europol, assisted by Microsoft, Symantec, and Anubis Networks have successfully taken down a massive bot network that infected over 3.2 million computers. This huge network was created by infecting computers with the Ramnit malware. Police from Germany, Italy, the Netherlands, and the UK were involved as they shut down several servers being used for this purpose.