CryptoWall 4.0 users have found that Russian users are spared any encryption when the malware is deployed on their system. That’s because it checks for what keyboard is being used and if Russian is detected as the keyboard language then it will kill itself before encryption. This isn’t that much of a surprise since we’ve always known these guys were Russian (at least the spam servers) and target mainly the US and Europe. But everyone is susceptible to encrypting ransomware so here’s a look at a recent encrypting ransomware what will target Russians.

While this encrypting ransomware may look a little different, it’s pretty much the same as the rest; encrypt your files from a phishing email and hold them ransom for bitcoin payment via tor browser. The encryption routine is done using GPG Tool which is an open source encryption tool and appends the file extension to “.vault”

Once you enter the Onion link into a tor browser you’ll be presented with the following pages

The bitcoin currency is continuing its climb

This is the payment portal – The victim is subject to a price increase after 4 days.

This variant also introduces the “freebie” structure where it allows you 4 free file decrypts. This is so you know what the decryption routine is like and know that you’ll get your files back if you do pay the ransom.

Once you’ve paid for the ransom you have access to download the decryption tool from the portal.

MD5 Analyzed:

87c6023bf8922d84927247c15621a02e

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more, but just in case of new zero day variants, remember that with encrypting ransomware the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Keeping it up to date is key so as not to lose productivity. Webroot has backup features built into our consumer product that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware you can just restore your files back as we save a snapshot history for each of your files up to ten previous copies. Please see our community post on best practices for securing your environment against encrypting ransomware.

 

 

 

Tyler Moffitt

About the Author

Tyler Moffitt

Sr. Security Analyst

Tyler Moffitt is a Sr. Security Analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs, and testing in-house tools.

Share This