Cybercriminals seem to be fine-tuning marketing tactics as we head into the holiday season. We hold as evidence a new malware that encrypts all files on a victim’s computer and then demands $69 for the unlocking tool.
The market-savvy twist? The crooks offer irate victims a free trial version of the tool that will allow them to salvage three precious files.
Trojan.Crypt.VB.U encrypts or locks files on the host computer and tells users to buy the $69 full version of the unlocking tool. If they’re reluctant to buy software from proven cybercrooks, they can download the trial version first.
Some versions of this Trojan start locking files once on the system, while other variants start wreaking havoc only after the system is rebooted. This Trojan works silently, in the background.
This ransomware is careful enough not to lock system files (with extensions .exe, .ini .sys, .com, .bat, .dll, .msi, or .ocx), to ensure the system remains functional. After all, the crook will need the computer to get in touch with the victim to deliver the ransom demand.
The Trojan is constantly improved, with new variants. Newer versions are more efficient than the older ones as they only select and lock a few vital files from an application folder and not all of them. Almost all non-critical folders are locked.
While the approach is unusual, the encryption algorithm is unsophisticated. The Trojan encrypts the files using the simple XOR algorithm, adds a header, and in the end it reverses the files. The system will not recognize the file format (and won’t be able to start them), but the mastermind behind this operation will be able to decrypt the files in no time – after the victim pays up.
Once all files have been locked, the Trojan opens a webpage in the browser to tell the victims they are about to be ripped off.
From the webpage, users find out that some of their folders are encrypted and cannot be accessed. Not everything is lost, as they are offered a solution for a $69 fee. To assure users of the efficiency of the paid tool, crook offer a demo version that can only decrypt 3 files.
The ransomware has a folder icon with a double extension: “.zip.exe” that the Trojan desperately tries to hide so as to pass undetected. For that to happen, Trojan.Crypt.VB.U regularly checks the Registry and performs the necessary operations to hide the extensions for known file types (the file appears thus to be a mere archive, since only the .zip extension will be visible to the user), should users change this setting in the meantime.
On the system drive, the ransomware saves in a hidden folder called “rootsetup” the following files:
– eve.ini -> storing the flag used by the two dropped files to synchronize;
– mafw.dat -> a copy of the malware, because the original one is deleted;
– setdat.dat -> contains configuration details including the website to be opened when the user is notified about his locked files;
– setupc.exe -> one of the two dropped files, responsible with maintaining a system configuration and with creating initialization files for the ransomware;
– setupp.exe -> one of the two dropped files, responsible for encrypting files;
Setupp.exe and setupc.exe keep each other running, an approach commonly known as watchdog safeguarding. To stop the ransomware, the two files must be killed simultaneously, otherwise the remaining running process will open the other.
Trojan.Crypt.VB.U creates a hidden file called _galaxy.exe on the system drive (which is a copy of itself) when it finishes encrypting/locking files. The dropper (which saves all these files) starts setupc.exe and setupp.exe. The system is instructed to run these two files at system startup.
This article is based on the technical information provided courtesy of Doina Cosovan and Mihai-Cătălin Șalgău, Bitdefender Virus Analysts.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.