
KRIPTOVOR Ransomware

By GoldSparrow in Ransomware

The KRIPTOVOR Ransomware is a dangerous ransomware Trojan that also has information-collecting capabilities. The KRIPTOVOR Ransomware is mostly used to attack Russian targets, and its name combines the words 'kripto' ('steal') and 'vor' ('thief'). Its main purpose is to attack businesses in Russia as well as international companies that have business connections in that country. The KRIPTOVOR Ransomware is modular, which makes it easy for attackers to customize it for their purposes by choosing specific modules. The KRIPTOVOR Ransomware first appeared as a cryptocurrency-gathering threat and gradually evolved to include ransomware components. The first variant with ransomware features appeared in 2014; it encrypted files, changed their file extension to .JUST, and demanded payment of a ransom via a ransom note. This is typical of how crypto-ransomware infections operate.

How the KRIPTOVOR Ransomware Spreads

The most common way in which the KRIPTOVOR Ransomware spreads is through corrupted email attachments. The email messages most commonly used to spread the KRIPTOVOR Ransomware carry the subject line Резюме на вакантную должность ('Resume for the vacant post') and come from a spoofed sender address. Several compromised email addresses associated with the KRIPTOVOR Ransomware have been identified by PC security researchers. These email messages contain an attachment in the form of a Word document that reads: 'Дважды кликните, чтобы открыть резюме в Adobe Reader' (Double-click to open the resume in Adobe Reader). This threatening Word document has an embedded corrupted file that installs threats on the victim's computer.

How the KRIPTOVOR Ransomware is Installed

The KRIPTOVOR Ransomware has several safeguards to detect whether it is running in a virtual environment or whether the victim's computer lacks an Internet connection. Once the KRIPTOVOR Ransomware has ensured that it is located on a vulnerable computer, it installs a false certificate and downloads a compromised file that is placed on the victim's computer as a hidden, password-protected compressed RAR archive. The file, named 'AdobeSystems.exe', is the executable for the KRIPTOVOR Ransomware's infection. The KRIPTOVOR Ransomware then does two things. First, it scans the victim's computer for files to encrypt, targeting documents, pictures, database files and similar potentially important files. Second, it looks for specific strings in these files that may indicate that they contain login or password information. If they do, the KRIPTOVOR Ransomware marks these files and collects the information contained in them, in addition to encrypting them.

How the KRIPTOVOR Ransomware Takes the Victim's Computer Hostage

The KRIPTOVOR Ransomware uses LockBox 3 to encrypt the victim's files. It sends the private key to the attacker by email and retains only the public key on the infected computer. Each file is encrypted with a randomly generated AES key; that AES key is encrypted with the public key and stored inside the encrypted file. Because the email carrying the private key is sent without encryption, it may be possible to recover the private key if packet capture was enabled on the affected network at the time of infection. To search for the private key, look for the following string in the email's subject line: 'Locked: (ID)', where the ID is the identifier contained in the KRIPTOVOR Ransomware's ransom note.
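The key handling described above, modelled as an added Go example (this is not the page's or the malware's own code): each file gets a fresh random AES key, that key is wrapped with the retained RSA public key and stored at the head of the file, and recovery becomes possible once the private key has been taken from the unencrypted email. AES-GCM, RSA-OAEP and the file layout are assumptions; the page names only LockBox 3, AES and a public/private key pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// encryptFile models the scheme above: a random per-file AES key, wrapped with the RSA public key
// and stored at the head of the file. Assumed layout: [wrapped key][AES-GCM ciphertext and tag].
func encryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	rand.Read(fileKey) // fresh AES-256 key for this file only; cannot fail in Go 1.24+
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	// The key is used exactly once, so a fixed zero nonce is safe and need not be stored.
	return gcm.Seal(wrapped, make([]byte, gcm.NonceSize()), plaintext, nil), nil
}

// recoverFile is the defender-side step: with the private key taken from the unencrypted email, unwrap the per-file key and decrypt the body; a wrong key fails at the unwrap.
func recoverFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < priv.Size() {
		return nil, rsa.ErrDecryption // too short to hold a wrapped key
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[:priv.Size()], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), blob[priv.Size():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects an unwrapped key of invalid length
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```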

After encrypting the victim's files, the KRIPTOVOR Ransomware displays a ransom note on the victim's computer. The text of the ransom note, shown in Russian, translates roughly as:

The cost of the decryptor can be obtained by writing an email to: payment.cashery@gmail.com
In the subject line please include your ID: 6756193866
Please do not try to decrypt the files using third-party tools.
You can completely corrupt them, and even the original decryptor will not help.
Requests will be accepted until 3/18/2015
After 3/18/2015 requests will be ignored.
Emails are handled automatically by the system.
There may be a delay in responses.

The date in the message depends on the date of infection. The best way to protect your data from the KRIPTOVOR Ransomware is to maintain regular backups of all important files, so that there is no need to pay the ransom to recover them. Establishing safe online browsing practices will help you avoid falling prey to phishing emails like those used to distribute the KRIPTOVOR Ransomware.
