Veracrypt Ransomware
The Veracrypt Ransomware is a ransomware Trojan that is used to take the victims' files hostage and then demand the payment of a ransom. The Veracrypt Ransomware belongs to a large family of threats that is currently active. Members of the Veracrypt Ransomware family can be identified because they tend to use the extension '.xtbl' in their attacks. The Veracrypt Ransomware and its variants also tend to use very similar ransom notes and demand the payment of a ransom via email addresses belonging to the @india.com domain. The Veracrypt Ransomware's ransom note, like others belonging to this family, tend to include a large image in the background and only a short sentence instructing the victim to email the @india.com email address for instructions on how to pay.
Only a Decryption Key can Recover the Files Encrypted by the Veracrypt Ransomware
The Veracrypt Ransomware may be installed through the use of corrupted email attachments. When victims open this corrupted file, a secondary threat infection (known as a Trojan dropper) will take advantage of vulnerabilities on the victim's computer to install the Veracrypt Ransomware or other corrupted code. After the Veracrypt Ransomware has been installed, it makes changes to the infected computer settings, which allow the Veracrypt Ransomware to run whenever Windows starts up automatically. The Veracrypt Ransomware searches the victim's hard drive for files matching a list of extensions in its configuration settings. The Veracrypt Ransomware uses a strong encryption algorithm to encrypt these files.
The Veracrypt Ransomware will target files that would have value to the computer user, but avoid files that are necessary for Windows to work normally. This is because the Veracrypt Ransomware requires the Windows operating system remaining functional to deliver a ransom note and extract a payment from the victim. Essentially, the Veracrypt Ransomware takes the victim's files hostage and demands that the victim pays hundreds, or even thousands of dollars in exchange for the decryption key necessary to decrypt them. The files that have been encrypted by the Veracrypt Ransomware are inaccessible. Unfortunately, it is not possible to recover files that have been encrypted by the Veracrypt Ransomware without the decryption key. This is what makes threats like the Veracrypt Ransomware so effective; even if the threat infection itself is removed, the files will remain encrypted and inaccessible.
How the Veracrypt Ransomware Attack is Carried Out
Using either social engineering or hacking directly into the victim's computer, the Veracrypt Ransomware will be installed. The Veracrypt Ransomware executable file may be dropped into one of the following directories:
%AppData%
%Roaming%
%Local%
%LocalRow%
%Windows%
%System%
%System32%
%Temp%
This file will usually have a name that makes it appear as if it is a harmless Windows system file. When carrying out its attack, the Veracrypt Ransomware will search for the following types of files and encrypt them using its sophisticated encryption algorithm:
PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG.
