
Vaca Ransomware

By GoldSparrow in Ransomware

The Vaca Ransomware is an encryption ransomware Trojan, a malware threat designed to use encryption algorithms to make the victim's files inaccessible. These threats do this to take the victim's files hostage, and then demand a ransom in exchange for returning access to the compromised data. Computer users should take precautions to ensure that their data is safe from threats like the Vaca Ransomware.

The Ruminant that will Chew Your Files

The Vaca Ransomware was created using the Xorist Ransomware builder, a utility that allows criminals to create variants in the same ransomware family to carry out ransomware attacks. The Vaca Ransomware is virtually identical to most encryption ransomware Trojans in the Xorist family. The Vaca Ransomware targets the user-generated files in its attacks, which may include various media files, documents, databases, configuration files and other commonly used file types. The following are examples of the files that threats like the Vaca Ransomware target in these attacks:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The Vaca Ransomware marks the compromised files by adding the file extension '.vaca' to their names. The Vaca Ransomware delivers a ransom note to the victim's computer in the form of a text file named 'HOW TO DECRYPT FILES.txt', which contains the following text:

'Attention! All your files are encrypted!
To restore your files and access them,
please send an SMS with the text XXXX to YYYY number.
You have N attempts to enter the code.
When that number has been exceeded,
all the data irreversibly is destroyed.
Be careful when you enter the code!'

This SMS-based payment method is not common and may be part of an identity theft tactic associated with the Vaca Ransomware. However, the criminals carrying out these attacks generally do not have any intention of helping the victims restore the compromised data and are generally just looking for ways to extort the victims of the Vaca Ransomware attack.

Dealing with a Vaca Ransomware Attack

The best way to deal with an infection by the Vaca Ransomware Trojan is to have backup copies of your data stored in the cloud or on an external memory device. Having file backups ensures that any compromised files can be replaced without having to contact the criminals responsible for the attack. Apart from file backups, a security program should be used to prevent the Vaca Ransomware from being installed in the first place, or to remove it before it manages to compromise any data stored on the victim's PC.
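
Before restoring from backup, it helps to know how far the damage reaches. The Python script below is an added example, not part of the original article: it searches a directory tree for the two indicators named above (the '.vaca' extension and the 'HOW TO DECRYPT FILES.txt' note) and tallies which file types were hit. The function name `triage` is chosen here, and the script assumes the original file name is preserved in front of the appended extension.

```python
import os
import sys
from collections import Counter

# Indicators stated in the article above.
ENCRYPTED_EXT = ".vaca"
NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def triage(root):
    """Walk root and summarise Vaca indicators to scope a restore from backup."""
    encrypted, notes, hot_dirs = [], [], []
    original_types = Counter()
    # Unreadable directories are skipped rather than aborting the scan.
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        enc_here = note_here = False
        for name in filenames:
            lower = name.lower()  # Windows file names are case-insensitive
            path = os.path.join(dirpath, name)
            if lower == NOTE_NAME.lower():
                notes.append(path)
                note_here = True
            elif lower.endswith(ENCRYPTED_EXT) and len(lower) > len(ENCRYPTED_EXT):
                encrypted.append(path)
                enc_here = True
                # Assumption: the original name sits in front of the appended suffix.
                stem = name[: -len(ENCRYPTED_EXT)]
                original_types[os.path.splitext(stem)[1].lower() or "(none)"] += 1
        if enc_here and note_here:
            hot_dirs.append(dirpath)  # both indicators together: strongest signal
    return {"encrypted": encrypted, "notes": notes,
            "hot_dirs": hot_dirs, "original_types": original_types}


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(result['encrypted'])} files carry {ENCRYPTED_EXT}, "
          f"{len(result['notes'])} ransom notes found")
    for ext, count in result["original_types"].most_common():
        print(f"  {count:6d}  {ext}")
    for d in result["hot_dirs"]:
        print(f"  note + encrypted files in: {d}")
```

Run it against a mounted copy of the affected volume rather than on the live system, and compare the per-type counts with what the latest backup contains.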
