Vo_ Ransomware Description
Type: Trojan
The Vo_ Ransomware was discovered in December 2016, five months after the SQ_ Ransomware first appeared in security reports. Both threats are encryption Trojans that are delivered to potential victims via spam emails. According to security experts, the Vo_ Ransomware is a slightly improved version of the SQ_ Ransomware, and both Trojans come from the same developers. The spam emails carrying the dropper for the Vo_ Ransomware feature logos from banks and online stores and urge the user to make the payment referred to in the attached invoice. Needless to say, the user is asked to open a macro-enabled document, which is designed to install the Vo_ Ransomware Trojan in the background.
The Vo_ Ransomware and the SQ_ Ransomware are the Two Faces of One Crypto Malware
When the Vo_ Ransomware is installed, it determines which drives can be accessed and how many files should be encrypted. The Vo_ Ransomware targets data associated with text, images, spreadsheets, eBooks, presentations, audio and video. Analysts report that the Vo_ Ransomware combines the AES and RSA ciphers in its encryption routine. The Vo_ Ransomware generates a unique AES-256 encryption key, which is used to lock data on local and removable drives that are not write-protected. When the operation is complete, the AES key is encrypted with the RSA-1024 algorithm and sent in an HTTP POST request to the 'Command and Control' server. Affected files can be recognized by the 'Vo_' prefix placed before the original file name. For example, 'what is the speed of light.pptx' is renamed to 'Vo_what is the speed of light.pptx,' and a white icon is displayed instead of a thumbnail for the presentation. The operators behind the Vo_ Ransomware store these keys, and users are left with a ransom note in the My Documents directory. The payment instructions are dropped by the Vo_ Ransomware in the form of 'VO_ IN DOCUMENTS..txt,' which reads:
Your computer has been locked by ransomware, your personal files are encrypted and you have, unfortunately "lost" all your pictures, files, and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files you need to obtain the private key.
All encrypted files contains VO_
Your number: [15-digit number]
To obtain the program for this computer, which will decrypt all files, you need to pay
4 bitcoins on our bitcoin address [34 random characters] (today 1 bitcoin was 260 USA dollars). Only we and you know about this bitcoin address.
You can check bitcoin balanse here - https://www.blockchain.info/address/[a string of 34 random characters]
After payment send us your number on our mail firstname.lastname@example.org and we will send you decryption tool (you need only run it and all files will be decrypted during 1...3 hours)
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it - it's your garantee that we have decryption tool. And send us your number with attached file.
We dont know who are you. All what we need - it's some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON'T USE HOTMAIL.COM AND OUTLOOK.COM. You need register your mail account in www.ruggedinbox.com (it will takes 1..2 minutes) and write us again)'
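The two on-disk traces described above (the 'Vo_' file name prefix and the 'VO_ IN DOCUMENTS..txt' note) are enough to inventory a suspected infection. The following triage helper is an added example, not code from the original write-up or from the malware; the extension list is an assumption, since the article names only the data categories, and the sample files it creates are constructed.

```python
"""Triage helper for a suspected Vo_ Ransomware infection (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# File name prefix and ransom note name described in the write-up.
VO_PREFIX = "Vo_"
RANSOM_NOTE = "VO_ IN DOCUMENTS..txt"
# Assumed extensions for the data classes the article says are targeted
# (text, images, spreadsheets, eBooks, presentations, audio, video).
TARGET_EXTS = {".txt", ".jpg", ".png", ".xlsx", ".epub", ".pptx", ".docx", ".mp3", ".mp4"}


def original_name(name: str) -> Optional[str]:
    """Return the pre-infection file name if `name` carries the Vo_ prefix, else None."""
    if name.startswith(VO_PREFIX) and len(name) > len(VO_PREFIX):
        return name[len(VO_PREFIX):]
    return None


def triage(root: str) -> dict:
    """Walk `root` and report Vo_-prefixed files of targeted types and any ransom notes."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE:
                notes.append(path)
                continue
            orig = original_name(fname)
            if orig is not None and Path(orig).suffix.lower() in TARGET_EXTS:
                encrypted.append((path, orig))  # (renamed file, original name)
    return {"encrypted": encrypted, "ransom_notes": notes,
            "infected": bool(notes) or bool(encrypted)}


def demo() -> dict:
    """Build a constructed sample tree in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="vo_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = {
        os.path.join(docs, "Vo_what is the speed of light.pptx"): b"\x00" * 16,  # renamed by the Trojan
        os.path.join(docs, "Vo_budget.xlsx"): b"\x00" * 16,                       # renamed by the Trojan
        os.path.join(docs, "report.docx"): b"untouched",                          # clean file
        os.path.join(root, "Vo_setup.exe"): b"\x00" * 16,                         # prefix, but not a targeted type
        os.path.join(docs, RANSOM_NOTE): b"Your computer has been locked by ransomware",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return triage(root)
```

Running `demo()` on the constructed tree reports two renamed data files, one ransom note, and the `.exe` is ignored because its original extension is not a targeted type.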
The Ransom Note that Comes with the Vo_ Ransomware is Provided in English and Korean
The authors of the Vo_ Ransomware may want to go international, using English and Korean to reach their victims. Reports from AV vendors suggest that most compromises involving the Vo_ Ransomware are centered on South Korea. However, samples of the Vo_ Ransomware have been found in spam emails sent to users in the Western hemisphere. We have yet to see a rise in attacks using the Vo_ Ransomware. PC users are advised to make backups, configure a backup program and make sure their archives are stored on a protected drive, preferably a USB drive, since it can be disconnected easily. You should also consider boosting your cyber defenses by installing a credible anti-spyware tool that can detect and block suspicious connections.