Bitcoin Ransomware Education – Crypvault

Some of the more modern types of Bitcoin ransomware pose a significant threat to computer users to this very day. Crypvault is in the top three on that list, as this kind of malware includes some new routines that make life even harder for infected users. In fact, this is the first type of ransomware to include an antivirus toolkit preventing users from accessing files.

Also read: MAIDsafe Technical Analysis for 03/07/2016 – Trading Between Pivot Zones

Crypvault Quarantines Computer Files After Encryption

Any type of Bitcoin ransomware is annoying enough to deal with because it encrypts necessary file extensions on the computer. Not only are these files inaccessible to the end user, but most types of malware will also prevent users to restore files from a backup, as they affect shadow volumes in the file system.

Crypvault is proving to be quite an annoying type of Bitcoin ransomware in that regard. This malware encrypts files by appending a “.VAULT” extension to the data, but it also includes an antivirus service that keeps these files quarantined for a period of time. Unlike traditional antivirus solutions, which ensure ransomware infections cannot occur in the first place, this version is making life even more difficult for the computer owner.

Bitcoin ransomware has a habit of spreading through email attachments in the form of ZIP and image files, and Crypvault is not entirely different in that regard. However, this malware uses JavaScript files to infect computers, which will then download four different files from the malware’s C&C server.

As soon as these files are downloaded on the computer, Crypvault will execute the ransomware and save the downloaded files in the %USER TEMP% folder on the computer. Most of the existing antivirus software solutions will not flag these downloaded items as malicious, although updated versions of AVG and other tools should be able to detect it.

Encrypting the files is just the first step along the way, as Crypvault will generate a ransom note once the file is opened. Similar to most other types of Bitcoin ransomware, Crypvault will redirect users to a Tor-hosted website where they can make the Bitcoin payment. Restoring files from a backup is made all but impossible thanks to sDelete, which is downloaded as part of the malware infection.

To make matters even worse, Crypvault is also capable of stealing usernames and passwords stored in the browser. This dump of passwords will be uploaded to the Crypvault C&C server. It remains unknown as to how these passwords are used in the future, although it is not hard to guess why assailants would be interesting in this information.

Source: Trendmicro

Images credit 1,2

If you liked this article follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin and altcoin price analysis and the latest cryptocurrency news.